Full Disclosure mailing list archives
Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)
From: Rio Sherri <rio.sherri () fshnstudent info>
Date: Wed, 7 Dec 2016 12:30:36 +0100
# Date : 07/12/2016 # Author : R-73eN # Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit) # Vendor : http://dhcp-dns-server.sourceforge.net/ # Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download # Vulnerability Description: # The software crashes when it tries to write to an invalid address. # # MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input # MOV DWORD PTR SS:[ESP+4],31 # MOV DWORD PTR SS:[ESP],1 # ......................... # MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes. # # I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7) # Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe # contains 00 which is a badchar in our case. #
Attachment:
exploit.py
Description:
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Dual DHCP DNS Server 7.29 Buffer Overflow (Dos) Rio Sherri (Dec 09)