Vulnerability Development mailing list archives
Re: Possibly exploitable overflow in Alibaba 2.0
From: W.H.J.Pinckaers () CPEDU RUG NL (W.H.J.Pinckaers)
Date: Fri, 29 Oct 1999 18:38:05 MET
Hello all together, (Greet stolen from dullien () gmx de) ;)
> Tried a little freeware webserver named Alibaba 2.0 today and found an exploitable overflow. I telnetted to 127.0.0.1:80 and crashed it using POST [enter 1028 'x'] / HTTP/1.0

Could you point us to the web site that is distributing this software? Along with a guess of the number of users of this webserver? And on what OS/CPU does the webserver run? Linux? Wintendo?

> From a disassembled listing I found that it uses a scanf("%s %s %s", szName, szFile, szSomething); where szFile is a local variable of 0x400 (=1024) bytes on the stack directly above the return address. Coding an exploit for this is going to be a little tricky as it mustn't have any 0x20, 0x00, 0x61-0x7A in it since these bytes are changed by the foregoing function that converts everything into uppercase.

I have such shellcode on the shelf, since this is needed by quite a lot of other webservers too. (Shellcode for Linux/x86) If you want it, drop me a mail. Another solution is to put the shellcode in another place than in the buffer that gets strupr'ed. For instance in the Host: tag in the HTTP request, so that the exploit would look like this:

POST [lots of return addresses without 0x00, ' ' and 'A'-'Z'] / HTTP/1.0
Host: [your shellcode]

(Of course Host can be replaced by all other valid tags, or even an invalid tag.)

> I contacted the authors but they stated since it's freeware there will be no support to it :) If someone wants to code a full exploit, go ahead :)

(Are they running this webserver? If so you could force a patch into the webserver ;)

Gtx. Dvorak
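Added example, not from the thread and not Alibaba's code: a C model of the bug pattern the disassembly describes (an unbounded `%s` into a 1024-byte stack buffer after an uppercase pass) beside a hardened parser, plus a checker for the payload byte constraints discussed above. The 1024-byte szFile size and the forbidden byte set (0x00, 0x20, 0x61-0x7A) come from the thread; the 16-byte sizes for the other two fields, the `toupper()` stand-in for the server's uppercase routine, and the sample payload bytes are assumptions made here. The checker also treats the other C-locale whitespace bytes (0x09-0x0D) as token terminators, since `%s` stops on any `isspace()` byte, which goes slightly beyond what the thread lists.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SZFILE_LEN 0x400   /* 1024 bytes: the szFile stack buffer size quoted in the thread */
#define SMALL_LEN  16      /* assumed sizes for the other two fields; not given in the thread */

/* Stand-in for the server's pre-processing step: the request line is
 * uppercased in place (strupr() is MSVC-only, so toupper() is used here). */
void upcase_in_place(char *s)
{
    for (; *s; s++)
        *s = (char)toupper((unsigned char)*s);
}

/* Vulnerable pattern from the disassembly: %s with no field width writes an
 * unbounded token into a fixed stack buffer. Shown for reading only; never
 * call it with a second token of 1024 bytes or more. */
int parse_request_line_unsafe(const char *line, char *method, char *file, char *version)
{
    return sscanf(line, "%s %s %s", method, file, version);
}

/* Length of the idx-th whitespace-delimited token (0-based), exactly as
 * sscanf's %s would delimit it; 0 if that token does not exist. */
size_t token_len(const char *line, int idx)
{
    const char *p = line;
    int i = 0;
    while (1) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) return 0;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (i++ == idx) return (size_t)(p - start);
    }
}

/* Would the second token (the file name) overflow szFile under the unsafe
 * parser? %s stores the token plus a NUL, so 1024 token bytes already write
 * one byte past the end of a 1024-byte buffer. */
int request_overflows_szfile(const char *line)
{
    return token_len(line, 1) >= SZFILE_LEN;
}

/* Hardened parser: reject over-long tokens up front rather than truncating
 * (a truncated %1023s would leave the tail to be parsed as the next field),
 * and bound every %s with a width as a second line of defence.
 * Returns the number of fields parsed, or -1 if any token would not fit. */
int parse_request_line_safe(const char *line, char method[SMALL_LEN],
                            char file[SZFILE_LEN], char version[SMALL_LEN])
{
    if (token_len(line, 0) >= SMALL_LEN || token_len(line, 1) >= SZFILE_LEN ||
        token_len(line, 2) >= SMALL_LEN)
        return -1;
    return sscanf(line, "%15s %1023s %15s", method, file, version);
}

/* Bytes a payload cannot contain if it travels inside the request line:
 * 0x00 ends the C string, 0x20 (and the other isspace bytes 0x09-0x0D) ends
 * the %s token, and 0x61-0x7A are rewritten by the uppercase pass. */
int payload_byte_ok(unsigned char b)
{
    return b != 0x00 && b != 0x20 && !(b >= 0x09 && b <= 0x0d) &&
           !(b >= 0x61 && b <= 0x7a);
}

/* Count the bytes of buf[0..n) that violate payload_byte_ok(). */
size_t count_bad_payload_bytes(const unsigned char *buf, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!payload_byte_ok(buf[i])) bad++;
    return bad;
}

/* Constructed request matching the report: "POST " + 1028 'x' + " / HTTP/1.0".
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_crash_request(char *out, size_t cap)
{
    const char *head = "POST ", *tail = " / HTTP/1.0\r\n";
    size_t n = 0, need = strlen(head) + 1028 + strlen(tail) + 1;
    if (cap < need) return 0;
    memcpy(out + n, head, strlen(head)); n += strlen(head);
    memset(out + n, 'x', 1028);          n += 1028;
    memcpy(out + n, tail, strlen(tail)); n += strlen(tail);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char req[1100], m[SMALL_LEN], f[SZFILE_LEN], v[SMALL_LEN];
    build_crash_request(req, sizeof req);
    printf("request overflows szFile under %%s: %d\n", request_overflows_szfile(req));
    printf("hardened parser result: %d (-1 = rejected)\n", parse_request_line_safe(req, m, f, v));
    /* Constructed sample bytes, not shellcode: 0x61, 0x20 and 0x00 get rejected. */
    unsigned char sample[] = {0x90, 0x41, 0x61, 0x20, 0x00, 0xc3};
    printf("bytes unusable in the request line: %zu of %zu\n",
           count_bad_payload_bytes(sample, sizeof sample), sizeof sample);
    return 0;
}
```

The point of `token_len()` is that a field width alone is not a complete fix: `%1023s` stops writing after 1023 bytes but leaves the remainder of the token in the input, where the next `%s` would pick it up as the version field, so an over-long line should be rejected outright.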
Current thread:
- Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 28)
- Re: Possibly exploitable overflow in Alibaba 2.0 W.H.J.Pinckaers (Oct 29)
- FreeBSD listen() again 3APA3A (Oct 30)
- Re: FreeBSD listen() again Sebastian (Oct 30)
- Re: Possibly exploitable overflow in Alibaba 2.0 Blue Boar (Oct 30)
- <Possible follow-ups>
- Re: Possibly exploitable overflow in Alibaba 2.0 Thomas Dullien (Oct 30)