Vulnerability Development mailing list archives

Re: Possibly exploitable overflow in Alibaba 2.0


From: W.H.J.Pinckaers () CPEDU RUG NL (W.H.J.Pinckaers)
Date: Fri, 29 Oct 1999 18:38:05 MET


Hello all together,

(Greeting stolen from dullien () gmx de) ;)

Tried a little freeware webserver named Alibaba 2.0 today
and found an exploitable overflow. I telnetted to 127.0.0.1:80
and crashed it using
POST [enter 1028 'x'] / HTTP/1.0

Could you point us to the web site that is distributing this software?
Along with a guess of the number of users of this webserver?

And on what OS/CPU does the webserver run? Linux? Wintendo?

From a disassembled listing I found that it uses a

scanf("%s %s %s", szName, szFile, szSomething);

where szFile is a local variable of 0x400 (=1024) bytes
on the stack directly above the return address.
Coding an exploit for this is going to be a little tricky as
it mustn't have any 0x20, 0x00, 0x61-0x7A in it, since
these bytes are changed by the foregoing function
that converts everything into uppercase.

I have such shellcode on the shelf, since this is needed by quite a
lot of other webservers too.  (Shellcode for Linux/X86) If you want it,
drop me a mail.

Another solution is to put the shellcode in another place than in
the buffer that gets struppered. For instance in the Host: tag in the
HTTP request, so that the exploit would look like this:

POST lots of return addresses without 0x00, ' ' and 'A'-'Z' / HTTP/1.0
Host: your shellcode

(Of course Host can be replaced by any other valid tag, or even an
invalid tag)

I contacted the authors, but they stated that since it's freeware
there will be no support for it :)
If someone wants to code a full exploit, go ahead :)
(Are they running this webserver? if so you could force a patch into
the webserver ;)

Gtx.
    Dvorak
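The `scanf("%s %s %s", szName, szFile, szSomething)` call quoted from the disassembly is the textbook unbounded read: `%s` copies until whitespace with no regard for the 0x400-byte target. The following is an added example, not code from the post or from the Alibaba server, showing the width-limited form a reviewer would expect instead. The function name, buffer sizes and the trailing-garbage check are assumptions made here; the check matters because a width like `%1023s` stops writing at the limit but leaves the rest of an over-long token in the input, where it would otherwise be silently consumed by the next conversion.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes chosen for this example; the post describes a 0x400-byte szFile. */
#define METHOD_MAX  16
#define FILE_MAX    1024
#define VERSION_MAX 16

/*
 * Parse an HTTP request line of the form "METHOD FILE VERSION".
 * Returns 0 on success and -1 if the line is malformed or any field
 * would not fit its buffer. Each conversion carries a width one less
 * than its buffer size, so sscanf can never write past the buffer.
 * The trailing check catches truncated fields: when a token is longer
 * than its width, the remainder is picked up by the next conversion
 * and the real next token is left over as unexpected extra input.
 */
int parse_request_line(const char *line, char *method, char *file, char *version)
{
    int consumed = 0;
    int n = sscanf(line, "%15s %1023s %15s%n", method, file, version, &consumed);
    if (n != 3)
        return -1;
    const char *rest = line + consumed;
    while (*rest == ' ' || *rest == '\t' || *rest == '\r' || *rest == '\n')
        rest++;
    return (*rest == '\0') ? 0 : -1;
}

/* Constructed input: a request line whose file field is 1028 bytes long,
 * the length the post reports as crashing the server. */
int parse_overlong_file(void)
{
    char line[2048];
    char method[METHOD_MAX], file[FILE_MAX], version[VERSION_MAX];
    size_t len = 0;
    memcpy(line + len, "POST ", 5);          len += 5;
    memset(line + len, 'x', 1028);           len += 1028;
    memcpy(line + len, " / HTTP/1.0", 12);   /* 11 chars plus the NUL */
    return parse_request_line(line, method, file, version);
}

int main(void)
{
    char method[METHOD_MAX], file[FILE_MAX], version[VERSION_MAX];
    int rc = parse_request_line("POST /index.html HTTP/1.0", method, file, version);
    printf("normal request: rc=%d method=%s file=%s version=%s\n", rc, method, file, version);
    printf("1028-byte file field: rc=%d (rejected, buffers untouched past their limit)\n",
           parse_overlong_file());
    return 0;
}
```

With the over-long line, `%1023s` fills `file` with the first 1023 bytes, `%15s` takes the next five bytes of the same token as the "version", and the genuine `/ HTTP/1.0` is what remains, so the parser returns -1 instead of letting 1028 bytes land in a 1024-byte stack buffer.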

