[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKvdgaNyft4H0fNbL7Ac7t28=bxDqThJv8RVg8Z0Dk4qQAtt+w@mail.gmail.com>
Date: Wed, 7 Dec 2016 12:30:36 +0100
From: Rio Sherri <rio.sherri@...nstudent.info>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
# Date : 07/12/2016
# Author : R-73eN
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
# Vendor : http://dhcp-dns-server.sourceforge.net/
# Software :
https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
# Vulnerability Description:
# The software crashes when it tries to write to an invalid address.
#
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
# MOV DWORD PTR SS:[ESP+4],31
# MOV DWORD PTR SS:[ESP],1
# .........................
# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails
to move EBX which is our controlled adress + 24 bytes.
#
# I think this vulnerability is not exploitable because every module that
is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
# Even if we try to put some valid pointers to manipulate the execution
flow we can't because every address on the DualServ.exe
# contains 00 which is a badchar in our case.
#
View attachment "exploit.py" of type "text/x-python" (2154 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists