Full Disclosure mailing list archives

Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)

From: Rio Sherri <rio.sherri () fshnstudent info>
Date: Wed, 7 Dec 2016 12:30:36 +0100

# Date : 07/12/2016
# Author : R-73eN
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
# Vendor : http://dhcp-dns-server.sourceforge.net/
# Software :
https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
# Vulnerability Description:
# The software crashes when it tries to write to an invalid address.
#
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
# MOV DWORD PTR SS:[ESP+4],31
# MOV DWORD PTR SS:[ESP],1
# .........................
# MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails
to move EBX which is our controlled adress + 24 bytes.
#
# I think this vulnerability is not exploitable because every module that
is loaded has ASLR/DEP/SAFESEH enabled (Win 7)
# Even if we try to put some valid pointers to manipulate the execution
flow we can't because every address on the DualServ.exe
# contains 00 which is a badchar in our case.
#

Attachment: exploit.py
Description:


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Dual DHCP DNS Server 7.29 Buffer Overflow (Dos) Rio Sherri (Dec 09)