CVE-2015-3036
Published: 2015-05-21
Priority P271 · critical · CVSS 2.0 base score 10.0 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available. EPSS: 27.91% (97.9th percentile)
Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in certain NETGEAR products, TP-LINK products, and other products, allows remote attackers to execute arbitrary code by providing a long computer name in a session on TCP port 20005.
Detection & IOCs
Byte patterns: \x56\x05, \x56\x03
- Detect exploit attempts by monitoring TCP connections to port 20005 where the computer-name field length is >= 128 bytes. 128 is the DOS_BYTES value the DoS PoC sends to trigger the stack buffer overflow, so treat it as a known-bad sample rather than the minimum overflowing length, and alert on any computer-name length beyond what a legitimate hostname needs.
- The exploit initiates sessions with a 2-byte magic hello packet (\x56\x05 or \x56\x03) followed by 16 bytes of random data for the AES handshake; alert on TCP port 20005 sessions starting with these byte sequences.
- The DoS exploit (EDB-ID 38566) was tested on a NETGEAR DC112A; behaviour on other affected vendors' devices (TP-LINK, etc.) may differ.
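The two checks above, written out as an added detection example (this is not code from the page, from SEC Consult, or from either Exploit-DB PoC). It runs over a TCP-reassembled client-to-server byte stream for a connection to port 20005, as an analyst would pull from a pcap. The magic bytes, the 16-byte nonce and the length-prefixed computer name come from the page; the remaining framing is assumed and modelled on the PoC's send sequence: one 16-byte client handshake reply after the nonce, then a little-endian 32-bit name length. The 64-byte alert threshold, the sample sessions and the function names (`build_client_stream`, `inspect_session`, `scan`) are likewise mine, not the protocol's.

```python
# Added detection example for CVE-2015-3036 (not from this page or the
# Exploit-DB PoCs). Operates on a TCP-reassembled client->server stream.
#
# ASSUMED client->server layout (only the magic, the 16-byte nonce and the
# length-prefixed name are documented on the page; the rest is an assumption
# modelled on the PoC's send sequence):
#
#   magic(2) | client nonce(16) | client handshake reply(16) | name_len(u32 LE) | name
import struct
from typing import List

NETUSB_PORT = 20005
MAGIC_HELLOS = (b"\x56\x05", b"\x56\x03")   # IOCs listed on this page
NONCE_LEN = 16                              # "16 bytes of random data" (page)
HANDSHAKE_REPLY_LEN = 16                    # ASSUMPTION: one 16-byte block back to the server
LEN_FMT = "<I"                              # ASSUMPTION: little-endian 32-bit length prefix
NAME_MAX_BENIGN = 64                        # tunable alert threshold (my choice, not the page's)
POC_NAME_LEN = 128                          # DOS_BYTES used by the DoS PoC (EDB-ID 38566)

NAME_OFFSET = 2 + NONCE_LEN + HANDSHAKE_REPLY_LEN


def build_client_stream(name: bytes, hello: bytes = b"\x56\x05",
                        nonce: bytes = bytes(NONCE_LEN),
                        reply: bytes = bytes(HANDSHAKE_REPLY_LEN)) -> bytes:
    """Constructed test traffic in the assumed layout (zeroed nonce/reply)."""
    return hello + nonce + reply + struct.pack(LEN_FMT, len(name)) + name


def inspect_session(dst_port: int, client_stream: bytes) -> List[str]:
    """Return detection tags for one client->server stream.

    'netusb_hello'                 stream starts with a NetUSB magic hello
    'short_handshake'              hello seen, no computer-name length yet
    'oversized_computer_name:<n>'  declared name length exceeds NAME_MAX_BENIGN
    """
    tags: List[str] = []
    if dst_port != NETUSB_PORT:
        return tags
    if len(client_stream) < 2 or client_stream[:2] not in MAGIC_HELLOS:
        return tags
    tags.append("netusb_hello")
    if len(client_stream) < NAME_OFFSET + 4:
        tags.append("short_handshake")
        return tags
    (name_len,) = struct.unpack_from(LEN_FMT, client_stream, NAME_OFFSET)
    if name_len > NAME_MAX_BENIGN:
        # The declared length drives the kernel's copy into a fixed stack
        # buffer, so it is the signal even if fewer name bytes actually follow.
        tags.append(f"oversized_computer_name:{name_len}")
    return tags


def scan(sessions):
    """Run inspect_session over (src, dst_port, stream) tuples; yield alerts only."""
    for src, dst_port, stream in sessions:
        tags = inspect_session(dst_port, stream)
        if any(t.startswith("oversized_computer_name") for t in tags):
            yield src, tags


if __name__ == "__main__":
    # Constructed sample sessions: a benign client, a DoS-PoC-shaped client
    # using the alternate hello, and unrelated traffic on another port.
    samples = [
        ("10.0.0.5", NETUSB_PORT, build_client_stream(b"DESKTOP-01")),
        ("10.0.0.9", NETUSB_PORT, build_client_stream(b"A" * POC_NAME_LEN, hello=b"\x56\x03")),
        ("10.0.0.7", 80, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    for src, tags in scan(samples):
        print(src, tags)
```

Treat this as a heuristic until the field offset and byte order are confirmed against a capture from the firmware you actually run: if the device or client frames the handshake differently, only the hello-magic check remains trustworthy and the length check should be re-anchored.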
No detection rules found.
Exploit-DB
NetUSB - Kernel Stack Buffer Overflow (EDB-ID 38566, published 2015-10-29, CVSS 10.0, CRITICAL)
---
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: NetUSB Kernel Stack Buffer Overflow
# Date: 9/10/15
# Exploit Author: Adrian Ruiz Bermudo
# Vendor Homepage: http://www.kcodes.com/
# Version: Multiple: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
# Tested on: NETGEAR DC112A
# CVE : CVE-2015-3036
import socket
import sys
import random
import string
import time
import struct
from Crypto.Cipher import AES #pip install pycrypto
DOS_BYTES = 128 #BoF
TIMEOUT = 5
RECV_SIZE = 16
PORT_DEFAULT = 20005
AESKey = "\x5c\x13\x0b\x59\xd2\x62\x42\x64\x9e\xd4\x88\x38\x2d\x5e\xae\xcc"
print "#"
print "# Exploit KCodes NetUSB | Kernel Stack Buffer Overflow | Den
Exploit-DB
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution (EDB-ID 38454, published 2015-10-14, CVSS 10.0, CRITICAL)
---
#!/usr/bin/env python
# Source: http://haxx.in/blasty-vs-netusb.py
#
# CVE-2015-3036 - NetUSB Remote Code Execution exploit (Linux/MIPS)
# ===========================================================================
# This is a weaponized exploit for the NetUSB kernel vulnerability
# discovered by SEC Consult Vulnerability Lab. [1]
#
# I don't like lazy vendors, I've seen some DoS PoC's floating around
# for this bug.. and it's been almost five(!) months. So lets kick it up
# a notch with an actual proof of concept that yields code exec.
#
# So anyway.. a remotely exploitable kernel vulnerability, exciting eh. ;-)
#
# Smash stack, ROP, decode, stage, spawn userland process. woo!
#
# Currently this is weaponized for one target d
No writeups or analysis indexed.
References
- http://blog.sec-consult.com/2015/05/kcodes-netusb-how-small-taiwanese.html
- http://packetstormsecurity.com/files/131987/KCodes-NetUSB-Buffer-Overflow.html
- http://packetstormsecurity.com/files/133919/NetUSB-Stack-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2015/May/74
- http://seclists.org/fulldisclosure/2015/Oct/50
- http://www.kb.cert.org/vuls/id/177092
- http://www.securityfocus.com/bid/74724
- http://www.securitytracker.com/id/1032377
- https://www.exploit-db.com/exploits/38454/
- https://www.exploit-db.com/exploits/38566/
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt