Computer Security
  Here is the exploit. It works as described in the NAI 1996 bulletin
  http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp

  but.... there are two points on which I disagree with NAI.
  1. The ftp console client under FreeBSD 2.2.x IS vulnerable.
  2. Although I don't treat FTP as a secure protocol, IMHO it's an
  OS/software weakness, not an FTP protocol weakness.

  I've been less than a year on Bugtraq and other security-related lists,
  so I don't know if this problem was already discussed. I have neither
  the time nor the desire to dig it up in the archives. But the reason the
  exploit works against FreeBSD seems to be an incorrect listen()
  implementation together with an ftp software weakness. If this problem
  (with listen()) is new, please let me know and I'll report it.

  Works (confirmed) against the following software under FreeBSD
  2.2.1-2.2.5 (I would be surprised if it works on some other OSes,
  because the problem is specific):

  1. Ftp servers (standard FTPD and WU-FTPD; it seems not to depend on
  the version) when clients connect in passive mode. Data can be
  intercepted when transmitted from server to client.
  2. Standard console ftp client. Data can be injected (the exploit
  requires an ftp server running on the client machine; FTP is used to
  predict the port number).

  I didn't test injecting data into the FTP server in active mode or
  intercepting data from the client in passive mode.

  How it works:
  1. Connects to the ftp server on the victim and
  2. uses the PASV command to allocate a port on the remote machine. Then
  3. attacks a few sequential ports with connect().
  4. If connect() succeeds, waits some time for data to arrive. If no
  data arrives within the timeout, send()s data to the victim.

  The exploit isn't perfect. Maybe the better way is to use raw sockets
  and send SYN packets, but:
  1. (disclaimer) This exploit just shows that the vulnerability exists.
  You must not use it for any purpose other than testing your software.
  2. Compatibility.

  Exploits:
	ftpspy.c
	ftpspy2.c
	ftpspy3.c
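The weakness described in point 1 and in the "How it works" steps is that a passive-mode server hands out a predictable data port and then accepts whichever host connects to it first. The check that closes it on the server side (and that RFC 2577 recommends) is to accept a data connection only from the host that owns the control connection. The following is an added example, not code from the post or from the ftpspy exploits: it applies that check to a constructed, hypothetical FTP server event log and flags sessions where the data-channel peer differs from the control-channel client, or where a data connection arrives on a port the server never announced via PASV. The log format and the function names are assumptions made for the example.

```python
"""Detect passive-mode FTP data-channel hijack attempts from server events.

The log format below is constructed for this example (key=value per line);
real FTP daemons log differently and would need their own parser.
"""
import re
from collections import namedtuple

# Constructed sample log: three sessions.  Session 17 is clean; session 18
# has a data connection from a third host; session 19 has a data connection
# on a port that was never announced via PASV, also from a third host.
SAMPLE_LOG = """\
ts=1 sess=17 event=CTRL client=192.0.2.10
ts=2 sess=17 event=PASV port=49152
ts=3 sess=17 event=DATA peer=192.0.2.10 port=49152
ts=4 sess=18 event=CTRL client=192.0.2.11
ts=5 sess=18 event=PASV port=49153
ts=6 sess=18 event=DATA peer=198.51.100.7 port=49153
ts=7 sess=19 event=CTRL client=192.0.2.12
ts=8 sess=19 event=DATA peer=198.51.100.7 port=49154
"""

Alert = namedtuple("Alert", "ts sess reason peer port")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; an empty dict for blank/unparseable lines."""
    return dict(KV_RE.findall(line))


def data_peer_allowed(control_peer, data_peer):
    """The check a passive-mode server should make before accepting a data
    connection: the connecting host must be the control-connection client."""
    return control_peer == data_peer


def scan(log_text):
    """Replay the event stream and return a list of Alert for suspicious
    data connections.  State per session: control client and pending PASV port."""
    sessions = {}  # sess id -> {"client": ip, "pasv_port": port or None}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        sess, kind = ev["sess"], ev["event"]
        if kind == "CTRL":
            sessions[sess] = {"client": ev["client"], "pasv_port": None}
        elif kind == "PASV":
            state = sessions.setdefault(sess, {"client": None, "pasv_port": None})
            state["pasv_port"] = ev["port"]
        elif kind == "DATA":
            state = sessions.get(sess)
            if state is None or state["client"] is None:
                alerts.append(Alert(ev["ts"], sess,
                                    "data connection without a control session",
                                    ev["peer"], ev["port"]))
                continue
            if state["pasv_port"] is None:
                # A connect() to a port the server never handed out: consistent
                # with someone probing the sequential port range blindly.
                alerts.append(Alert(ev["ts"], sess,
                                    "data connection on port never announced via PASV",
                                    ev["peer"], ev["port"]))
            if not data_peer_allowed(state["client"], ev["peer"]):
                alerts.append(Alert(ev["ts"], sess,
                                    "data peer differs from control peer (possible hijack)",
                                    ev["peer"], ev["port"]))
            state["pasv_port"] = None  # one data connection per PASV
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ts={a.ts} sess={a.sess} peer={a.peer} port={a.port}: {a.reason}")
```

Running the block prints one alert for session 18 and two for session 19. The same peer comparison is what a server should enforce at accept() time rather than after the fact; the log-replay form is useful for checking whether a daemon that claims to enforce it actually does, and for spotting the sequential-port probing the post describes.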

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod