
12 changes to exploits/shellcodes

Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
Intel Content Protection HECI Service - Type Confusion Privilege Escalation
TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
BrightSign Digital Signage - Multiple Vulnerabilities
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
TeamViewer Permissions Hook V1
A proof-of-concept injectable C++ DLL that uses naked inline hooking and direct memory modification to change TeamViewer permissions.
Features
- As the Server - Enables extra menu item options on the right-side pop-up menu. Most useful so far is enabling the "switch sides" feature, which is normally only active after you have already authenticated control with the client and initiated a change of control/sides.
- As the Client - Allows control of the mouse regardless of the server's current control settings and permissions.
Demo
[Screenshots not preserved: as the Server; as the Client]
Rundown
- Uses signature/pattern scanning to dynamically locate key points in the code at which the registers hold pointers to interesting classes. Applies naked inline hooks (a.k.a. code caves) to hijack those pointers, which are then used to modify the reversed classes via direct memory access.
- Inject and follow the steps
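For defenders, the inline hooks described in the Rundown leave a trace: the code section in memory no longer matches the file on disk. The following is an added example, not part of the original PoC or its README, that compares the two copies and flags 5-byte `E9 rel32` jumps leaving the section. The byte buffers, the base address 0x00401000 and all names are constructed for illustration, and the disk copy is assumed to have relocations already applied.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>
using Bytes = std::vector<uint8_t>;
// One modified region of a code section.
struct Finding {
    size_t   offset, length;  // start and size of the modified region
    bool     jmp_out;         // true: E9 rel32 whose target leaves the section
    uint32_t target;          // jump destination (0 for non-JMP patches)
};

// Compare a clean code section (from disk, relocations applied) with the
// bytes read from the live process and classify every difference.
std::vector<Finding> scan_code_section(const Bytes& disk, const Bytes& mem,
                                       uint32_t section_va) {
    std::vector<Finding> out;
    const size_t n = std::min(disk.size(), mem.size());
    for (size_t i = 0; i < n;) {
        if (disk[i] == mem[i]) { ++i; continue; }
        Finding f{i, 0, false, 0};
        if (mem[i] == 0xE9 && i + 5 <= n) {  // x86 near JMP rel32
            uint32_t rel = mem[i + 1] | (mem[i + 2] << 8) | (mem[i + 3] << 16) |
                           (static_cast<uint32_t>(mem[i + 4]) << 24);
            f.target = section_va + static_cast<uint32_t>(i) + 5 + rel;
            f.jmp_out = f.target - section_va >= n;  // wraps if below section
            f.length = 5;
        } else {  // other patch: length of the run of differing bytes
            while (i + f.length < n && disk[i + f.length] != mem[i + f.length])
                ++f.length;
        }
        out.push_back(f);
        i += f.length;
    }
    return out;
}

// Constructed sample: 16 bytes of x86 code mapped at VA 0x00401000.
const Bytes kDisk = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x8B, 0x45,
                     0x08, 0x89, 0x45, 0xFC, 0x8B, 0xE5, 0x5D, 0xC3};
// Same code with a JMP to 0x00701000 written at +3 and one byte changed at +12.
const Bytes kMem  = {0x55, 0x8B, 0xEC, 0xE9, 0xF8, 0xFF, 0x2F, 0x00,
                     0x08, 0x89, 0x45, 0xFC, 0x90, 0xE5, 0x5D, 0xC3};

int main() {
    for (const Finding& f : scan_code_section(kDisk, kMem, 0x00401000))
        std::printf("+0x%zx len=%zu %s target=0x%08x\n", f.offset, f.length,
                    f.jmp_out ? "JMP out of section" : "patch", f.target);
}
```

A jump that stays inside the section is still reported as a modification, but with `jmp_out` false, so legitimate hot-patching and external detours can be triaged separately.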
Requirements
- Your favorite manual mapper, PE loader, or DLL injector; inject into "TeamViewer.exe"
- This version was built on Windows 10 for TeamViewer x86 version 13.0.5058. (Other versions of TeamViewer have not been tested, but with more robust signatures it may work. Linux is not supported.)
Disclaimer
- Developed for educational purposes as a proof of concept for testing. I do not condone or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.
Credit
@timse93 - Research and Testing
EDB-Note
Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43366.zip