Thread: Help with where to start looking in to a vulnerability

  1. #1
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    3

    Hello All,
    First off, if this is the wrong forum for my post, apologies. Quick overview: a few backs I discovered a vulnerability in a remote control gateway software my company was looking into. It uses HTTP POST requests to transfer data between a client and a server via the gateway server. As the connection is not encrypted, I found it was vulnerable to a pass-the-hash attack. While testing this with PAROS proxy, I tried to do manual POST requests and found I could reliably crash the gateway service. However, I'm still trying to track down the actual issue. I believe it is down to malformed header information in the request, which crashes the gateway process. I've since moved to just using telnet, as PAROS adds its own info into the header. I've reported this to the vendor, who is looking into it.

    My questions are:

    1) Can anyone recommend an HTTP POST fuzzer?
    2) While I know I can cause a DoS, can anyone recommend any links that I could read to understand if it is possible to take this further to attempt code execution?

    Thanks in advance for any help.

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Spike is a well-known HTTP fuzzer. You could also look at some intercepting proxies other than Paros, such as Burp Suite and WebScarab, which don't modify the request in ways other than what you tell them to.

    As for leveraging the bug to exploitation, have a read of some general buffer overflowing guides. I've provided a few links to guides on this subject in a number of my previous posts, so hunt through my post history or search Google for results from this forum with my username and buffer overflow in them to find them.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    3

    Thanks for the reply. Unfortunately, I found it appears the process can't handle a specific character rather than it overflowing any buffer.

    Guess I'll have to accept it as just a DoS vulnerability.

    Thanks again.


    2009-11-20 12:06:48.207, WinNT 5.1
    File ?, line 0, error code 997 (x3e5), tid=334, thread=i/o

    Build: V19.60 (28/09/09 11:57:53)

    Expression: Unhandled Exception (GPF)

    EAX=00000000 EBX=008D8DC0 ECX=00000000 EDX=008D5800 ESI=80000002
    EDI=00140000 EBP=019CFC2C ESP=019CF380 EIP=00423A50 FLG=00010206
    CS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000 TID=334
    EIP:
    8B 10 FF 52 28 89 85 AC F7 FF FF 8B 85 AC F7 FF FF 89 85 A8 F7 FF FF C7

    Callstack:
    0x00423A50 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x004236D8 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x00423327 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x00457491 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x00457423 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x00422359 RTgateway.exe (19.60.0.391): <unknown symbol>
    0x0042229E RTgateway.exe (19.60.0.391): <unknown symbol>
    0x7C80B729 kernel32.dll (5.01.2600.5781): GetModuleFileNameA + 442 bytes
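
A triage sketch for the crash record in post #3, added here as an example and not part of the thread: it parses the register dump and decodes the first instruction at EIP (`8B 10`, which is `mov edx,[eax]`) to show which address the faulting read touched. The function names and the 64 KiB NULL guard threshold are assumptions of this example.

```python
import re

# Registers and bytes at EIP, copied from the crash record in the post above.
CRASH = """\
EAX=00000000 EBX=008D8DC0 ECX=00000000 EDX=008D5800 ESI=80000002
EDI=00140000 EBP=019CFC2C ESP=019CF380 EIP=00423A50 FLG=00010206
EIP:
8B 10 FF 52 28 89 85 AC F7 FF FF 8B 85 AC F7 FF FF 89 85 A8 F7 FF FF C7
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # x86 encoding order
NULL_GUARD = 0x10000  # assumption: lowest 64 KiB unmapped, the Windows default


def parse(text):
    """Return ({register: value}, bytes at EIP) from a crash record in this layout."""
    regs = {k: int(v, 16) for k, v in re.findall(r"\b([A-Z]{2,3})=([0-9A-Fa-f]{8})\b", text)}
    dump = re.search(r"EIP:\s+((?:[0-9A-Fa-f]{2}\s*)+)", text).group(1)
    return regs, bytes.fromhex("".join(dump.split()))


def mem_operand(regs, code):
    """Decode the memory operand of a leading MOV r32, r/m32 (opcode 8B, no SIB)."""
    if code[0] != 0x8B:
        raise ValueError("only opcode 8B is handled")
    mod, rm = code[1] >> 6, code[1] & 7
    if mod == 3 or rm == 4:
        raise ValueError("register operand or SIB byte is not handled")
    if mod == 0 and rm == 5:  # absolute disp32, no base register
        return None, int.from_bytes(code[2:6], "little")
    disp = int.from_bytes(code[2:2 + (0, 1, 4)[mod]], "little", signed=True)
    return REG32[rm], (regs[REG32[rm]] + disp) & 0xFFFFFFFF


def triage(text):
    """Classify the read performed by the faulting instruction."""
    regs, code = parse(text)
    base, addr = mem_operand(regs, code)
    kind = "near-NULL read" if addr < NULL_GUARD else "read outside the NULL guard range"
    return {"eip": regs["EIP"], "base": base, "address": addr, "kind": kind}


if __name__ == "__main__":
    # 8B 10 is mov edx,[eax]; with EAX=0 the read hits address 0.
    print(triage(CRASH))
```

The following bytes, `FF 52 28`, encode `call [edx+0x28]`, so the value read here would have been used as a table of function pointers.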
