gzTx - A File Transfer Daemon

1 Mar 2008
Using on-the-fly compression during file transfer

Introduction

GzTx is a simple file transfer application. Additionally, the files are compressed on-the-fly using the GZip algorithm, thanks to Java's built-in library.

Background

The reader is assumed to have basic knowledge of Java and Socket Programming. It also involves stream shovelling which has been discussed in my previous article.
This program is a follow up of my last Java program Shove.

What is It?

It's a pseudo FTP program...
The only distinguishing "feature" is that all files are compressed using GZip algorithm during the transfer.
The files are compressed on-the-fly... Therefore no temporary files are created. The utility can work both as server and client...

Rules

  1. Server cannot issue any commands.
  2. Server can access only the working directory. (Files outside the directory cannot be downloaded.)
  3. Client connects to server and issues commands.
  4. Client can upload or download a file to/from the server.

How to Use gzTx?

//*Set up a Server*
c:\>java -classpath . GzTx -p45
//gzTx Server at port 45

//*Client Download*
c:\>java -classpath . GzTx -h200.x.x.x -fhaha.txt -D
//(200.x.x.x  = remote host) and (haha.txt = remote filename to download)
//-D tells client to download

//*Client Upload*
c:\>java -classpath . GzTx -h200.x.x.x -p45 -fhaha.txt -U
//(200.x.x.x  = remote host),(45 = remote port)  and (haha.txt = Local filename to upload)
//-U tells client to upload

Netcat Compatibility

Using Netcat to Download Files Off a GzTx Server

//*Server*
c:\>java -classpath . GzTx

//*Client*
nc x.x.x.x 90 < get.txt >temp.gz
gzip -d temp.gz

------------->8 get.txt 8<-----------------
haha.txt|D

------------->8 get.txt 8<-----------------

Note the carriage return after the first line... haha.txt is the remote filename... NetCat uploads are not possible without additional processing...

Technical Discussion

The Protocol

The protocol is pretty trivial. It's "< filename >|< character >\r\n" followed by raw compressed data...

  • < filename > is the filename that will be used to upload/download
  • < character > is 'D' or 'U'

Bugs

When I first wrote it, I found out GzTx is susceptible to "relative path addressing" (using "..\..\win.ini" as filename). A remote attacker can overwrite arbitrary files using such an exploit string. So I tried to filter the path out... Now, using the GzTx application, this problem is circumvented but as you've seen above ("Using Netcat....") I've made it possible for non-gzTx clients to interact with GzTx servers... So technically, one can still send a "..\..\winnt\win.ini|U\r\n" exploit string... Now, in this case, the GzTx server will filter out the path and assume only 'win.ini'. But I can see cases where you can still exploit this bug using other "path addressing" ways. To rectify it, I'll need to strengthen the protocol, but I will lose my netcat compatibility with it... :(
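As an added example (not part of gzTx or the original article), the Java 16+ code below validates a request header on the server side by rejecting any filename that carries path syntax, instead of stripping the path as described above, and then confirms the resolved file sits directly in the working directory. The class, record and method names and the filename allowlist are assumptions, and the header is assumed to arrive with its trailing \r\n already removed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example; class, record and method names are hypothetical, not gzTx's own.
public class HeaderCheck {
    /** Validated request: a path inside the working directory and the mode, 'D' or 'U'. */
    record Request(Path file, char mode) {}

    /** Parses "<filename>|<character>" (CRLF already stripped) or throws IOException. */
    static Request parse(String header, Path workDir) throws IOException {
        int bar = header.lastIndexOf('|');
        if (bar <= 0 || bar != header.length() - 2)
            throw new IOException("malformed header");
        char mode = header.charAt(bar + 1);
        if (mode != 'D' && mode != 'U')
            throw new IOException("unknown mode");
        String name = header.substring(0, bar);
        // Allowlist (an assumption, stricter than the page): no '/', '\', ':', NUL or '|',
        // so relative, absolute and drive-qualified paths are rejected, not trimmed.
        if (!name.matches("[A-Za-z0-9._-]{1,255}") || name.equals(".") || name.equals(".."))
            throw new IOException("illegal filename");
        Path base = workDir.toRealPath();
        Path target = base.resolve(name).normalize();
        // Defence in depth: the resolved path must sit directly in the working directory.
        if (!base.equals(target.getParent()))
            throw new IOException("outside working directory");
        // Neither mode may go through a symlink that could lead out of the working directory.
        if (Files.isSymbolicLink(target))
            throw new IOException("symlink not allowed");
        return new Request(target, mode);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("gztx-demo"); // constructed sample directory
        Files.writeString(dir.resolve("haha.txt"), "sample");
        String[] headers = { // constructed sample headers
            "haha.txt|D", "haha.txt|U", "..\\..\\winnt\\win.ini|U",
            "../../etc/passwd|D", "C:win.ini|U", "haha.txt|X", "haha.txt" };
        for (String h : headers) {
            try {
                Request r = parse(h, dir);
                System.out.println(h + " -> " + r.mode() + " " + r.file().getFileName());
            } catch (IOException e) {
                System.out.println(h + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the check runs on the header text itself, it applies equally to GzTx clients and to netcat clients sending the same header.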

Todo

Currently, GzTx supports only ONE(1) file transfer per client session... Need to implement multiple file transfer procedures... gzTx server can support one at a time...

History

  • Original draft : 2 March, 2008

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

st0le
Other Student
India

Last Updated 2 Mar 2008
Article Copyright 2008 by st0le