So this is how I have fun now

While Googling for more information on exploits of the SYM06-010 vulnerability, I got sidetracked looking at the Information Security Office website at Carnegie Mellon University. They’ve put together an EXE that checks for all vulnerable versions of Symantec Antivirus version 10 and applies the appropriate patches.
Most companies have only deployed one specific build of each major version of SAV, so they don’t need to go to so much trouble. I, for example, had been running 10.0.2.2000 when this came out, so applying the patch was a simple matter of upgrading. I thought it would be interesting to look at the language they used to create this EXE and apply the patch to a more heterogeneous SAV environment.
Looking at their executable, I quickly found that the EXE could not be opened with WinZip or Unrar.
Upon further investigation I found that the EXE unpacked itself to a temp directory \7zSA9.tmp. In that directory I found another EXE and a folder containing all of the MSP patches needed for this vulnerability. This new EXE also could not be opened with WinZip or Unrar. A closer examination with ‘strings’ (I used the former Sysinternals program, now available through Technet) revealed this file was packed with UPX. I used UPX to decompress it, but did not make further progress.
Moving back up a step, I found that the version tab indicated that this file was created with AutoIt version 3. AutoIt is a basic scripting language. AutoIt has a utility for converting EXEs back to script format, but I found that a password was required. Strings did not find anything that worked as a password.
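The identification steps above (7-Zip self-extractor, UPX-packed inner EXE, compiled AutoIt script) can be automated as a quick static triage. The following is an added example, not code from the original post or from CMU: it walks the PE section table looking for the UPX0/UPX1 section names UPX leaves behind, and scans for the 7z archive magic and the AU3!EA06 header that compiled AutoIt v3 scripts carry (the AutoIt marker is assumed from common documentation; the sample PE images are constructed inline and are not real executables).

```python
import struct

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7-Zip archive header appended to a 7z SFX stub
AUTOIT_MAGIC = b"AU3!EA06"             # assumed marker: header of a compiled AutoIt v3 script
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                    # COFF file header (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # section table follows optional header
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0") for i in range(nsections)]

def triage(data: bytes) -> dict:
    """Flag the three packaging layers seen in the patch tool."""
    names = pe_section_names(data)
    return {
        "is_pe": bool(names),
        "upx_sections": [n.decode() for n in names if n in UPX_SECTIONS],
        "has_7z_payload": SEVENZ_MAGIC in data,
        "has_autoit_script": AUTOIT_MAGIC in data,
    }

def build_sample_pe(section_names, trailer=b"") -> bytes:
    """Constructed test input: a minimal, non-runnable PE layout (DOS stub, PE header, sections)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + trailer

# Constructed samples mirroring the two files from the post (after UPX unpacking for the inner one).
SAMPLE_OUTER_SFX = build_sample_pe([b".text", b".rdata"], trailer=SEVENZ_MAGIC + b"\0" * 8)
SAMPLE_INNER_EXE = build_sample_pe([b".text", b"UPX0", b"UPX1"], trailer=b"\0" * 16 + AUTOIT_MAGIC)

if __name__ == "__main__":
    for label, blob in (("outer exe", SAMPLE_OUTER_SFX), ("inner exe", SAMPLE_INNER_EXE)):
        print(label, triage(blob))
```

On a real UPX-packed file the AutoIt marker only becomes visible after unpacking, which is why the post's order of steps (UPX first, then the version tab) matters.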
Further investigation led to a suggestion that a breakpoint could be set with a debugger pointing to the location of the password in the stack. I must have skipped reading that chapter in my forensics class. It was about this time that I decided it’s pretty late and I’m going to call it a night. I’m not very good at this. 🙂