Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit

Title: Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit
Advisory ID: ZSL-2011-5040
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 28.08.2011
Summary
Minimal FTP server for Windows. Uses only managed code. Works with Total Commander.
Description
MiniFTPServer suffers from a denial of service vulnerability when a large number of bytes is passed to it after authentication, resulting in a crash. A valid FTP command is not needed to exploit this issue.

--------------------------------------------------------------------------------

(1540.918): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
0:011> d edx
00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(.......d...
00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr..............
00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ....Ld..........
00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 ................
00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 ............P...
00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ....h..y....pd..
00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 .............r..
0:011> d
00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ..........\{....
00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 .....d......`..y
00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ...............y
00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ....A.A.A.A.A.A.
00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.

--------------------------------------------------------------------------------
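A mitigation for the failure mode described above, as an added example that is not part of the advisory or the MiniFTPServer source: a control-channel reader that caps how many bytes may arrive before a CRLF and answers with a 500 reply instead of buffering without bound. The 512-byte cap, the function names and the reduced command set (no login step) are assumptions for illustration.

```python
import socket

MAX_LINE = 512  # assumed cap in bytes; not a value taken from the advisory


class LineTooLong(Exception):
    """Peer sent more than the cap without terminating the command."""


def read_command(sock, buf, max_line=MAX_LINE):
    """Return (line, rest) for one CRLF-terminated command.

    Returns (None, b"") when the peer closes the connection.
    """
    while True:
        idx = buf.find(b"\r\n")
        if idx != -1:
            if idx > max_line:
                raise LineTooLong(idx)
            return buf[:idx], buf[idx + 2:]
        if len(buf) > max_line:          # no CRLF yet and already over the cap
            raise LineTooLong(len(buf))
        chunk = sock.recv(256)
        if not chunk:
            return None, b""
        buf += chunk


def serve_control(sock):
    """Handle one control connection; return the replies that were sent."""
    replies, buf = [], b""

    def send(msg):
        replies.append(msg)
        sock.sendall(msg.encode("ascii") + b"\r\n")

    try:
        while True:
            line, buf = read_command(sock, buf)
            if line is None:
                break
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"QUIT":
                send("221 Bye")
                break
            # Hypothetical dispatcher: every other verb is unimplemented here.
            send("502 Command not implemented" if verb.isalpha() else "500 Syntax error")
    except LineTooLong:
        send("500 Line too long")        # reject and drop the session
    finally:
        sock.close()
    return replies
```

The reader never holds more than the cap plus one receive chunk per connection, so oversized input ends the session with an error reply rather than reaching the command parser.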

Vendor
webmaster442 - http://miniftpserver.codeplex.com
Affected Version
1.1.1.0
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
miniftp_dos.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17742
[2] http://securityreason.com/exploitalert/10756
[3] http://packetstormsecurity.org/files/104542
[4] http://www.securityfocus.com/bid/49332
[5] http://www.vfocus.net/art/20110829/9379.html
[6] http://www.net-security.org/vuln.php?id=15545
Changelog
[28.08.2011] - Initial release
[29.08.2011] - Added reference [1], [2] and [3]
[30.08.2011] - Added reference [4]
[02.09.2011] - Added reference [5]
[20.09.2011] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk