Vulnerability Development mailing list archives
DoS in ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win*
From: kain () EGOTRIP DK (Knud Erik Højgaard)
Date: Sat, 12 Feb 2000 01:48:57 +0100
I was just fooling around with my old boss's new company...

ftp> o x*x*x*X*x*.dk
220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)
User (x*x*x*X*x*.dk:(none)): anonymous
331 User name OK, please send complete E-mail address as password
Password: (lamer@)
230 User anonymous logged in successfully
ftp> ls
Connection closed by remote host.

This puzzled me somewhat... never saw that before.. so I started fooling around.. whoa, whaddya know...

Actually this is somewhat imprecise, I have no clue on buffer overruns and so on, but I brought down the ftpd... I did like this:

telnet x*x*x*X*x*.dk 21
220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)
user [AAAAA(3433 A's to be precise)AAA]
*no response*
pass [AAAAA(3433 A's to be precise)AAA]
*no response*
quit
*no response*

and once more from the start... and hey presto, the server stopped accepting connections at port 21. I'm sure fewer A's will do the trick (I didn't see all 3433 A's in the CRT window), but as the server died I can't really experiment with it...

The latest version (1.0.5.9, February 23, 2000 release) can be obtained from www.argosoft.com. This version is also vulnerable - I just installed it on my WinNT 4.00.1381 with IE 5.5.00.2314.1003 and SP5... After a couple of simultaneous connections (3) with the user [AAAA], pass [AAAAA] and just random garbage like dfsasdfdssd adsfadslkfjadsl dslfhjslakhsdkj gkljdflkgsdf and so on (this seems to be doing the trick?) and letting the connections stay open, NT spits out a couple of hundred "access violation at address [0040372 I think - the windows all closed]" boxes. After a few crashes Windows says '[10048] address already in use' when I try starting the server. The only way to start the server again is a reboot. I wish I knew more.

Just doing it once (the user aaaaa, pass aaaaa, random garbage) and letting the connection time out gives an access violation at 41414141 when reconnecting, but doesn't crash the server. Doing it once more crashes the server.

I'm sure someone smarter than me can find an easier way of producing these results, but as I said, I am no expert in internal computer functions/buffer overruns. My English is shit, and I explain this very poorly, and I think someone else would do a better job.. but hey.. this is my first post.. I'm not even sure I'm posting it in the right place.

Yours,
Knud Erik Højgaard
kain () egotrip dk
No MCSE, MCP and all that, just a lameass script kiddie who doesn't know what he's doing, but wants to learn.
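The crash described in the post (an access violation at 41414141 after an overlong USER/PASS argument) is the classic signature of command arguments being copied into a fixed-size buffer. The following is an added example, not ArGoSoft's code, of how an FTP control-line parser bounds its input instead: MAX_LINE and MAX_ARG are assumed limits chosen for illustration, and the 3433-byte USER line is constructed in main() from the figure in the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits (not from the post): 512 bytes is ample for an RFC 959
 * command line, so the 3433-byte argument above is refused, not copied. */
#define MAX_LINE 512
#define MAX_ARG  128

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = 1, CMD_BAD = 2 };

struct ftp_cmd {
    char verb[5];            /* USER, PASS, QUIT, ... upper-cased */
    char arg[MAX_ARG + 1];   /* always NUL-terminated */
};

/* Parse one control-connection line. A server maps CMD_TOO_LONG to a
 * "501 Syntax error" reply (or a deliberate disconnect) rather than
 * letting the bytes run past a fixed buffer. */
enum cmd_status parse_ftp_line(const char *line, struct ftp_cmd *out)
{
    size_t len = 0;
    while (len <= MAX_LINE && line[len] != '\0')
        len++;                               /* bounded length scan */
    if (len > MAX_LINE)
        return CMD_TOO_LONG;                 /* overlong line: reject */
    while (len && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                               /* strip CRLF */
    const char *sp = memchr(line, ' ', len);
    size_t vlen = sp ? (size_t)(sp - line) : len;
    if (vlen == 0 || vlen > 4)
        return CMD_BAD;                      /* FTP verbs are 3-4 letters */
    for (size_t i = 0; i < vlen; i++)
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    out->verb[vlen] = '\0';
    size_t alen = sp ? len - vlen - 1 : 0;
    if (alen > MAX_ARG)
        return CMD_TOO_LONG;                 /* bounded copy, never overflows */
    if (alen)
        memcpy(out->arg, sp + 1, alen);
    out->arg[alen] = '\0';
    return CMD_OK;
}

int main(void)
{
    struct ftp_cmd c;
    char big[4000];                          /* constructed: "USER " + 3433 'A' */
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 3433);
    strcpy(big + 5 + 3433, "\r\n");
    printf("USER anonymous -> %d\n", parse_ftp_line("USER anonymous\r\n", &c));
    printf("3433 A's       -> %d\n", parse_ftp_line(big, &c));
    return 0;
}
```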