vendor:
Dual DHCP DNS Server
by:
R-73eN
N/A
CVSS
N/A
Buffer Overflow
N/A
CWE
Product Name: Dual DHCP DNS Server
Affected Version From: Dual DHCP DNS Server 7.29
Affected Version To: Dual DHCP DNS Server 7.29
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 SP1 (32bit)
2016
Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
The software crashes when it tries to write to an invalid address. MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input MOV DWORD PTR SS:[ESP+4],31 MOV DWORD PTR SS:[ESP],1 ......................... MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes. I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7) Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe contains 00 which is a badchar in our case.
Mitigation:
N/A
