Vulnerability Development mailing list archives

DoS in ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win*


From: kain () EGOTRIP DK (Knud Erik Højgaard)
Date: Sat, 12 Feb 2000 01:48:57 +0100


I was just fooling around with my old boss's new company...

ftp>o x*x*x*X*x*.dk
220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)
User (x*x*x*X*x*.dk:(none)): anonymous
331 User name OK, please send complete E-mail address as password
Password: (lamer@)
230 User anonymous logged in successfully
ftp> ls
Connection closed by remote host.

This puzzled me somewhat... never saw that before, so I started fooling
around... whoa, whaddya know...

Actually this is somewhat imprecise; I have no clue about buffer overruns and
so on, but I brought down the ftpd...

I did it like this:

telnet x*x*x*X*x*.dk 21

220 ArGoSoft FTP Server, Version 1.04 (1.0.4.4)

user [AAAAA(3433 A's to be precise)AAA]

*no response*

pass [AAAAA(3433 A's to be precise)AAA]

*no response*

quit

*no response*

And once more from the start... and hey presto, the server stopped accepting
connections on port 21.

I'm sure fewer A's will do the trick (I didn't see all 3433 A's in the CRT
window), but as the server died I can't really experiment with it...

The latest version (1.0.5.9, February 23, 2000 release) can be obtained
from www.argosoft.com

This version is also vulnerable - I just installed it on my WinNT 4.00.1381
with IE 5.5.00.2314.1003 and SP5... After a couple of simultaneous
connections (3) with
user [AAAA]
pass [AAAAA]
and just random garbage like

dfsasdfdssd
adsfadslkfjadsl
dslfhjslakhsdkj
gkljdflkgsdf
and so on
(this seems to be doing the trick?)
and letting the connections stay open, NT spits out a couple of hundred
'access violation at address [0040372 I think - the windows all closed]' boxes.

After a few crashes Windows says '[10048] address already in use' when I
try starting the server. The only way to start the server again is a reboot.

I wish I knew more. Just doing it once (the user aaaaa, pass aaaaa, random
garbage) and letting the connection time out gives an access violation at
41414141 when reconnecting, but doesn't crash the server. Doing it once
more crashes the server. I'm sure someone smarter than me can find an
easier way of producing these results, but as I said, I am no expert in
internal computer functions/buffer overruns.

My English is shit, and I explain this very poorly, and I think someone
else would do a better job... but hey... this is my first post... I'm not even
sure I'm posting it in the right place.

Yours,

Knud Erik Højgaard
kain () egotrip dk

No MCSE, MCP and all that, just a lame-ass script kiddie who doesn't know
what he's doing, but wants to learn.
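The post above describes the server dying on over-long USER/PASS arguments and on connections that stay open feeding junk. As an added illustration of the defensive side (example code written for this archive page, not ArGoSoft's code; MAX_LINE, MAX_ARG, KNOWN_VERBS and the max_errors threshold are assumed values chosen for the example), here is a minimal FTP command validator that bounds line and argument length before anything is dispatched, and flags a session for disconnection after repeated rejected lines:

```python
import re

# Assumed limits for this example (not ArGoSoft's values): bound every command
# line and every USER/PASS argument so an oversized name is refused by the
# parser and never copied into a fixed-size buffer.
MAX_LINE = 512   # bytes per command line, including CRLF
MAX_ARG = 128    # bytes for a USER or PASS argument

# Verbs this minimal parser will dispatch; anything else gets a 502 reply.
KNOWN_VERBS = {"USER", "PASS", "QUIT", "LIST", "CWD", "PWD", "TYPE",
               "PASV", "PORT", "RETR", "STOR", "NOOP", "SYST"}

# One FTP command: 3-4 letter verb, optional space-separated argument, CRLF.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$")


def parse_command(line: bytes):
    """Validate one raw command line before it is handled.

    Returns (reply_code, verb, arg). Any 5xx reply means the line is discarded:
    500 for malformed or oversized input, 501 for an over-long USER/PASS
    argument, 502 for an unknown verb. Only 200 lines reach a handler.
    """
    if len(line) > MAX_LINE:
        return 500, None, None
    m = CMD_RE.match(line)
    if not m:
        return 500, None, None
    verb = m.group(1).decode("ascii").upper()
    arg = m.group(2) or b""
    if verb not in KNOWN_VERBS:
        return 502, verb, None
    if verb in ("USER", "PASS") and len(arg) > MAX_ARG:
        return 501, verb, None
    return 200, verb, arg


def audit_session(raw_lines, max_errors=3):
    """Run one client's command lines through the parser.

    Returns (reply_codes, dropped): the session is flagged for disconnection
    once max_errors lines have been rejected, which also covers a client that
    keeps a connection open and feeds junk instead of real commands.
    """
    replies, errors = [], 0
    for line in raw_lines:
        code, _verb, _arg = parse_command(line)
        replies.append(code)
        if code >= 500:
            errors += 1
            if errors >= max_errors:
                return replies, True
    return replies, False
```

The garbage lines from the post are rejected as malformed commands rather than reaching any handler, and a 3433-byte USER argument is refused at the line-length check.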

