# Date : 07/12/2016 # Author : R-73eN # Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit) # Vendor : http://ift.tt/2haw5Tv # Software : http://ift.tt/2grwjqV # Vulnerability Description: # The software crashes when it tries to write to an invalid address. # # MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input # MOV DWORD PTR SS:[ESP+4],31 # MOV DWORD PTR SS:[ESP],1 # ......................... # MOV DWORD PTR DS:[EBX+24],EAX -> Here happens the corruption, EAX fails to move EBX which is our controlled adress + 24 bytes. # # I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7) # Even if we try to put some valid pointers to manipulate the execution flow we can't because every address on the DualServ.exe # contains 00 which is a badchar in our case. #
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment