This Metasploit module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.
This Metasploit module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user. This module specifically attempts to exploit the blind variant of the attack. The module was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. It was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.
Hikvision Web Server Build 210702 suffers from a command injection vulnerability.
Various Dahua products suffer from multiple authentication bypass vulnerabilities.
Realtek Managed Switch Controller (RTL83xx) stack overflow proof of concept exploit.
Realtek Managed Switch Controller RTL83xx suffers from a stack overflow vulnerability. Full exploit provided.
Geovision Inc. IP Camera and Video Server remote command execution proof of concept exploit.
Geovision Inc. devices GV-BX1500 version 3.10 2016-12-02 and GV-MFD1501 version 3.12 2017-06-19 suffer from remote command execution, stack overflow, double free, and other vulnerabilities.
Vitek suffers from remote code execution and information disclosure vulnerabilities.
The nsd binary shipping with multiple camera security systems suffers from a format string vulnerability.
Axis Communications MPQT/PACS suffers from heap overflow and information leakage vulnerabilities.
Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A-N, FD8167A, FD8167AS, FD8169A, FD8169AS, FD816B, FD816BA, FD816C, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101.
Dahua devices suffer from an insecure direct object reference vulnerability.
Synology NAS suffers from an IP blocking bypass vulnerability.
QNAP NVR and NAS devices suffer from multiple overflows. Various makes and models are affected. Full exploitation details provided.
QNAP NAS devices suffer from a heap overflow vulnerability.
This write-up provides code for the 'two-write-where-and-what' format string (FMS) exploitation technique and explains how to exploit it when the format string is located on the heap.
Axis Communications MPQT/PACS Server Side Include (SSI) remote format string exploit that provides a connect-back root shell.
Axis 2100, 2110, 2120, 2420, and 2130 Network Cameras, along with the 2400 and 2401 Video Servers, are susceptible to passwd file retrieval vulnerabilities, unauthenticated admin user additions, and hardcoded login/password flaws.
Cisco IOS HTTP Server Vulnerability Scanner - This code scans a Cisco router or switch for the vulnerability and, optionally, fetches the configuration without any authentication, as described here. Cisco bug ID CSCdt93862. Tested on Linux and OpenBSD.